A particularly nasty new piece of MacOS malware has experts issuing warnings for both users and administrators.
Dubbed "Poseidon," the infection seeks to harvest user account credentials and VPN configurations with the end goal being the theft or resale of the pilfered data. In this case, researchers believe that the attacks are the first phase of a planned malware-for-hire service.
According to researchers with antimalware vendor Malwarebytes, the info-stealing trojan has been spreading itself via Google ads that pose as links to download the popular Arc web browser. When the target clicks on the ad, they are redirected to a lookalike site that then offers a trojan download.
Launching the supposed browser installer instead launches the malware package and begins the process of infection.
Malwarebytes researcher Jerome Segura explained that the actual malware payload, dubbed OSX.RodStealer appears to be the work of an aspiring malware writer aiming to create a rival offering to the notorious AtomicStealer malware family.
“A threat actor known by his handle as Rodrigo4 in the XSS underground forum has been working on a stealer with similar features and code base as the notorious Atomic Stealer (AMOS). The service consists of a malware panel with statistics and a builder with custom name, icon and AppleScript,” Segura noted.
“The stealer offers functionalities reminescent of Atomic Stealer including: file grabber, crypto wallet extractor, password manager (Bitwarden, KeePassXC) stealer, and browser data collector.”
The researcher noted that info-stealing trojans for MacOS are becoming increasingly popular amongst cybercriminals. In most cases the malware will look to steal not only account credentials, but also crypto wallet keys, browser history, and VPN access configurations.
Malwarebytes recommends that (aside from buying antimalware products) Mac users can protect themselves from infection by keeping a close eye on the sources of their application downloads and avoid any suspicious sites or unsigned installers.
“Seeing campaigns distributing the new malware payload confirms that the threat is real and actively targeting new victims,” Segura noted.
“Staying protected against these threats requires vigilance any time you download and install a new app.”
