A new stealer malware named Poseidon, which shares code with the well-known Atomic Stealer, is being distributed to Mac users and is designed to steal various data, including files, browser information, and credentials from password managers.
The malware is being distributed through malvertising campaigns with ads disguised as legitimate downloads for the Arc browser.
The author of this malware, known as Rodrigo4, previously offered a similar stealer but has rebranded it as Poseidon, likely to improve recognition and potentially attract more users.
Malvertisers exploited the hype surrounding Arc Browser’s Windows launch by deploying a Google Ads campaign. The ad was disguised as an official promotion by “Coles & Co.” and displayed the legitimate Arc website (arc.net), but upon clicking, users were redirected to a spoofed download site (arcthost.org), which in turn redirected them to another fake site (arc-download.com) offering a non-existent Mac version of Arc. The aim was to trick users into downloading malicious software disguised as the desired Arc browser.
The downloaded DMG file appears to be a standard Mac application installer but lacks the vulnerability that allows security to be bypassed through the right-click-open method. This suggests the DMG may be malicious: it attempts to masquerade as legitimate software while lacking a known exploit for security measures.
Researchers at Malwarebytes Labs discovered unfinished code in the new “Poseidon” stealer that suggests functionality beyond its current capabilities. The malware was also recently advertised as able to target VPN configurations from Fortinet and OpenVPN.
An excerpt from a forum post reveals a command using curl to send stolen data, including the victim’s machine ID, builder ID, and potentially compressed data (out.zip), to a server under the attackers’ control.
The IP address in the command leads to a login page for a web interface branded as “Poseidon,” likely a custom control panel for managing stolen information.
Mac malware developers are actively creating stealers, which are programs designed to steal user data and are often advertised with features like rich functionality and low antivirus detection rates.
The recent Poseidon campaign, which disseminated a new stealer variant, exemplifies the danger that this kind of malware poses.
Users can protect themselves by being cautious when downloading and installing new applications. Security software with web protection features that block malicious ads and websites can be a valuable first line of defense.
An investigation identified a potential phishing campaign leveraging Google Ads, as the compromised ad domain, arcthost.org, likely redirects users to a decoy site, arc-download.com, which offers a malicious download, Arc12645413.dmg.
The payload, identified by the SHA256 hash c1693ee747e315419f84dfa89e36ca5b74074044b181656d95d7f40af34a05, is suspected to be malware, and it could use the identified C2 server, 79.137.192.4/p2p, to communicate with the attacker.
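To turn the indicators above into something a defender can actually run, here is an added example (my code, not the article's or Malwarebytes' own) that loads the two domains, the C2 URL, the DMG filename and the hash quoted above and matches them against a handful of constructed proxy and EDR log lines, including the out.zip upload to the C2 described in the curl excerpt. It also validates the hash before use: as printed above the string is 62 hex characters, two short of a SHA-256, so an exact-match IoC loader would silently never fire on it; the example treats it as a prefix and labels any hit for analyst review. The log format, usernames and timestamps are constructed assumptions, as is the padded hash in the last sample line.

```python
"""Match the Poseidon / Arc malvertising indicators quoted in the article against log lines."""
import re
from typing import Dict, List, Tuple

# Indicators copied from the article text above.
IOC_DOMAINS = ("arcthost.org", "arc-download.com")
IOC_C2_IP = "79.137.192.4"
IOC_C2_PATH = "/p2p"
IOC_FILENAME = "Arc12645413.dmg"
# Copied exactly as printed in the article. It is 62 hex characters long, so it is
# not a complete SHA-256 and must not be loaded as an exact-match indicator.
IOC_SHA256_AS_PRINTED = "c1693ee747e315419f84dfa89e36ca5b74074044b181656d95d7f40af34a05"

HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{32,}\b")


def validate_hash_ioc(value: str) -> Dict[str, object]:
    """Describe whether a hash indicator is usable as an exact match.

    A SHA-256 is exactly 64 hex characters; anything shorter is only usable as a
    prefix and should be verified against the original report before deployment.
    """
    is_hex = re.fullmatch(r"[0-9a-fA-F]+", value) is not None
    return {
        "value": value.lower(),
        "is_hex": is_hex,
        "length": len(value),
        "exact_match_ok": is_hex and len(value) == 64,
    }


def match_log_line(line: str) -> List[str]:
    """Return the indicator labels that a single log line matches (empty list if none)."""
    hits: List[str] = []
    lower = line.lower()
    for domain in IOC_DOMAINS:
        if domain in lower:
            hits.append(f"domain:{domain}")
    if IOC_C2_IP in line:
        # The full C2 URL is a stronger signal than the bare IP address.
        if IOC_C2_PATH in line:
            hits.append(f"c2:{IOC_C2_IP}{IOC_C2_PATH}")
        else:
            hits.append(f"c2-ip:{IOC_C2_IP}")
        # The article describes out.zip being sent to the C2 with curl.
        if "out.zip" in lower:
            hits.append("exfil-archive:out.zip")
    if IOC_FILENAME.lower() in lower:
        hits.append(f"file:{IOC_FILENAME}")
    hash_ioc = validate_hash_ioc(IOC_SHA256_AS_PRINTED)
    for token in HEX_TOKEN.findall(line):
        token = token.lower()
        if hash_ioc["exact_match_ok"] and token == hash_ioc["value"]:
            hits.append(f"hash:{token}")
        elif not hash_ioc["exact_match_ok"] and token.startswith(hash_ioc["value"]):
            # Prefix match only: the published string is incomplete, so flag for review.
            hits.append(f"hash-prefix-needs-review:{hash_ioc['value']}")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Scan log lines; return (1-based line number, hits) for every line that matches."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = match_log_line(line)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample log lines (not from the article): a proxy trail following the
# redirect chain described above, one clean line, and an EDR file event whose hash is
# the article's 62-character string padded with "00" to illustrate prefix matching.
SAMPLE_LOGS = [
    "2024-06-24T10:01:02Z proxy user=alice GET https://arc.net/ 200",
    "2024-06-24T10:01:05Z proxy user=alice GET https://arcthost.org/ 302",
    "2024-06-24T10:01:06Z proxy user=alice GET https://arc-download.com/Arc12645413.dmg 200",
    "2024-06-24T10:03:40Z proxy user=alice POST http://79.137.192.4/p2p form=out.zip 200",
    "2024-06-24T10:04:00Z proxy user=bob GET https://example.com/ 200",
    "2024-06-24T10:05:00Z edr user=alice open /Users/alice/Downloads/Arc12645413.dmg sha256="
    + IOC_SHA256_AS_PRINTED + "00",
]

if __name__ == "__main__":
    print("hash IoC check:", validate_hash_ioc(IOC_SHA256_AS_PRINTED))
    for number, hits in scan(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(hits)}")
```

The validation step is the part worth copying into a real pipeline: indicators pasted from write-ups are routinely truncated or wrapped, and a loader that accepts any string as a hash produces a rule that looks deployed but can never match.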