Hackers Utilize Google Ads for Delivering ‘Poseidon’ Mac Stealer

Hackers have been using Mac stealers to quietly extract sensitive information such as passwords, financial data, and personal files from macOS devices, making macOS users prime targets. Recently, on June 24th, Malwarebytes researchers uncovered a new Mac-specific stealer campaign called Poseidon, which uses malicious Google ads for the Arc browser as a lure.

This marks the second instance of Arc being employed as bait by OSX, with the previous one being the distribution of malware by RodStealer. Created by Rodrigo4, a threat actor who rivaled Atomic Stealer, this tool is more sophisticated and can even steal VPN configurations, posing a serious threat to Mac users.

The campaign for this malware was discovered on the XSS underground forum, offering similar functionalities to Atomic Stealer such as grabbing files, extracting crypto wallets, and stealing password managers. The ad campaign highlights a shift in the tactics employed by attackers responsible for Mac-related malware, leveraging popular software to deceive unsuspecting users.

A Google ad campaign promoting the Arc browser redirects users to a fraudulent site offering a Mac-only version. The ad is connected to “Coles & Co” and arcthost[.]org. The downloaded DMG file relies on a right-click trick to bypass security protections, while otherwise appearing to be a legitimate Mac application installation process.

Poseidon, the latest malware in the series, contains incomplete code designed to steal VPN configurations from leading providers such as Fortinet and OpenVPN. The exfiltrated data is sent to a specific IP address, which leads to a Poseidon-branded control panel, indicating a continuously evolving risk to macOS users.

With an active scene in Mac malware development focusing on stealers like Poseidon, threat actors are actively marketing feature-rich products with low antivirus detection rates to entice potential customers. The ongoing campaign underlines the continued targeting of new victims, necessitating vigilance when installing new applications.

Malwarebytes has identified this threat as OSX.RodStealer and has alerted Google about the malicious ad. Users are strongly advised to utilize web protection tools like Malwarebytes Browser Guard to block ads and malicious websites as the primary defense against evolving Mac-targeted threats.

In conclusion, the emergence of the Poseidon malware through a malicious Google ad campaign underscores the evolving tactics employed by attackers targeting macOS users. With the use of popular software as lures, threat actors continue to adapt and find new ways to exploit vulnerabilities. As the threat landscape evolves, users must remain vigilant and take proactive measures to safeguard their personal information and devices from malicious actors.
