Malvertising: Advertising for Arc delivers Poseidon malware for Mac

In an ongoing malvertising campaign built around the Arc web browser, criminals are trying to trick Mac users into installing the Poseidon infostealer.


The search returns spam, malware and scams.

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

Cyber criminals are placing fake advertisements for the Arc web browser. The end result, however, is not the installation of the browser users are looking for, but an infostealer that has been given the name Poseidon. The attackers are targeting Mac users.

IT researchers at Malwarebytes have observed a new malvertising campaign, launched last week, that distributes the Poseidon malware via malicious Google ads for the Arc browser. This is the second time the Arc browser has been used as bait, they say. On the previous occasion, however, a remote access toolkit for Windows was distributed through it.

The malware now being advertised is being actively developed as a competitor to Atomic Stealer, with a large part of the code being based on its predecessor. The detection is called OSX.RodStealer, based on the handle of the programmer, Rodrigo4. He renamed the malware to Poseidon and added a few new functions, such as the ability to bypass VPN configurations.

The programmer, who appears in an underground forum as Rodrigo4, works there with a code base and feature set comparable to the Atomic Stealer malware. It is apparently an all-round carefree package for (criminal) buyers. The service includes a malware panel with statistics and a builder that allows customized names, icons and AppleScript to be assigned. The data-stealing functions are extensive and range from a file collector, a crypto wallet extractor and a password manager extractor for Bitwarden and KeePassXC to a browser data collector.

Background information on malicious, fake advertising on Google.

(Image: Malwarebytes)

According to Malwarebytes, the malicious advertisement on Google was placed by a supposed company "Coles & Co" from the United Kingdom. The domain name shown in the ad refers to arcthost[.]org. Anyone who clicks on the advertisement is redirected to arc-download[.]com. The DMG archive offered there looks like what one would expect for a new Mac app. What is unusual, however, is the instruction to open the file with a right-click, which bypasses security measures.
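As an added example (not from the article or from Malwarebytes), the script below refangs the two domains named above and flags any request to them, or to their subdomains, in constructed proxy log lines, separating out the clients that actually fetched a DMG so they can be triaged first. The log format is an assumption made for the example.

```python
import re

# Indicators named in the article, kept in the defanged form in which they were published.
DEFANGED_IOCS = ["arcthost[.]org", "arc-download[.]com"]

def refang(ioc: str) -> str:
    """Turn a defanged indicator such as arcthost[.]org back into a matchable hostname."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()

# Constructed sample proxy log (not real data): timestamp, client IP, method, URL, status.
SAMPLE_LOG = """\
2024-06-25T10:01:02Z 10.0.0.5 GET https://www.google.com/search?q=arc+browser 200
2024-06-25T10:01:09Z 10.0.0.5 GET https://arcthost.org/ 302
2024-06-25T10:01:10Z 10.0.0.5 GET https://arc-download.com/Arc.dmg 200
2024-06-25T10:02:44Z 10.0.0.7 GET https://arc.net/download 200
2024-06-25T10:03:01Z 10.0.0.9 GET https://cdn.arc-download.com/installer.dmg 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def host_matches(host: str, ioc_host: str) -> bool:
    """True for the indicator host itself or any subdomain of it (not for look-alike suffixes)."""
    return host == ioc_host or host.endswith("." + ioc_host)

def scan_proxy_log(log_text: str, iocs=DEFANGED_IOCS):
    """Return (client, url, matched_ioc, is_dmg) for every request that hits an IoC domain."""
    hosts = [refang(i) for i in iocs]
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url, _status = m.groups()
        # Strip scheme, path and port to get the bare hostname.
        host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()
        for ioc in hosts:
            if host_matches(host, ioc):
                hits.append((client, url, ioc, url.lower().endswith(".dmg")))
    return hits

def clients_with_dmg_download(hits):
    """Clients that fetched a DMG from an IoC domain: the hosts to look at first."""
    return sorted({client for client, _url, _ioc, is_dmg in hits if is_dmg})

if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("triage first:", clients_with_dmg_download(hits))
```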

A convenient portal can be found at the IP address that the malware uses to upload collected information.

(Image: Malwarebytes)

Malwarebytes sees an active scene that develops malware for Macs and focuses on infostealers. Criminal business activity in the form of "malware-as-a-service" can be observed here. Sellers have to convince potential buyers that their "product" offers extensive functions and a low detection rate by anti-virus software. These recurring campaigns confirm that the threat is real. Users must always remain vigilant, especially when downloading and installing new apps.

In April, Malwarebytes' virus analysts also observed malvertising campaigns. There, the masterminds behind the campaign were targeting system administrators.

(dmk)