New ‘Poseidon’ infostealer campaign unleashed on Mac users

A rebranded malvertising campaign, dubbed “Poseidon” by its creator, has been actively targeting Mac users via malicious Google Ads in an attempt to steal their personal information, a new Malwarebytes Labs report found.

The data-stealing malware is being distributed through fake Google Ads advertising downloads of the relatively new Arc browser, the researchers warn.

The macOS stealer is said to have been developed as a rival alternative to the similarly built Atomic stealer (AMOS), sporting many of the same features including "a file grabber, crypto wallet extractor, password manager stealer (Bitwarden, KeePassXC), and a browser data collector.”

It's all about the Arc

The Malwarebytes threat intelligence team released the report on June 24th, marking the second time this year researchers have seen the Arc browser used as bait for unsuspecting users drawn in by its recent popularity.

Arc is a freeware web browser touted as a Chrome replacement for macOS, iOS and Microsoft Windows. It was created by The Browser Company and initially released as a beta version in July 2023.

Arc browser
Image by Koshiro K | Shutterstock

Attackers first used the browser as a lure to distribute a Windows RAT (Remote Access Trojan), also by way of Google ads, timed to coincide with Arc’s stable Windows release this past May, Malwarebytes said.

The browser’s stable macOS version was also released just 11 days ago, making Arc’s new Mac users an obvious target for Poseidon’s distributors (the stable iOS version was released on February 2nd).

The stealer campaign

In this ruse, the user is lured into clicking a realistic Google ad for the Arc browser. The ad leads to "arc-download[.]com, a completely fake site offering Arc for Mac only," Malwarebytes said.

If the user clicks the fraudulent download link, they receive not Arc but a malicious DMG file that resembles a legitimate installer.
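For defenders, the one concrete indicator in the report is the lure domain. The following is an added example, not code from Malwarebytes or The Browser Company, showing how to refang the published indicator and hunt for it across DNS and proxy logs. The log lines and their formats are constructed for the demonstration, and the only indicator assumed is the domain quoted above; the match is done label-wise so that subdomains of the lure domain are caught while look-alike hostnames that merely start with it are not.

```python
"""Hunt DNS/proxy logs for the Poseidon lure domain.

Added example: not Malwarebytes' or The Browser Company's code.
The only indicator taken from the report is arc-download[.]com;
every log line below is constructed for this demonstration.
"""
import re

# Indicator as published, in defanged form. Assumption: this is the only
# domain IOC available from the report.
DEFANGED_IOCS = ["arc-download[.]com"]

# Constructed sample telemetry (not real data): a DNS-query style line and a
# proxy-access style line for the lure, a subdomain of the lure, benign traffic,
# and a look-alike that should NOT match.
SAMPLE_LOGS = [
    "2024-06-24T10:01:02Z dns query host=workstation-7 qname=arc-download.com qtype=A",
    "2024-06-24T10:01:05Z proxy user=jdoe GET https://arc-download.com/Arc.dmg 200 9812034",
    "2024-06-24T10:02:11Z dns query host=workstation-7 qname=cdn.arc-download.com qtype=A",
    "2024-06-24T10:03:00Z proxy user=jdoe GET https://arc.net/ 200 14011",
    "2024-06-24T10:04:00Z dns query host=laptop-3 qname=arc-download.com.evil-lookalike.test qtype=A",
]

# Hostname appears either as a qname=... field or as the host part of a URL.
HOST_RE = re.compile(r"(?:qname=|https?://)([A-Za-z0-9.-]+)")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable, normalised hostname."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")


def host_matches(hostname: str, ioc_domain: str) -> bool:
    """True if hostname equals the IOC domain or is a subdomain of it.

    The check is on whole DNS labels, so 'arc-download.com.evil-lookalike.test'
    does not match 'arc-download.com' even though it begins with that string.
    """
    hostname = hostname.lower().rstrip(".")
    return hostname == ioc_domain or hostname.endswith("." + ioc_domain)


def extract_hostnames(line: str) -> list[str]:
    """Pull every hostname out of one log line."""
    return HOST_RE.findall(line)


def hunt(lines, defanged_iocs=DEFANGED_IOCS):
    """Return (line, matched_hostname, ioc) for each log line touching an IOC."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in lines:
        for host in extract_hostnames(line):
            for ioc in iocs:
                if host_matches(host, ioc):
                    hits.append((line, host, ioc))
    return hits


if __name__ == "__main__":
    for line, host, ioc in hunt(SAMPLE_LOGS):
        print(f"HIT {ioc} via {host}: {line}")
```

Run against the constructed sample, three of the five lines are flagged (the two direct lookups of the lure domain and the request to its subdomain) while the benign `arc.net` request and the look-alike hostname are left alone. The regular expression only knows the two constructed line formats; point `HOST_RE` at the host field of whatever DNS or proxy format your own telemetry uses.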

To help raise awareness, Malwarebytes provided screenshots of what the deceptive ads look like, along with steps users can take to avoid them and not accidentally download the malware.

Malwarebytes Poseidon Infostealer Screenshot 1
Malicious ad for Arc browser via Google search. Image by Malwarebytes Labs.
Malwarebytes Poseidon Infostealer Screenshot 2
Decoy website for Arc. Image by Malwarebytes Labs.
Malwarebytes Poseidon Infostealer Screenshot 3
Malicious Arc DMG installer. Image by Malwarebytes Labs.

Malwarebytes also provided some background on the stealer's author, a threat actor known as ‘Rodrigo4.’

The researchers noted that Poseidon is actually a rebrand of an earlier malicious payload by Rodrigo4, OSX.RodStealer, which they had already been tracking. Rodrigo4 has also added new capabilities to the infostealer, such as looting VPN configurations, the team said.

Malwarebytes’ threat intelligence team “highly recommends” that all users keep ad-blocking and web protection enabled on their devices and laptops to block malicious ads and sites, and stay vigilant when downloading and installing new apps.