Apple computer users are suffering a growing number of ‘infostealer’ attacks across multiple regions and industries. These are a form of malicious software created to breach computer systems in order to steal sensitive information.
The Palo Alto Networks Unit42 research group has detected a 101 percent increase in macOS infostealers in the last two quarters of 2024. The researchers identified three particularly prevalent macOS infostealers: Poseidon, Atomic, and Cthulhu.
The developers of Atomic Stealer sell it as malware as a service (MaaS) on hacker forums and on Telegram. Its operators usually distribute the malware via malvertising – the use of online advertising to spread malware, typically by injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Atomic Stealer can steal notes and documents, browser data such as passwords and cookies, cryptocurrency wallets, and instant messaging data. Atomic Stealer, also known as AMOS, was first discovered in April 2023.
Distributed via Google ads and malicious spam
Poseidon Stealer infects machines through downloaded malware installers that pretend to be legitimate applications. Its operators usually distribute it via Google ads and malicious spam emails. A cybercriminal using the alias “Rodrigo4” has advertised Poseidon Stealer on hacker forums; Rodrigo4 is allegedly a former coder for Atomic Stealer, and Poseidon Stealer is considered a direct competitor of Atomic Stealer. Poseidon Stealer uses AppleScript to gather system information, steal browser passwords and cryptocurrency wallets, gather user credentials and notes from the macOS Notes application, and collect Telegram data.
Cthulhu Stealer is another popular infostealer sold as MaaS via Telegram by a cybercriminal gang calling themselves the “Cthulhu Team.” Cthulhu Stealer is propagated via malicious application installers and targets a broad range of information from a compromised macOS endpoint. This includes highly sensitive data from major browsers such as Google Chrome, Microsoft Edge and Firefox, plus Telegram data and Keychain and SafeStorage passwords.
According to Palo Alto Networks Unit42: “These [infostealer] threats are significant not only for what they can steal directly but also because they can represent an entry point for additional malicious activity. For example, a breach that deploys an infostealer may lead to ransomware deployment later.”