Overview
In late June 2024, a new strain of malware known as Poseidon Stealer emerged, targeting macOS systems in German-speaking Switzerland through a highly deceptive phishing campaign. This sophisticated piece of malware was disseminated via emails that appeared to be from AGOV, the official Swiss government login portal. By masquerading as legitimate communications from a trusted source, the cybercriminals behind Poseidon Stealer exploited the trust users place in government entities to facilitate the malware’s installation and execution.
Poseidon Stealer is designed with a specific objective: to compromise and exfiltrate sensitive data from infected macOS devices. The malware’s operation begins once the user unknowingly installs the malicious software, which the phishing emails present as a legitimate application. Once installed, Poseidon Stealer searches the victim’s computer for valuable information such as login credentials, private keys, cookies, and cryptocurrency wallet details. This sensitive data is then compressed into a ZIP file and sent to a central command and control (C2) server operated by the attackers, completing the theft of the stolen information.
Targets
Public Administration
Individuals
Information
How they operate
Initial Infection and Delivery
The initial vector for Poseidon Stealer involves a well-crafted phishing email purporting to be from AGOV, the Swiss government login platform. The email lures victims into downloading a seemingly legitimate macOS application. This application, however, is a disguised version of Poseidon Stealer. Upon execution, the malware installs itself on the victim’s device, often without triggering any immediate alarms. The initial infection leverages social engineering to bypass typical user scrutiny, taking advantage of the perceived trustworthiness of the AGOV branding.
Data Extraction Process
Once installed, Poseidon Stealer begins its data exfiltration process by probing the system for a wide range of sensitive information. The malware targets various data types, including login credentials, private keys, cookies, and cryptocurrency wallets. It employs sophisticated scanning techniques to identify and collect this information from browser caches, keychains, and local storage. The data collection process is meticulous, ensuring that no critical information is overlooked.
After gathering the required data, Poseidon Stealer compresses the stolen information into a ZIP archive. This step not only consolidates the data into a manageable format but also helps evade detection by minimizing the footprint of the exfiltrated information. The ZIP file is then transmitted to a central command and control (C2) server controlled by the attackers. This transmission is often encrypted to prevent interception and analysis by security systems.
Persistence and Evasion Techniques
One of the notable features of Poseidon Stealer is its persistence mechanism. After successfully exfiltrating the data, the malware remains installed on the victim’s device but suspends its execution upon reboot. This approach helps Poseidon Stealer avoid detection by traditional antivirus solutions and system monitoring tools that might identify active malware processes. Despite its inactivity post-reboot, the malware remains on the system, allowing attackers to reactivate it or leverage it for future attacks if necessary.
Poseidon Stealer’s technical design illustrates a deliberate effort to balance effective data theft with stealth and persistence. Its operation involves a careful blend of social engineering, sophisticated data extraction techniques, and persistent stealth measures. The malware’s ability to remain undetected while continuously harvesting valuable information underscores the evolving sophistication of cyber threats and highlights the need for advanced security measures and user awareness in combating such threats.
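As an added, defender-side example (not from the original write-up or from any vendor tooling), the following Python script correlates the behaviour chain described in this section per process: reads of keychain, cookie and browser login stores, followed by a ZIP write, followed by an outbound connection. The event feed format, the process name and every path in the sample are constructed for illustration; adapt parse_event() to your own EDR export.

```python
"""Added example: flag a process that reads credential stores, writes a ZIP, then
connects out (the stage chain described above). Event feed format is CONSTRUCTED."""
import re
from collections import defaultdict

# macOS user-profile paths for the data the write-up says is harvested.
SENSITIVE_STORES = {
    "keychain": re.compile(r"/Library/Keychains/"),
    "cookies": re.compile(r"/Cookies/Cookies\.binarycookies$"),
    "logins": re.compile(r"/(Login Data|logins\.json|key4\.db)$"),
}
def parse_event(line):
    """'<ts> <pid> <proc> <action> <target>' -> dict, or None if malformed."""
    p = line.strip().split(maxsplit=4)
    if len(p) != 5 or not (p[0].isdigit() and p[1].isdigit()):
        return None
    return {"ts": int(p[0]), "pid": int(p[1]), "proc": p[2], "action": p[3], "target": p[4]}

def detect_stealer_chains(lines, min_stores=2, window=300):
    """One finding per pid that completes read -> zip -> connect within `window` seconds."""
    by_pid = defaultdict(list)
    for ev in filter(None, map(parse_event, lines)):
        by_pid[ev["pid"]].append(ev)
    findings = []
    for pid, evs in by_pid.items():
        stores, first_ts, zip_seen = set(), None, False
        for ev in sorted(evs, key=lambda e: e["ts"]):
            if ev["action"] == "file_read":
                hit = [n for n, rx in SENSITIVE_STORES.items() if rx.search(ev["target"])]
                if hit and first_ts is None:
                    first_ts = ev["ts"]
                stores.update(hit)
            elif ev["action"] == "file_write" and ev["target"].endswith(".zip"):
                zip_seen = len(stores) >= min_stores  # archive counts only after the reads
            elif ev["action"] == "net_connect" and zip_seen and ev["ts"] - first_ts <= window:
                findings.append({"pid": pid, "proc": ev["proc"],
                                 "stores": sorted(stores), "dest": ev["target"]})
                break  # one alert per process
    return findings

# Constructed sample: pid 512 is a benign backup job, pid 777 shows the full chain.
SAMPLE_EVENTS = [
    "1001 512 backupd file_write /Users/u/Backups/docs.zip",
    "1002 512 backupd net_connect 10.0.0.5:443",
    "1100 777 AGOV-Login file_read /Users/u/Library/Keychains/login.keychain-db",
    "1101 777 AGOV-Login file_read /Users/u/Library/Cookies/Cookies.binarycookies",
    "1102 777 AGOV-Login file_read /Users/u/Library/Application Support/Google/Chrome/Default/Login Data",
    "1105 777 AGOV-Login file_write /private/tmp/out.zip",
    "1106 777 AGOV-Login net_connect 203.0.113.10:443",
]
```

The benign archive-and-upload job never trips the rule because it touched no credential store before zipping, which is the ordering constraint that keeps this correlation quieter than a plain "wrote a ZIP then connected out" match.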
MITRE Tactics and Techniques
Initial Access (T1071.001 – Application Layer Protocol)
The malware is delivered through phishing emails that mimic trusted sources, such as AGOV. This tactic uses social engineering to trick users into downloading and executing the malicious payload.
Execution (T1203 – Exploitation for Client Execution)
Upon receiving the malicious email, the victim is prompted to download and run a macOS application. The application, disguised as legitimate software, executes the Poseidon Stealer malware on the victim’s system.
Collection (T1119 – Automated Collection)
Once installed, Poseidon Stealer scans the system for sensitive data including login credentials, private keys, cookies, and crypto wallets. The malware systematically collects this data for exfiltration.
Exfiltration (T1041 – Exfiltration Over Command and Control Channel)
The collected data is compressed into a ZIP file and sent to a central command and control (C2) server. The exfiltration is performed over a secure channel to avoid detection.
Persistence (T1547.001 – Registry Run Keys / Startup Folder)
Poseidon Stealer maintains persistence on the infected device by remaining installed even after the device is rebooted. Although it does not actively execute after a reboot, it remains on the system, potentially allowing future activations.
Defense Evasion (T1070.004 – File Deletion)
After exfiltrating data, Poseidon Stealer ceases its active operation and hides its presence, making it harder for traditional detection mechanisms to identify and remove the malware.
References