We recently identified a growing number of attacks targeting macOS users across multiple regions and industries. Our research has identified three particularly prevalent macOS infostealers in the wild, which we will explore in depth: Poseidon, Atomic and Cthulhu. We’ll show how they operate and how we detect their malicious activity.
Infostealers can sometimes be viewed as a less worrisome type of threat due to their more limited functionality compared to, for example, remote access Trojans. But by exfiltrating sensitive credentials, financial records and intellectual property, infostealers often lead to data breaches, financial losses and reputational damage. These are all things organizations need to take seriously. A recent analysis of these attacks shows that infostealers account for the largest group of new macOS malware in 2024. In our own telemetry, we detected a 101% increase in macOS infostealer detections between the last two quarters of 2024.
Palo Alto Networks customers are better protected against the infostealers presented in this research through Cortex XDR and XSIAM, and Cloud-Delivered Security Services for our Next-Generation Firewall, such as Advanced WildFire, Advanced DNS Security and Advanced URL Filtering.
If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.
Infostealers are a type of malware that is primarily designed to steal a wide range of sensitive information. This information ranges from financial details to the credentials of various services to sensitive files stored on the compromised hosts. Financial details can include payment card details, banking information and crypto wallets.
Most infostealers are indiscriminate, aiming to maximize data collection for impact and monetization. This broad range of information stealing capabilities exposes organizations to significant risks, including data leaks and providing initial access for further attacks, such as ransomware deployment.
Infostealers targeting macOS often abuse the native AppleScript framework. This framework provides extensive OS access, and it also simplifies execution with its natural language syntax. Because AppleScript dialog boxes can look like legitimate system prompts, threat actors use the framework to trick victims via social engineering. For example, they can prompt victims to enter credentials or trick them into disabling security controls.
Our research, using Cortex XDR telemetry from macOS environments, identified three particularly prevalent infostealers: Atomic Stealer, Poseidon Stealer and Cthulhu Stealer.
This article focuses on these stealers, their interaction with the macOS operating system, and how our products detect their tactics, techniques and procedures (TTPs).
Also known as AMOS, Atomic Stealer was discovered in April 2023. The developers of Atomic Stealer sell it as malware as a service (MaaS) in hacker forums and on Telegram.
The threat intelligence community has observed several different versions of this infostealer. Earlier versions were written in Go, and the more recent versions are written in C++. Some versions of Atomic Stealer drop a Python script, and other versions use Mach-O binaries.
The Atomic Stealer operators usually distribute their malware via malvertising. It is capable of stealing the following information:
Figure 1 shows the execution flow of Atomic Stealer, during one of its operations disguised as a legitimate installation file. This threat attempted to access the file at /Users/$USER$/Library/Application Support/Google/Chrome/Default/Login Data, which stores Google Chrome login credentials.
Someone using the alias “Rodrigo4” has advertised Poseidon Stealer in hacker forums, as shown in Figure 2. Rodrigo4 is allegedly a former coder for Atomic Stealer, and Poseidon Stealer is considered a fork or direct competitor of Atomic Stealer.
By August 2024, Rodrigo4 sold the Poseidon Stealer MaaS to an unknown source. However, the malware has apparently remained active since then.
Poseidon Stealer infects machines via the download of Trojanized installers pretending to be legitimate applications. Its operators usually distribute it via Google ads and malicious spam emails.
The malicious installer contains an encoded AppleScript file. During the installation process, the malicious installer decodes and executes the AppleScript.
Figure 3 shows an example of a Trojanized application installer in a macOS environment that will install Poseidon Stealer.
After the victim tries to install the application, Poseidon Stealer prompts them with a dialog box to get their password, as shown in Figure 4.
Poseidon Stealer sends its stolen information to a web server controlled by the attackers. Figure 5 shows the login page of the Poseidon Stealer control panel from one of these web servers.
Poseidon Stealer executes the main logic of the malware through malicious AppleScript. Figure 6 shows the execution of Poseidon Stealer as detected by Cortex XDR.
Poseidon Stealer uses the AppleScript to perform the following activities:
Cthulhu Stealer is another popular infostealer sold as MaaS via Telegram, by operators who call themselves “Cthulhu Team.” Cthulhu Stealer is written in Go and its operators propagate it via malicious application installers. An example of one of these installers is shown in Figure 7.
When executed, the malicious installer presents a fake dialog box claiming an update is needed for the system settings and asks for a password. Next, a second dialog box pops up, this time requesting a MetaMask password, as shown in Figure 8.
Cthulhu Stealer targets a broad range of information from a compromised macOS endpoint. This information includes:
Figure 10 shows the execution of Cthulhu Stealer in Cortex XDR, disguised as a macOS cleaner application. In this image, Cthulhu Stealer executes a command using AppleScript to display a dialog box to the victim and attempts to decode encrypted browser data.
Cthulhu Stealer saves the stolen data in a directory at /Users/Shared/NW and uploads it to a command-and-control server. Figure 11 shows the different file names this threat stores data in.
This article reviews three prominent macOS infostealer threats: Atomic Stealer, Poseidon Stealer and Cthulhu Stealer. These threats are significant not only for what they can steal directly but also because they can represent an entry point for additional malicious activity. For example, a breach that deploys an infostealer may lead to ransomware deployment later.
Implementing advanced macOS detection modules is a step forward in identifying and countering these threats.
Given the pace at which attackers are evolving their methods, a proactive and multi-layered defense strategy is essential for any organization aiming to protect its assets.
The new Cortex XDR macOS Analytics suites include the following detection suites:
These suites monitor sensitive file access and unusual AppleScript executions, and they have helped us identify malicious activities associated with threat actors trying to steal sensitive information from organizational macOS endpoints.
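As an added example (not code from this article or from Cortex XDR), the following Python rule set expresses three of the behaviours described above as detections over constructed sample events: the AppleScript hidden-answer password prompt used by Poseidon and Cthulhu, non-browser access to Chrome's Login Data file as seen with Atomic, and writes into Cthulhu's /Users/Shared/NW staging directory. The event schema, the user name, the process names and the file names are assumptions; only the two paths come from the article.

```python
import re

# Constructed sample events (not real telemetry): a simplified view of the
# process-start and file-access records an EDR collects on macOS.
SAMPLE_EVENTS = [
    {"type": "process", "proc": "osascript", "parent": "Installer",
     "cmd": 'osascript -e \'display dialog "Enter password" default answer "" with hidden answer\''},
    {"type": "process", "proc": "osascript", "parent": "Script Editor",
     "cmd": 'osascript -e \'display notification "Backup finished"\''},
    {"type": "file", "proc": "Installer", "op": "open",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"type": "file", "proc": "Google Chrome", "op": "open",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"type": "file", "proc": "Cleaner", "op": "write",
     "path": "/Users/Shared/NW/Passwords.txt"},
]

# An AppleScript dialog that collects a hidden (password-style) answer.
HIDDEN_ANSWER_RE = re.compile(r"display dialog\b.*\bwith hidden answer", re.I | re.S)
# Chrome's credential store, for any user and any profile directory.
LOGIN_DATA_RE = re.compile(
    r"^/Users/[^/]+/Library/Application Support/Google/Chrome/[^/]+/Login Data$")
# Processes expected to open that file; anything else is worth an alert.
BROWSER_PROCS = {"Google Chrome", "Google Chrome Helper"}
# Staging directory the article reports for Cthulhu Stealer.
CTHULHU_STAGING = "/Users/Shared/NW/"


def classify(event):
    """Return the name of the rule an event trips, or None."""
    if event["type"] == "process" and event["proc"] == "osascript":
        if HIDDEN_ANSWER_RE.search(event["cmd"]):
            return "applescript_hidden_answer_prompt"
    if event["type"] == "file":
        if LOGIN_DATA_RE.match(event["path"]) and event["proc"] not in BROWSER_PROCS:
            return "non_browser_chrome_login_data_access"
        if event["op"] == "write" and event["path"].startswith(CTHULHU_STAGING):
            return "cthulhu_staging_dir_write"
    return None


def detect(events):
    """Run every event through the rules; return (rule, process) pairs for hits."""
    return [(rule, e["proc"]) for e in events if (rule := classify(e))]


if __name__ == "__main__":
    for rule, proc in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {proc}")
```

In a real deployment the browser allow-list and the staging path would be tuned per fleet, and the Login Data rule should be paired with the equivalent paths for other browsers the article's stealers target.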
Additionally:
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.