Poseidon (RodrigoStealer) is an information stealer targeting macOS users, masquerading as legitimate applications such as the Arc browser. It is designed to exfiltrate sensitive data, including system information, browser credentials, cryptocurrency wallets, and documents. It has been associated with Russian-speaking cybercriminal communities and is actively distributed through phishing campaigns and compromised websites.
You might observe the following artifacts associated with this threat:
Poseidon is distributed through malicious Google ads that redirect users to fake websites offering popular applications like the Arc browser. The downloaded disk image (DMG) files resemble legitimate installers but instruct users to bypass Gatekeeper by right-clicking the application and choosing Open, which suppresses the block that macOS places on unsigned or unnotarized software. Once executed, Poseidon can perform various malicious activities, including:
The stolen data is then exfiltrated to a remote server controlled by the attackers.
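The lure depends on the victim overriding Gatekeeper by hand. The script below is an added example, not code from the original page or from Kandji, showing how a responder can triage a downloaded DMG instead: it parses the com.apple.quarantine extended attribute that macOS attaches to downloads (flags, download time, downloading agent, UUID) and asks Gatekeeper directly whether it would allow the image to open. The sample attribute value in the usage comment is constructed; the file name Arc.dmg is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original page): triage a downloaded DMG the way a
# responder would before trusting it. macOS tags downloads with the extended
# attribute com.apple.quarantine, whose value has the form
#     <flags-hex>;<download-time-unix-hex>;<downloading agent>;<UUID>
# Gatekeeper consults that tag when the user opens the file; the "right-click,
# Open" step the lure asks for overrides the block on unsigned/unnotarized apps.
# parse_quarantine is pure POSIX shell and runs anywhere; the other two helpers
# call macOS tools (xattr, spctl) and report themselves unavailable elsewhere.

# Parse a raw com.apple.quarantine value into key=value fields.
# Prints "flags=<hex> epoch=<seconds> agent=<name>"; returns 1 if the value is
# empty, i.e. the file was never quarantined or the tag was stripped.
parse_quarantine() {
  attr="$1"
  [ -n "$attr" ] || { echo "no-quarantine-attribute"; return 1; }
  IFS=';' read -r flags ts agent uuid <<EOF
$attr
EOF
  [ -n "$ts" ] || ts=0
  # the second field is hex seconds since the Unix epoch
  printf 'flags=%s epoch=%d agent=%s\n' "$flags" "$((0x$ts))" "${agent:-unknown}"
}

# Read the attribute from a real file (macOS only); xattr -p prints the value.
quarantine_of() {
  command -v xattr >/dev/null 2>&1 || { echo "xattr not available" >&2; return 2; }
  xattr -p com.apple.quarantine "$1" 2>/dev/null
}

# Ask Gatekeeper whether it would allow this disk image to be opened.
# The "open" assessment with the primary-signature context evaluates a DMG's
# signature without mounting it; a non-zero exit means Gatekeeper would block.
assess_dmg() {
  command -v spctl >/dev/null 2>&1 || { echo "spctl not available" >&2; return 2; }
  spctl --assess --type open --context context:primary-signature -v "$1"
}

# Usage: sh triage_dmg.sh Arc.dmg
# A constructed attribute value such as
#   0083;65a1b2c3;Safari;0A1B2C3D-0000-0000-0000-000000000000
# parses to "flags=0083 epoch=1705095875 agent=Safari".
if [ -n "${1:-}" ]; then
  parse_quarantine "$(quarantine_of "$1")"
  assess_dmg "$1" || echo "Gatekeeper would block $1; do not right-click/Open around it"
fi
```

A DMG that carries no quarantine tag at all (the tag is stripped by some download tools and by `xattr -d`) is as suspicious as one Gatekeeper rejects: in both cases the file has not been through the normal download-and-assess path, and the right answer is to delete it rather than bypass the prompt.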
Kandji Endpoint Detection & Response (EDR) automatically removes detected threats when file monitoring is set to Protect.
Although the malicious file itself is removed, the infection can leave behind artifacts that must be cleaned up manually.
In the future, avoid downloading and installing software from torrent sites, search-engine ad links, or other untrusted websites. Ensure that all applications are obtained from official and reputable sources, and never follow an installer's instructions to bypass Gatekeeper, in order to maintain system integrity and security.