Approaching stealers devs : a brief interview with Poseidon

g0njxa
4 min read · Jul 16, 2024


To completely understand what’s going on in a market that has been growing in the last years, I found it mandatory to know which players are dominating it. Always remember that behind every user of the Internet there is another human like you, so if you are kind enough to reach out to them and they agree, you can have a little talk. Asking things is not a crime.

Please note that everything stated on this blog has only an informational purpose. I will never promote the use of these products.

Let’s see, Poseidon, a brief talk with Rodrigo:

The interview was made in English. Original text is provided below.

One of the first Mac OS infostealers, or at least the one that got almost all of the attention, is Atomic Mac OS (AMOS) by ping3r. The usage of AMOS has been widespread in recent months, but other stealers are being spread as well, and when these other products were detected in the wild they were misattributed as AMOS variants instead of being identified as the real product.
That’s what Rodrigo says: “for more than six months my samples were confused with AMOS”.

The rebranding has happened recently:

An infostealer has a very simple objective: steal data from a victim’s computer. There should not be too much room to play around.

Mac OS has become the second most popular operating system for desktops worldwide, so although it would never be as widespread as Windows, it has a large user base that will be growing in the next few years.

It would be great to compare geo-traffic installation sources from both Windows and Mac malware campaigns, but targeting Mac OS users indeed implies targeting what is known as “rich” countries.

Everything is about money

It is very well known that infostealers are used by organized groups known as Traffer Teams in order to weaponize them into big malware campaigns spread over the Internet. If you are not familiar with this concept, I invite you to take a look at this first :) (https://medium.com/@g0njxa/list/profiling-5f20092e3a58). It is a usual behavior nowadays that not an individual, but a bunch of individuals working under an organized team, runs big malware campaigns, and this behavior can lead to misattributions.

I personally have seen Atomic Mac OS Stealer being used in some traffer teams, with victim records published in their channels that look like this:

But I have never seen a Poseidon record on any of the traffer teams I have visited, so Rodrigo sent me an example of how a Poseidon record looks:

MACOS LOG

DUPLICATE: false
IP: 49.37.55.223
COUNTRY: India
COUNTRY CODE: in
BUILDID: IB
NOTES: true
DOMAINS: [youtube.com google.com]

COOKIES: 375
PASSWORDS: 2
WALLETS: 0 []
SOCIAL: 0
CARDS: 0
AUTOFILLS: 0
DATETIME: 2024-07-03 21:47:59.229370444 +0000 UTC m=+175775.656592768

Poseidon MacOS
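As an added example (not code from the post, nor from Poseidon's author), here is a small Python parser for the record layout shown above, of the kind a threat-intel analyst would use to triage leaked victim records and turn them into typed fields. The sample record is constructed to mirror the one Rodrigo shared, and the DATETIME field is treated as Go's time.Time string output (an assumption based on the trailing m=+... monotonic-clock suffix).

```python
import re
from datetime import datetime

# Constructed sample that mirrors the record layout shown in the post.
SAMPLE_RECORD = """MACOS LOG

DUPLICATE: false
IP: 49.37.55.223
COUNTRY: India
COUNTRY CODE: in
BUILDID: IB
NOTES: true
DOMAINS: [youtube.com google.com]

COOKIES: 375
PASSWORDS: 2
WALLETS: 0 []
SOCIAL: 0
CARDS: 0
AUTOFILLS: 0
DATETIME: 2024-07-03 21:47:59.229370444 +0000 UTC m=+175775.656592768
"""


def parse_record(text: str) -> dict:
    """Parse one 'KEY: value' Poseidon-style record into typed fields."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    if not lines or lines[0] != "MACOS LOG":
        raise ValueError("not a MACOS LOG record")
    rec = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("DUPLICATE", "NOTES"):
            rec[key] = value.lower() == "true"
        elif key == "DOMAINS":
            rec[key] = value.strip("[]").split()
        elif key == "WALLETS":  # "0 []": a count followed by the wallet names
            count, _, names = value.partition(" ")
            rec[key], rec["WALLET_NAMES"] = int(count), names.strip("[]").split()
        elif key in ("COOKIES", "PASSWORDS", "SOCIAL", "CARDS", "AUTOFILLS"):
            rec[key] = int(value)
        elif key == "DATETIME":
            # Assumed Go time.Time output: drop the monotonic "m=+..." suffix and
            # truncate nanoseconds to the microseconds that strptime accepts.
            stamp = re.sub(r"\.(\d{6})\d* ([+-]\d{4}) UTC$", r".\1\2", value.split(" m=")[0])
            rec[key] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f%z")
        else:
            rec[key] = value
    return rec
```

Once parsed, the counts and the DOMAINS list are what an analyst keys on to decide whether a record warrants a victim notification (for example, any record with PASSWORDS or WALLETS above zero).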

Rodrigo states that indeed there’s Poseidon activity on Traffer groups, but on those that are not publicly reachable (on forums like LOLZ Team). He references this Malwarebytes article:

I also believe that there’s a traffer team behind the campaign, working with Rodrigo’s product.

Poseidon stealer follows an anti-CIS rule, as other common infostealers do nowadays. He enforces this rule also towards other infostealers in the market.

Think twice, “Cybercrime is a very bad idea”

We’ll be ready :p

Extra

Remember to check the other interviews at: g0njxa — Medium

Expect more content,
Best regards. :p

@g0njxa
