Don’t Fall for the Bait: Poseidon Stealer Masquerades as Sopha AI
In a new wave of attacks, macOS users are being targeted by the Poseidon Stealer malware, disguised as an installer for the highly anticipated Sopha AI model from OpenAI. The campaign, discovered by eSentire’s Threat Response Unit (TRU), exploits the growing interest in artificial intelligence to trick users into downloading malicious software.
Poseidon Stealer is built specifically for macOS. The campaign delivers it through malvertising: deceptive Google Ads redirect users to a malicious website, where they are prompted to download a disk image (DMG) that appears to be the Sopha AI installer. Nothing is exploited along the way; the victim still has to open the image and run the supposed installer, which is the Poseidon Stealer payload.
Once executed, the malware takes steps to avoid notice. It detaches from the terminal session that launched it, so closing the terminal window does not end the process (this keeps it alive for the current session only and is not, on its own, persistence across reboots). It then collects a wide range of sensitive data, including browser data, cryptocurrency wallets, Apple Notes, Keychain data, and user documents.
The most alarming aspect of the attack is how it goes after credentials, not through a flaw in macOS but through the Keychain and the user. It first attempts to read the Chrome Safe Storage item from the Keychain, which holds the master key that encrypts the user’s saved Chrome passwords and cookies; with that key, every Chrome secret on the machine can be decrypted offline. macOS guards that item behind a Keychain prompt, so if the read fails the malware falls back to displaying a fake password dialog of its own, tricking the user into typing their macOS login password. A genuine Keychain access prompt names the item and the requesting application; an unexpected password dialog appearing while an installer runs should be treated as a credential-phishing attempt.
The stolen data is compressed into a ZIP archive and sent to an attacker-controlled server. From there it can be used for identity theft, financial fraud, and follow-on attacks. To keep the transfer quick and inconspicuous, Poseidon stops collecting once the haul reaches 210 MB.
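The three behaviours described above (reading the Chrome Safe Storage Keychain item, raising a password dialog, and zipping user data) each leave a trace in process telemetry. The following is an added example of detection logic, not code from the article or from eSentire’s report. It runs over constructed process-execution records; the field names and the exact command lines are assumptions about how such activity typically surfaces on macOS, not indicators published for Poseidon. The Keychain item name "Chrome Safe Storage" and the AppleScript clause "with hidden answer" are real macOS details.

```python
"""Process-telemetry triage for the stealer behaviours described above.

Added example, not the article's or eSentire's code. SAMPLE_EVENTS is
constructed telemetry; real EDR records have different fields, and the
command lines are assumptions about how these steps appear, not IOCs.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    parent: str   # name of the parent process that spawned this one
    cmdline: str


# Constructed sample telemetry: benign Terminal and Finder activity plus a
# shell that performs the three suspicious steps in sequence.
SAMPLE_EVENTS = [
    ProcessEvent(4101, "Terminal", "ls -la /Users/alice/Documents"),
    ProcessEvent(4102, "bash", "security find-generic-password -wa 'Chrome'"),
    ProcessEvent(4103, "bash",
                 "osascript -e 'display dialog \"macOS wants to make changes\" "
                 "default answer \"\" with hidden answer'"),
    ProcessEvent(4104, "bash",
                 "zip -r /tmp/out.zip /Users/alice/Library/Keychains "
                 "'/Users/alice/Library/Application Support/Google/Chrome'"),
    ProcessEvent(4105, "Finder", "open /Applications/Notes.app"),
]

# One rule per behaviour. "Chrome Safe Storage" is the Keychain item holding
# Chrome's cookie/password encryption key; "with hidden answer" is the
# AppleScript clause that masks typed input, i.e. a password-style prompt.
# Library/Group Containers is where Apple Notes keeps its database.
RULES = {
    "chrome_safe_storage_read": re.compile(
        r"\bsecurity\b.*find-generic-password.*(Chrome|Safe Storage)"),
    "hidden_password_prompt": re.compile(
        r"\bosascript\b.*display dialog.*with hidden answer"),
    "user_data_archive": re.compile(
        r"\bzip\b.*(Library/Keychains|Google/Chrome|Library/Group Containers)"),
}


def classify(event: ProcessEvent) -> list[str]:
    """Return the names of all rules whose pattern matches the command line."""
    return [name for name, rx in RULES.items() if rx.search(event.cmdline)]


def correlate_by_parent(events) -> dict[str, set[str]]:
    """Group rule hits by parent process so a chain of steps becomes visible."""
    hits: dict[str, set[str]] = {}
    for ev in events:
        for rule in classify(ev):
            hits.setdefault(ev.parent, set()).add(rule)
    return hits


def find_suspicious(events, min_rules: int = 2) -> list[str]:
    """Parents whose children triggered at least `min_rules` distinct rules.

    Any single rule can fire on legitimate activity (an admin reading their
    own Keychain item, a backup script zipping a Chrome profile). Two or
    more distinct behaviours from one parent is the stealer-shaped pattern,
    so that is the alert threshold.
    """
    return sorted(parent for parent, rules in correlate_by_parent(events).items()
                  if len(rules) >= min_rules)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.pid, ev.parent, classify(ev) or "-")
    print("alert on:", find_suspicious(SAMPLE_EVENTS))
```

The per-rule patterns are deliberately loose and would be noisy on their own; the value is in the correlation step, which only alerts when one parent process strings several of these behaviours together, as the article describes.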
Users are urged to exercise caution when downloading files, even from sources that appear legitimate: reach installers through the vendor’s own domain rather than a sponsored search result, and treat any unexpected password prompt during an installation as a warning sign. Keeping software up to date and using strong, unique passwords for every account remain essential, and anyone who has run a suspicious installer should assume that browser-saved credentials, session cookies, and wallet data are exposed and rotate them.