2025-02-13

MacOS Infostealers on the Rise with Atomic, Poseidon, and Cthulhu Stealer

Level: Tactical | Source: Unit 42 | Global

A surge in macOS-targeted information-stealing malware has been observed throughout 2024, with a notable increase in malicious activity linked to infostealers such as Atomic Stealer, Poseidon Stealer, and Cthulhu Stealer. Unit 42 reports that their telemetry detected a 101% rise in macOS infostealer activity between the last two quarters of 2024. The accessibility of these malware-as-a-service (MaaS) offerings continues to grow, facilitated by their distribution in cybercrime forums and messaging services such as Telegram. These malware variants primarily leverage Apple's native AppleScript framework, allowing attackers to manipulate system processes and execute malicious payloads. "Infostealers leveraging macOS often exploit the native AppleScript framework. This framework provides extensive OS access, and it also simplifies execution with its natural language syntax," explains Unit 42. The use of AppleScript enables malware authors to craft deceptive prompts that closely resemble legitimate system messages, coercing victims into unknowingly providing their credentials.

Atomic Stealer (aka AMOS) has undergone multiple iterations, evolving from its initial Go-based versions to more recent C++ variants. The malware is commonly distributed through malvertising campaigns. Upon execution, Atomic Stealer initiates a password prompt via AppleScript using the command “osascript -e display dialog”, requesting credentials under the guise of a system update. In addition to credential capture, it executes “dscl /Local/Default -authonly administrator” to validate the input. This malware targets various data, including browser passwords, cryptocurrency wallets, instant messaging data from Telegram and Discord, and stored documents. The malicious payloads are often Python or Mach-O binaries, ensuring compatibility across various macOS environments.

Poseidon Stealer, another macOS infostealer, is often spread through Trojanized software installers found in malicious Google Ads and phishing emails. The malware relies on encoded AppleScript files to execute its payload, which includes credential harvesting, browser cookie theft, and exfiltration of data stored in the macOS Notes application. Once installed, Poseidon displays an authentication dialog box using osascript to obtain credentials. Additionally, it interacts with the SQLite database to extract stored notes. The malware’s osascript activity automates renaming, organizing, and manipulating files and folders while applying filters to exclude specific items. Poseidon is also capable of extracting passwords from password managers such as Bitwarden and KeePassXC.

Cthulhu Stealer, also distributed as a MaaS offering, is sold on Telegram and mimics legitimate software applications. Like other macOS infostealers, Cthulhu presents a fake system dialog using osascript, prompting users for their password. Once executed, the malware targets sensitive data, including browser-stored credentials, cryptocurrency wallets, FileZilla configuration files, and macOS Keychain entries. It also searches for files with extensions such as .png, .jpg, .pdf, .doc, and .xlsx, aiming to collect valuable user documents. Additionally, Cthulhu employs the command “bash -c openssl enc -base64 -d aes-128-cbc -iv” to decode Base64-encoded data and decrypt it using AES-128-CBC encryption. The malware gathers information from applications such as Telegram and the gaming platform Battle[.]net, broadening its scope of potential victims. Stolen data is stored in /Users/Shared/NW before being uploaded to a command-and-control server.

Unit 42 warns that the continued growth of macOS infostealers presents risks ranging from data exfiltration to enabling ransomware infections. These malware variants exploit macOS security mechanisms by manipulating AppleScript and using deceptive prompts to bypass user scrutiny. While Windows remains the dominant platform in enterprise environments, macOS malware should not be ignored as its prevalence continues to rise.
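The behaviours quoted above for all three stealers (an osascript password dialog, dscl -authonly credential validation, openssl Base64/AES decoding, and staging under /Users/Shared/NW) can be turned into process-execution detections. The following is an added example written for this summary, not code from Unit 42 or Anvilogic; the sample events are constructed, and matching the AppleScript "with hidden answer" clause is an assumption since the report only quotes the prompt.

```python
import re

# Detection patterns derived from the command lines quoted in the report.
# "with hidden answer" is the AppleScript clause that masks dialog input;
# matching it is this example's assumption, not something the report states.
RULES = {
    "osascript_password_dialog": re.compile(
        r"osascript\b.*display dialog.*(hidden answer|password)", re.I),
    "dscl_authonly_credential_check": re.compile(
        r"\bdscl\s+/Local/Default\s+-authonly\b"),
    "openssl_base64_aes_decode": re.compile(
        r"\bopenssl\s+enc\b.*-base64.*-d\b.*aes-128-cbc"),
    "staging_in_users_shared_nw": re.compile(r"/Users/Shared/NW(/|\b)"),
}

# Constructed sample process events (not from the report): (host, parent, command line).
SAMPLE_EVENTS = [
    ("mac-01", "CrackedApp", "osascript -e 'display dialog \"macOS needs to update. "
                             "Enter your password:\" default answer \"\" with hidden answer'"),
    ("mac-01", "CrackedApp", "dscl /Local/Default -authonly administrator"),
    ("mac-01", "bash", "bash -c 'openssl enc -base64 -d -aes-128-cbc -iv <iv-placeholder>'"),
    ("mac-01", "CrackedApp", "cp /Users/me/Library/Keychains/login.keychain-db /Users/Shared/NW/"),
    ("mac-02", "Terminal", "osascript -e 'display notification \"Build done\"'"),
    ("mac-02", "backup.sh", "openssl enc -aes-256-cbc -salt -in db.sql -out db.enc"),
]

def match_rules(cmdline):
    """Return the names of every rule whose pattern matches one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def hosts_with_stealer_chain(events, min_rules=2):
    """Group rule hits per host and flag hosts where at least `min_rules`
    distinct behaviours fired. A lone osascript dialog is common admin noise;
    a dialog followed by dscl -authonly or staging under /Users/Shared/NW is
    the chain the report describes."""
    hits = {}
    for host, _parent, cmd in events:
        for name in match_rules(cmd):
            hits.setdefault(host, set()).add(name)
    return {h: sorted(r) for h, r in hits.items() if len(r) >= min_rules}

if __name__ == "__main__":
    for host, rules in hosts_with_stealer_chain(SAMPLE_EVENTS).items():
        print(host, rules)
```

Feeding real EDR process telemetry into `hosts_with_stealer_chain` surfaces only hosts where several of the reported behaviours co-occur, which keeps legitimate osascript and openssl use out of the alert queue.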
