In a latest discovery by the CYFIRMA analysis group, a complicated malware marketing campaign dubbed Odyssey Stealer has been uncovered, focusing on macOS customers by way of a misleading technique referred to as Clickfix techniques.
This marketing campaign leverages typosquatted domains malicious web sites mimicking legit ones just like the macOS App Retailer, finance platforms, or cryptocurrency information portals to trick customers into executing dangerous AppleScripts (osascripts).
These scripts are engineered to reap delicate knowledge, together with browser cookies, saved passwords, cryptocurrency pockets data, and browser extensions, posing a extreme risk to people, significantly these engaged in monetary and crypto actions.
Odyssey Stealer Targets macOS Customers
The operation, linked to a command-and-control (C2) panel primarily hosted in Russia, showcases a professional-grade knowledge theft mechanism that prioritizes Western customers in america and the European Union whereas avoiding victims in CIS international locations, a sample usually related to Russian-aligned cybercriminal teams.
The Clickfix approach begins with the creation of visually related or typosquatted domains designed to use consumer typing errors.
Upon visiting these malicious websites, customers are greeted with a faux Cloudflare-style CAPTCHA immediate, accompanied by directions to repeat and paste a Base64-encoded command into their terminal.
In response to Cyfirma, this command fetches and executes a non-obfuscated osascript from servers like odyssey1[.]to or particular IP addresses, triggering a cascade of malicious actions.
Finance and Crypto Lovers at Excessive Danger
The script creates a brief listing, akin to /tmp/lovemrtrump, to retailer stolen knowledge, copies macOS Keychain recordsdata for credential theft, and deploys faux authentication prompts to seize consumer passwords.
It additional targets desktop cryptocurrency wallets like Electrum, Coinomi, and Exodus, alongside browser knowledge from Chrome, Firefox, and Safari, extracting non-public keys, seed phrases, session tokens, and private recordsdata from Desktop and Paperwork folders.
The stolen knowledge is then compressed right into a ZIP file (out.zip) and exfiltrated by way of a curl POST request to attacker-controlled servers, with persistent retry mechanisms making certain supply even underneath intermittent community circumstances.
Odyssey Stealer, a rebranded evolution of Poseidon Stealer and a fork of the AMOS Stealer, demonstrates superior capabilities within the macOS malware-as-a-service ecosystem.
Its management panel gives attackers a structured interface to handle contaminated units, customise malware builds, and hijack browser classes utilizing stolen cookies.
The malware’s give attention to over 100 browser extensions, significantly cryptocurrency-related ones like MetaMask, underscores its intent to maximise monetary achieve.
To fight this risk, organizations and people should undertake sturdy endpoint safety options, implement risk intelligence, and configure firewalls to dam recognized malicious IPs and domains.
Steady community monitoring, behavior-based anomaly detection, and safety consciousness coaching are crucial to mitigating dangers from such social engineering assaults.
As Odyssey Stealer continues to evolve underneath the suspected upkeep of “Rodrigo,” a key determine behind Poseidon and AMOS, vigilance and adaptive defenses stay paramount.
Indicators of Compromise (IoC)
| Indicator | Remarks |
|---|---|
| appmacosx[.]com | Malicious area |
| financementure[.]com | Malicious area |
| cryptoinfo-news[.]com | Malicious area |
| odyssey1[.]to | Odyssey C2 Panel |
| 45[.]135.232.33 | Odyssey C2 Panel |
| a0bdf6f602af5efea0fd96e659ac553e0e23362d2da6aecb13770256a254ef55 | Apple Script |
