Odyssey Stealer Malware Threatens macOS Users Globally
The Odyssey Stealer malware has resurfaced, targeting macOS users in over 100 countries worldwide. This malicious software is designed to harvest sensitive information, including login credentials, browsing history, cryptocurrency assets, and other critical files. It poses a substantial risk to both personal and professional accounts.
How Odyssey Stealer Infiltrates Systems
The malware spreads through deceptive software prompts and fake update notifications, employing social engineering tactics that trick users into executing harmful commands. Once activated, Odyssey Stealer discreetly scans devices for valuable information, which is then transmitted to servers controlled by the attackers.
Unlike many other malware campaigns, this one takes advantage of everyday user behavior rather than exploiting newly discovered weaknesses in macOS. As a result, even users with updated systems are at risk if they fail to verify the legitimacy of software sources.
Significant Risks for Cryptocurrency Users
Odyssey Stealer poses a heightened threat to cryptocurrency users by targeting around 300 different wallet extensions. This allows cybercriminals to cast a wide net, making it easier to compromise browser-based wallets. Additionally, the malware seeks out wallet files from 16 desktop cryptocurrency applications, including well-known names like Electrum and Ledger Live.
Beyond wallets, the malware also aims to steal browser passwords and session cookies, potentially giving attackers unauthorized access to online accounts without needing passwords. This threat extends to developers and remote workers, as it can also collect SSH keys and configuration data for cloud services.
Ensuring Long-term Persistence and Evasion
To remain undetected, Odyssey Stealer installs a persistent LaunchDaemon on infected Macs, enabling it to automatically restart after a system reboot. This persistence mechanism increases the malware’s chances of continuing its data collection activities without the user reopening the initial lure.
Moonlock Lab reports that the operation can replace legitimate cryptocurrency applications with trojanized versions, leading users to unknowingly redirect cryptocurrency transactions to the attackers. The malware’s use of a primary command-and-control server, along with fallback domains, ensures continued communication and data theft even if certain paths are blocked.
Protective Measures Against Odyssey Stealer
Users are advised to download software exclusively from official sources like vendor websites or the Mac App Store. Treat unexpected update prompts with skepticism and verify wallet apps before inputting recovery information.
Organizations should be vigilant for unfamiliar LaunchDaemons, unexpected outbound connections, and alterations to wallet applications. If an infection is suspected, disconnect the affected Mac from networks, change credentials using a secure device, review cryptocurrency accounts, and seek professional incident-response assistance.
Indicators of compromise include IP addresses and domains linked to the malware’s infrastructure, such as the primary command-and-control server at 165.245.215.18 and fallback domains like rahtam.com and scubin.com.
Proactively fortifying defenses against such threats is crucial to prevent significant financial losses. Integrating live threat feeds from security operations centers can enhance detection and response capabilities.
