Aggressive Odyssey Stealer Malware Campaign Targets macOS Users Globally

New Wave of Odyssey Stealer Malware Expands Rapidly, Targeting macOS Users Worldwide with Evasive Variants

HIGH
February 7, 2026
5m read
Malware, Phishing, Mobile Security

Related Entities

Products & Tech: Apple macOS
Other: Odyssey Stealer

Full Report

Executive Summary

Security researchers are tracking a new, rapidly spreading campaign of the Odyssey Stealer malware, which is specifically targeting Apple macOS users. First observed targeting users in the U.S. and Europe, the campaign quickly expanded globally within 24 hours to include countries across Asia, Africa, and South America. Odyssey Stealer is a potent information-stealing malware that exfiltrates browser credentials, cryptocurrency wallet data, and system information. This new variant employs sophisticated evasion techniques, using builders to generate unique samples with modified strings and obfuscation, thereby challenging traditional signature-based detection methods. The primary infection vectors are social engineering tactics, including trojanized applications, cracked software, and phishing websites.

Threat Overview

  • Malware: Odyssey Stealer (macOS variant)
  • Threat Type: Information Stealer (Infostealer)
  • Target Platform: Apple macOS
  • Infection Vector: Social engineering, including fake applications, cracked software downloads, and phishing.
  • Objective: Theft of sensitive personal and financial information, including browser credentials, session cookies, and cryptocurrency wallets.
  • C2 Communication: Exfiltrates data over HTTPS to C2 domains such as Odyssey.c2net.top.

The campaign's rapid geographic expansion and use of polymorphic techniques indicate a well-organized and determined threat actor focusing on the growing macOS user base, which has historically been perceived as a safer platform.

Technical Analysis

Odyssey Stealer is designed for efficient and stealthy data theft on macOS.

  1. Initial Access: The user is lured into downloading and executing a malicious application. This could be a fake update for a popular app, a cracked version of paid software from a torrent site, or a download from a phishing page (T1204.002).

  2. Execution & Persistence: Once executed, the malware installs itself on the system. It may use various persistence techniques common to macOS, such as creating LaunchAgents or LaunchDaemons to ensure it runs automatically upon system startup (T1543.001).

  3. Defense Evasion: The key feature of this new variant is its use of builders. These tools automatically alter the malware's code, changing strings and applying new layers of obfuscation for each sample. Every sample therefore carries a different file hash, a technique known as polymorphism, which defeats simple signature-based antivirus detection (T1027).

  4. Collection: The stealer is programmed to locate and parse data from specific locations on the file system. It targets:

    • Browser Data: It hooks into running browser processes or directly accesses their profile folders to steal saved passwords, cookies, and autofill data from Safari, Chrome, and Firefox (T1555.003).
    • Cryptocurrency Wallets: It searches for files associated with popular cryptocurrency wallets (e.g., wallet.dat) (T1552.001).
    • System Information: It gathers details about the infected machine, such as OS version, hardware, and username (T1082).

  5. Exfiltration: All collected data is bundled, likely compressed and encrypted, and sent to a remote C2 server in an HTTPS POST request, so that the traffic blends in with legitimate web activity.
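As an added example for the persistence step above (this is not code from the report or from any vendor), the following Python routine triages a LaunchAgent or LaunchDaemon plist and flags the traits a responder would want to look at. The trusted and staging directory lists are assumptions to tune for your own fleet, and both plists are constructed samples rather than real Odyssey artifacts.

```python
import plistlib
from pathlib import PurePosixPath

# Directories an auto-starting launch item is expected to point into (assumption: tune per fleet).
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
# Locations droppers commonly stage a payload in (assumption, not taken from the report).
STAGING_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "perl"}


def _has_hidden_component(path: str) -> bool:
    """True when any directory or file name in the path starts with a dot."""
    parts = PurePosixPath(path).parts
    parts = parts[1:] if parts and parts[0] == "/" else parts
    return any(p.startswith(".") for p in parts)


def triage_launch_item(plist_bytes: bytes) -> dict:
    """Parse a launchd plist; an empty 'reasons' list means nothing stood out for manual review."""
    item = plistlib.loads(plist_bytes)
    args = list(item.get("ProgramArguments") or [])
    program = item.get("Program") or (args[0] if args else "")
    autostart = bool(item.get("RunAtLoad")) or bool(item.get("KeepAlive"))
    reasons = []
    if autostart and not program.startswith(TRUSTED_PREFIXES):
        reasons.append("auto-start program outside trusted directories")
    if any(a.startswith(STAGING_PREFIXES) for a in args):
        reasons.append("references a temporary or staging location")
    if PurePosixPath(program).name in INTERPRETERS and len(args) > 1:
        reasons.append("interpreter launched with inline arguments")
    if any(_has_hidden_component(a) for a in args):
        reasons.append("hidden (dot-prefixed) path component")
    return {"label": item.get("Label", ""), "program": program,
            "autostart": autostart, "reasons": reasons}


# Constructed sample plists for demonstration; neither is a real Odyssey artifact.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
})
SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.apple.softwareupdate.helper",  # Apple-looking label on a non-Apple item
    "ProgramArguments": ["/bin/sh", "-c", "/Users/Shared/.cache/.helper"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
```

Run it over the plist files under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons and review any item that returns reasons; a hit is a lead for a responder, not a verdict on its own.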

Impact Assessment

A successful infection by Odyssey Stealer can have severe consequences for individuals and organizations:

  • Financial Loss: Theft of banking credentials and cryptocurrency wallets can lead to direct financial theft.
  • Identity Theft: Compromise of personal information and credentials from various online accounts can be used for identity theft and further fraud.
  • Corporate Compromise: If a corporate device is infected, the stolen credentials could provide attackers with access to sensitive company resources, including cloud applications, VPNs, and internal networks.

Detection & Response

  • Endpoint Protection: Use a modern EDR or next-generation antivirus (NGAV) solution on macOS endpoints that relies on behavioral analysis rather than just signatures to detect threats like Odyssey Stealer.
  • Network Monitoring: Monitor outbound network traffic for connections to known malicious domains like Odyssey.c2net.top. Egress filtering and SSL/TLS inspection can help identify C2 communications.
  • Suspicious Downloads: Investigate alerts related to users downloading software from untrusted sources or disabling built-in macOS security features like Gatekeeper.
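As an added example of the network-monitoring item above (not code from the report or from any vendor), this Python script scans proxy log lines for connections to the C2 domain named in the report, matching subdomains on label boundaries so that look-alike hosts are not caught by accident, and marks large POST requests as likely exfiltration. The log format, the sample lines and the size threshold are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# The C2 domain named in the report; extend this set from your own threat intel feed.
C2_DOMAINS = {"odyssey.c2net.top"}

# Constructed proxy log lines (not real telemetry):
# timestamp  client_ip  method  url  status  bytes_sent_by_client
SAMPLE_LOG = """\
2026-02-07T10:01:12Z 10.0.4.21 GET https://updates.example.com/check 200 312
2026-02-07T10:01:40Z 10.0.4.21 POST https://Odyssey.c2net.top/api/upload 200 1483211
2026-02-07T10:02:05Z 10.0.4.37 GET https://c2net.top.example.org/ 200 98
2026-02-07T10:03:17Z 10.0.4.21 POST https://gate.odyssey.c2net.top/ 403 20114
"""
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) (\d+)$")
EXFIL_BYTES = 100_000  # assumption: a POST to a C2 domain above this size is treated as exfiltration


def host_matches(host: str, indicators) -> bool:
    """True when host equals an indicator or is a subdomain of one.

    Comparison is case-insensitive and on label boundaries, so
    'c2net.top.example.org' does not match 'odyssey.c2net.top'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in indicators)


def find_c2_hits(log_text: str, indicators=C2_DOMAINS) -> list:
    """Return one record per log line whose destination host is a C2 indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, client, method, url, status, sent = m.groups()
        host = urlsplit(url).hostname or ""  # urlsplit lowercases the host for us
        if host_matches(host, indicators):
            hits.append({"time": ts, "client": client, "method": method, "host": host,
                         "status": int(status), "bytes_sent": int(sent),
                         "likely_exfil": method == "POST" and int(sent) >= EXFIL_BYTES})
    return hits


def clients_to_isolate(hits) -> set:
    """Client addresses that talked to C2 infrastructure and should be pulled for IR triage."""
    return {h["client"] for h in hits}
```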

Mitigation

  • User Education: Train users to only download software from the official Mac App Store or directly from verified developer websites. Warn them about the dangers of cracked software and phishing attempts.
  • Enforce macOS Security Features: Ensure that macOS security settings like Gatekeeper and XProtect are enabled and configured to prevent the execution of unsigned or unnotarized applications.
  • Principle of Least Privilege: Users should not run with administrative privileges for daily tasks. This can prevent malware from installing itself system-wide or gaining deep persistence.
  • Password Management: Encourage the use of password managers. While the stealer can target these, they often promote the use of unique, strong passwords for each site, which can limit the blast radius of a credential breach.

Timeline of Events

1. February 7, 2026: This article was published

MITRE ATT&CK Mitigations

Use a next-generation endpoint security product that uses behavioral analysis to detect polymorphic malware like Odyssey Stealer.

Educate users about the dangers of downloading and running software from untrusted sources, especially cracked applications.

Leverage built-in macOS security features like Gatekeeper to prevent the execution of applications from unidentified developers.

Running as a standard user limits the malware's ability to access system-wide files or establish persistence in system-level directories.

D3FEND Defensive Countermeasures

A primary defense against the Odyssey Stealer campaign on macOS is to strictly control which applications are allowed to run. Organizations should configure macOS endpoints to enforce Gatekeeper settings, allowing only applications from the App Store and identified developers. This prevents users from easily running trojanized or cracked software downloaded from the internet. For corporate environments, a more robust approach is to use a Mobile Device Management (MDM) solution to create a denylist or allowlist of applications. This ensures that only company-vetted software can be executed, effectively blocking the initial execution of the Odyssey Stealer dropper, regardless of how convincing the social engineering lure is.

Since this Odyssey Stealer variant uses polymorphism to evade signature-based detection, behavioral analysis is key. Deploying an EDR solution on macOS endpoints allows security teams to monitor for the malicious behaviors of the stealer. Specifically, EDRs can be configured to alert on processes that attempt to access sensitive files associated with browser credentials (e.g., the 'Login Data' file for Chrome or the 'keychain' database) or cryptocurrency wallets. An alert for an unsigned or newly installed application attempting to read these files is a high-confidence indicator of an info-stealer infection. This allows for detection based on the malware's actions, not its signature, which is essential for combating polymorphic threats.
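As an added example of the behavioral rule described above (not code from the report or from any EDR vendor), this Python rule evaluates file-read events of the kind an EDR emits and alerts when a process that is unsigned, newly installed, or simply not an expected reader touches browser credential stores or wallet files. The file patterns, the allowed-reader table with its placeholder signer identifiers, and the events are all constructed assumptions.

```python
import fnmatch

# Files the report names as stealer targets, as glob patterns over a macOS home directory
# (assumed Chrome/keychain/wallet layout; the patterns are not taken from the report).
SENSITIVE_PATTERNS = {
    "browser_credentials": [
        "/Users/*/Library/Application Support/Google/Chrome/*/Login Data",
        "/Users/*/Library/Keychains/login.keychain-db",
    ],
    "crypto_wallet": ["/Users/*/Library/Application Support/*/wallet.dat"],
}
# Processes expected to read that data and the code signer each must carry.
# Signer values are placeholders; substitute your fleet's real Developer ID team identifiers.
ALLOWED_READERS = {"Google Chrome": "devid:CHROME-TEAM-ID-PLACEHOLDER", "securityd": "apple"}
NEW_APP_WINDOW = 86_400  # seconds; a binary installed less than a day ago counts as "new"


def classify_read(event: dict, now_epoch: int):
    """Return an alert for a suspicious read of a sensitive file, or None when it is expected."""
    category = next((c for c, pats in SENSITIVE_PATTERNS.items()
                     if any(fnmatch.fnmatch(event["path"], p) for p in pats)), None)
    if category is None:
        return None  # not one of the files the stealer goes after
    proc, signer = event["process"], event.get("signer", "unsigned")
    if ALLOWED_READERS.get(proc) == signer:
        return None  # the data's legitimate owner, carrying the expected signature
    reasons = []
    if signer == "unsigned":
        reasons.append("unsigned process")
    if now_epoch - event.get("installed_at", 0) < NEW_APP_WINDOW:
        reasons.append("binary installed within the last day")
    if not reasons:
        reasons.append("process is not an expected reader of this data")
    severity = "high" if signer == "unsigned" or len(reasons) > 1 else "medium"
    return {"process": proc, "category": category, "severity": severity, "reasons": reasons}


def run_rule(events, now_epoch: int) -> list:
    """Apply classify_read to a batch of file-read events and keep only the alerts."""
    return [a for a in (classify_read(e, now_epoch) for e in events) if a]


NOW = 1_770_500_000  # constructed reference time (epoch seconds)
# Constructed EDR file-read events for the demo; none describe a real process or sample.
EVENTS = [
    {"process": "Google Chrome", "signer": "devid:CHROME-TEAM-ID-PLACEHOLDER", "installed_at": NOW - 90 * 86_400,
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"process": "ActivationHelper", "signer": "unsigned", "installed_at": NOW - 600,
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"process": "BackupAgent", "signer": "devid:OTHER-TEAM-ID-PLACEHOLDER", "installed_at": NOW - 400 * 86_400,
     "path": "/Users/alice/Library/Application Support/Bitcoin/wallet.dat"},
]
```

The severity split matters operationally: an unsigned or day-old binary reading Login Data is the high-confidence case the text describes, while a long-installed signed process that is merely not on the allowed list is worth a look but more often a backup or sync tool to add to the table.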

Sources & References

New Wave of Odyssey Stealer Actively Targeting macOS Users
Team Vin Global (teamwinglobal.com) February 7, 2026
New Variant Of Odyssey Stealer Malware Plagues macOS Systems
Cyberpress (cyberpress.com) February 6, 2026

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

macOS, InfoStealer, Credential Theft, Cryptocurrency, Polymorphic Malware
