New Banshee Stealer Targets 100+ Browser Extensions on Apple macOS Systems
Cybersecurity researchers have uncovered new stealer malware that is designed to specifically target Apple macOS systems.
Dubbed Banshee Stealer, it is offered for sale in the cybercrime underground for a steep price of $3,000 a month and works across both x86_64 and ARM64 architectures.
"Banshee Stealer targets a wide range of browsers, cryptocurrency wallets, and around 100 browser extensions, making it a highly versatile and dangerous threat," Elastic Security Labs said in a Thursday report.
The web browsers and crypto wallets targeted by the malware comprise Safari, Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Vivaldi, Yandex, Opera, OperaGX, Exodus, Electrum, Coinomi, Guarda, Wasabi Wallet, Atomic, and Ledger.
It is also equipped to harvest system information and data from iCloud Keychain passwords and Notes, as well as incorporate a slew of anti-analysis and anti-debugging measures to determine whether it is running in a virtual environment, in an attempt to evade detection.
Furthermore, it uses the CFLocaleCopyPreferredLanguages API to avoid infecting systems where Russian is the primary language.
Like other macOS malware strains such as Cuckoo and MacStealer, Banshee Stealer also leverages osascript to display a fake password prompt that tricks users into entering their system passwords for privilege escalation.
Other notable features include the ability to collect data from files matching the .txt, .docx, .rtf, .doc, .wallet, .keys, and .key extensions in the Desktop and Documents folders. The collected data is then exfiltrated as a ZIP archive to a remote server ("45.142.122[.]92/send/").
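The two host-side behaviours described above, the osascript password prompt and the archiving of Desktop/Documents files before exfiltration, are the kind of thing a macOS EDR or log pipeline can flag. The following Python is an added detection sketch, not code from Elastic or from the article; the process events it runs over are constructed samples, and the dictionary field names (`pid`, `process`, `cmdline`) are an assumed telemetry shape.

```python
from __future__ import annotations
import re
import shlex

# File extensions the article says the stealer harvests from Desktop and Documents.
HARVESTED_EXTS = {".txt", ".docx", ".rtf", ".doc", ".wallet", ".keys", ".key"}
USER_DOC_DIRS = re.compile(r"^/Users/[^/]+/(Desktop|Documents)/")
ARCHIVERS = {"zip", "ditto", "tar"}

# Constructed sample process-start events (not real telemetry); command lines are
# invented to resemble the behaviours described in the article, plus benign noise.
SAMPLE_EVENTS = [
    {"pid": 4101, "process": "/usr/bin/osascript",
     "cmdline": "osascript -e 'display dialog \"Enter password\" default answer \"\" with hidden answer'"},
    {"pid": 4102, "process": "/usr/bin/zip",
     "cmdline": "zip -r /tmp/stage.zip /Users/alice/Desktop/seed.wallet /Users/alice/Documents/notes.txt"},
    {"pid": 4200, "process": "/usr/bin/osascript",
     "cmdline": "osascript -e 'display notification \"Build finished\"'"},
    {"pid": 4300, "process": "/usr/bin/zip",
     "cmdline": "zip -r /tmp/src.zip /Users/alice/code/project"},
]

def is_fake_password_prompt(cmdline: str) -> bool:
    """'display dialog ... with hidden answer' is the AppleScript idiom for a masked
    text field, i.e. a password prompt drawn outside the normal macOS auth UI."""
    low = cmdline.lower()
    return "osascript" in low and "display dialog" in low and "hidden answer" in low

def staged_user_documents(cmdline: str) -> list[str]:
    """Return Desktop/Documents paths with harvested extensions that an archiver is
    bundling; this is the staging step that precedes the ZIP exfiltration."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return []
    if not argv or argv[0].rsplit("/", 1)[-1] not in ARCHIVERS:
        return []
    return [a for a in argv[1:]
            if USER_DOC_DIRS.match(a) and any(a.lower().endswith(e) for e in HARVESTED_EXTS)]

def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map each event pid to the alert labels it triggers; events with none are omitted."""
    findings: dict[int, list[str]] = {}
    for ev in events:
        labels = []
        if is_fake_password_prompt(ev["cmdline"]):
            labels.append("fake-password-prompt")
        if staged_user_documents(ev["cmdline"]):
            labels.append("document-staging")
        if labels:
            findings[ev["pid"]] = labels
    return findings

if __name__ == "__main__":
    for pid, labels in triage(SAMPLE_EVENTS).items():
        print(pid, labels)
```

Either label on its own is noisy (admin scripts use osascript, users zip their own documents); correlating both from one process tree within a short window is the stronger signal.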
"As macOS increasingly becomes a prime target for cybercriminals, Banshee Stealer underscores the rising observance of macOS-specific malware," Elastic said.
The disclosure comes as Hunt.io and Kandji detailed another macOS stealer strain that leverages SwiftUI and Apple's Open Directory APIs to capture and verify passwords entered by the user in a bogus prompt displayed in order to complete the installation process.
"It starts by running a Swift-based dropper that displays a fake password prompt to deceive users," Broadcom-owned Symantec said. "After capturing credentials, the malware verifies them using the OpenDirectory API and subsequently downloads and executes malicious scripts from a command-and-control server."
This development also follows the continued emergence of new Windows-based stealers such as Flame Stealer, even as fake sites masquerading as OpenAI's text-to-video artificial intelligence (AI) tool, Sora, are being used to propagate Braodo Stealer.
Separately, Israeli users are being targeted with phishing emails containing RAR archive attachments that impersonate Calcalist and Mako to deliver Rhadamanthys Stealer.