Summary:
Elastic Security Labs has uncovered a new stealer malware dubbed Banshee Stealer designed to target Apple macOS systems. Banshee Stealer is currently advertised on cybercriminals forums for a price tag of $3,000 per month. The stealer is capable of targeting a wide range of browsers, cryptocurrency wallets, and approximately 100 browser extensions. Web browsers and crypto wallets targeted by Banshee Stealer include Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Vivaldi, Yandex, Opera, OperaGX, Exodus, Electrum, Coinomi, Guarda, Wasabi Wallet, Atomic, Ledger, etc.

A notable feature of Banshee Stealer is its ability to collect data from various files matching .txt, .docx, .rtf, .doc, .wallet, .keys, and .key extensions from the Desktop and Documents folders. The malware also is equipped with anti-analysis and anti-debugging measures, allowing it to avoid execution within virtual environments. Data gathered by Banshee Staler is typically compressed into a ZIP file using the ‘ditto’ command. This file is then XOR encrypted and base64 encoded and further sent to the C2 server via a post request.

Security Officer Comments:
The developers of Banshee Stealer are likely of Russian origin given that the stealer uses the CFLocaleCopyPreferredLanguages API to avoid infecting systems where Russian is the primary language. Similar to previous macOS strains (Cuckoo and MacStealer) that have been identified by researchers, Banshee Stealer employs a Osascript password prompt with a dialog stating that that to user needs to enter their password to update system settings. With access to system credentials actors could escalate privileges to access sensitive files and move laterally to other systems and resources of interest.

Suggested Corrections:
Info stealers are typically distributed via phishing emails or through the advertisement of downloads for various software. Organizations should train employees to take caution when receiving emails from unknown users, especially those requesting to click on a link or attachment. When in doubt, such activity should be promptly reported to IT staff. In general users should also avoid torrenting software and clicking on search results that are labeled ‘sponsored,’ as adversaries are known for purchasing ads to promote domains hosting malicious software.

YARA rules and IOCs can be found here.

Link(s):
https://thehackernews.com/2024/08/new-banshee-stealer-targets-100-browser.html
https://www.elastic.co/security-labs/beyond-the-wail