New Banshee Stealer Targets Over 100 Browser Extensions on macOS Systems

Cybersecurity experts have discovered a new piece of stealer malware specifically crafted to attack Apple macOS systems.

Known as Banshee Stealer, this malware is being sold in the cybercriminal underworld for a hefty price of $3,000 per month, and it functions across both x86_64 and ARM64 architectures.

“Banshee Stealer is a highly versatile and dangerous threat, targeting a broad spectrum of web browsers, cryptocurrency wallets, and approximately 100 browser extensions,” Elastic Security Labs revealed in a Thursday report.

The malware’s targets include popular web browsers and cryptocurrency wallets such as Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Vivaldi, Yandex, Opera, OperaGX, Exodus, Electrum, Coinomi, Guarda, Wasabi Wallet, Atomic, and Ledger.

In addition to this, Banshee Stealer is capable of extracting system information and data from iCloud Keychain passwords and Notes. It also incorporates various anti-analysis and anti-debugging techniques to check if it’s being run in a virtual environment, thereby attempting to evade detection.

Moreover, the malware employs the CFLocaleCopyPreferredLanguages API to avoid infecting systems where Russian is the primary language.

Similar to other macOS malware like Cuckoo and MacStealer, Banshee Stealer uses osascript to display a fake password prompt, tricking users into entering their system passwords to escalate privileges.

Other notable features include the ability to gather data from files with extensions like .txt, .docx, .rtf, .doc, .wallet, .keys, and .key located in the Desktop and Documents folders. The collected data is then exfiltrated in a ZIP archive to a remote server (“45.142.122[.]92/send/”).
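The behaviours described above (an osascript password prompt, reads of Desktop/Documents files with the listed extensions, ZIP staging, and a connection to the reported server) chain together into a detectable pattern on an endpoint. The following is an added defender-side example, not code from the article or from Elastic Security Labs: it runs a small heuristic over constructed JSON-lines telemetry events (process, file_read, file_write, network), tags each event, aggregates tags per process ID, and returns a verdict. The event schema, field names and all sample values except the extensions and the 45.142.122.92/send/ endpoint quoted in the article are assumptions.

```python
"""Toy detection pass for Banshee-style macOS stealer behaviour.

Added example (not the article's or Elastic's code). Telemetry format and
sample events below are constructed; the target extensions and the C2
endpoint are the indicators quoted in the article.
"""
import json
import re
from collections import defaultdict

# Indicators quoted in the article.
C2_HOST = "45.142.122.92"
C2_PATH = "/send/"
TARGET_EXTS = {".txt", ".docx", ".rtf", ".doc", ".wallet", ".keys", ".key"}
STAGING_DIRS = ("/Desktop/", "/Documents/")

# A fake password prompt drawn with osascript is a "display dialog" with a
# "default answer" text field and "hidden answer" (masked input).
PROMPT_RE = re.compile(r"display dialog.*default answer.*hidden answer", re.I | re.S)

# Constructed sample telemetry: pid 501 mimics the described chain, pid 777 is benign.
SAMPLE_EVENTS = """\
{"ts": 1, "pid": 501, "type": "process", "image": "/usr/bin/osascript", "cmdline": "osascript -e 'display dialog \\"System needs your password\\" default answer \\"\\" with hidden answer'"}
{"ts": 2, "pid": 501, "type": "file_read", "path": "/Users/alice/Documents/seed.wallet"}
{"ts": 3, "pid": 501, "type": "file_read", "path": "/Users/alice/Desktop/notes.txt"}
{"ts": 4, "pid": 501, "type": "file_read", "path": "/Users/alice/Desktop/photo.png"}
{"ts": 5, "pid": 501, "type": "file_write", "path": "/tmp/out.zip"}
{"ts": 6, "pid": 501, "type": "network", "dest": "45.142.122.92", "path": "/send/"}
{"ts": 7, "pid": 777, "type": "process", "image": "/usr/bin/osascript", "cmdline": "osascript -e 'display notification \\"Backup done\\"'"}
{"ts": 8, "pid": 777, "type": "network", "dest": "192.0.2.10", "path": "/"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Return the list of alert tags that apply to a single event."""
    tags = []
    kind = event.get("type")
    if kind == "process" and event.get("image", "").endswith("/osascript"):
        if PROMPT_RE.search(event.get("cmdline", "")):
            tags.append("fake_password_prompt")
    elif kind == "file_read":
        path = event.get("path", "")
        ext = "." + path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext in TARGET_EXTS and any(d in path for d in STAGING_DIRS):
            tags.append("targeted_file_read")
    elif kind == "file_write" and event.get("path", "").lower().endswith(".zip"):
        tags.append("zip_staging")
    elif kind == "network" and event.get("dest") == C2_HOST \
            and event.get("path", "").startswith(C2_PATH):
        tags.append("known_c2")
    return tags


def tags_by_pid(events):
    """Aggregate distinct tags per process ID; processes with no tags are dropped."""
    per_pid = defaultdict(set)
    for e in events:
        per_pid[e["pid"]].update(classify(e))
    return {pid: sorted(t) for pid, t in per_pid.items() if t}


def verdict(tags):
    """A known C2 contact, or three or more distinct stealer behaviours, is a chain."""
    if "known_c2" in tags or len(tags) >= 3:
        return "stealer_chain"
    return "suspicious" if tags else "benign"


if __name__ == "__main__":
    for pid, tags in tags_by_pid(parse_events(SAMPLE_EVENTS)).items():
        print(pid, verdict(tags), tags)
```

The single-event tags are deliberately weak on their own (legitimate admin scripts use osascript and users zip their own documents); the per-process aggregation is what turns them into a usable alert, and the C2 match is treated as sufficient by itself because it is a concrete indicator rather than a behaviour.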

“As macOS continues to become a more significant target for cybercriminals, Banshee Stealer highlights the increasing trend of macOS-specific malware,” Elastic stated.

This discovery comes as Hunt.io and Kandji have also detailed another macOS stealer strain that uses SwiftUI and Apple’s Open Directory APIs to capture and verify passwords entered by users through a fake prompt displayed during the installation process.

“It starts by running a Swift-based dropper that presents a fake password prompt to deceive users,” Symantec, owned by Broadcom, explained. “After capturing credentials, the malware verifies them using the Open Directory API and then downloads and executes malicious scripts from a command-and-control server.”

This development is occurring alongside the ongoing emergence of new Windows-based stealers like Flame Stealer, as well as fake sites posing as OpenAI’s text-to-video AI tool, Sora, being used to spread Braodo Stealer.
