New Banshee Stealer Targets Over 100 Browser Extensions on Apple macOS Systems

August 16, 2024 | Ravie Lakshmanan | Malware / Browser Security

Cybersecurity researchers have discovered new stealer malware specifically designed to target Apple macOS systems.

It’s called Banshee Stealer and is sold in the cybercrime underground for a hefty price of $3,000 per month. It works on both x86_64 and ARM64 architectures.

“Banshee Stealer targets a wide range of browsers, cryptocurrency wallets, and approximately 100 browser extensions, making it a versatile and dangerous threat,” Elastic Security Labs said in a report Thursday.

The web browsers and crypto wallets targeted by the malware include Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Vivaldi, Yandex, Opera, OperaGX, Exodus, Electrum, Coinomi, Guarda, Wasabi Wallet, Atomic, and Ledger.

It is also equipped to collect system data and information from iCloud Keychain passwords and Notes. In addition, it includes a range of anti-analysis and anti-debugging measures to determine whether it is running in a virtual environment, in an attempt to evade detection.

Additionally, it uses the CFLocaleCopyPreferredLanguages API to avoid infecting systems where Russian is the primary language.

Like other macOS malware strains such as Cuckoo and MacStealer, Banshee Stealer leverages osascript to display a fake password prompt and trick users into entering their system passwords to escalate privileges.

Other notable features include the ability to collect files with the .txt, .docx, .rtf, .doc, .wallet, .keys, and .key extensions from the Desktop and Documents folders. The collected data is then packed into a ZIP archive and exfiltrated to a remote server (“45.142.122(.)92/send/”).
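As an added defender-side example (not code from the article or from Elastic's report), the Python below applies simple triage rules for the traits described above to a few constructed telemetry lines. The event format, user paths and the osascript command text are assumptions; the file extensions and the C2 address are the ones the article lists.

```python
import re
from typing import Dict, List

# Constructed endpoint telemetry (not taken from the report). One event per
# line, "<type>|<key>=<value>|..."; the shape is an assumption for this demo.
SAMPLE_EVENTS = [
    "process|ppid=512|cmd=/usr/bin/osascript -e 'display dialog \"macOS needs to "
    "access System Settings\" default answer \"\" with hidden answer'",
    "file|path=/Users/alice/Desktop/keys.key|op=read",
    "file|path=/Users/alice/Documents/wallet.wallet|op=read",
    "process|ppid=512|cmd=/usr/bin/zip -r /tmp/out.zip /tmp/collected",
    "network|dst=45.142.122.92|port=80|url=http://45.142.122.92/send/",
    # Benign osascript use: no hidden-answer password field, should not alert.
    "process|ppid=1|cmd=/usr/bin/osascript -e 'tell application \"Finder\" to empty trash'",
]

# Traits reported for Banshee Stealer: an osascript password prompt, harvesting
# of document/wallet files from Desktop and Documents, and the quoted C2 path.
HIDDEN_ANSWER_RE = re.compile(r"osascript.*display dialog.*with hidden answer", re.S)
HARVEST_EXT_RE = re.compile(r"\.(txt|docx|rtf|doc|wallet|keys|key)$", re.I)
HARVEST_DIR_RE = re.compile(r"^/Users/[^/]+/(Desktop|Documents)/")
C2_URL = "45.142.122.92/send/"  # indicator quoted in the article (defanged there)


def parse(line: str) -> Dict[str, str]:
    """Split one telemetry line into a dict; the first field is the event type."""
    kind, *fields = line.split("|")
    event = {"type": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each alert name to the raw events that triggered it."""
    alerts: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse(line)
        if ev["type"] == "process" and HIDDEN_ANSWER_RE.search(ev.get("cmd", "")):
            alerts.setdefault("fake_password_prompt", []).append(line)
        elif ev["type"] == "file" and HARVEST_DIR_RE.match(ev.get("path", "")) \
                and HARVEST_EXT_RE.search(ev["path"]):
            alerts.setdefault("document_wallet_harvest", []).append(line)
        elif ev["type"] == "network" and C2_URL in ev.get("url", ""):
            alerts.setdefault("known_c2_contact", []).append(line)
    return alerts


def verdict(lines: List[str]) -> str:
    """A single trait (e.g. one .key read) is noisy; two or more is worth a ticket."""
    return "likely_stealer_activity" if len(triage(lines)) >= 2 else "no_match"
```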

“As macOS becomes an increasing target for cybercriminals, Banshee Stealer underscores the growing popularity of macOS-specific malware,” Elastic said.

The revelation comes as Hunt.io and Kandji describe another macOS stealer that uses SwiftUI and Apple’s Open Directory APIs to collect and verify passwords entered by the user into a fake prompt displayed to complete the installation process.

“It starts by executing a Swift-based dropper that displays a fake password prompt to trick users,” said Symantec, which is owned by Broadcom. “After capturing credentials, the malware verifies them using the OpenDirectory API, and then downloads and executes malicious scripts from a command-and-control server.”

This development also follows the continued emergence of new Windows-based stealers, such as Flame Stealer. Fake sites posing as Sora, OpenAI’s text-to-video artificial intelligence (AI) tool, are also being used to distribute Braodo Stealer.

In addition, Israeli users are being targeted with phishing emails containing RAR archive attachments. The emails impersonate Calcalist and Mako and are intended to distribute Rhadamanthys Stealer.
