Security researchers have uncovered a new information-stealing malware built specifically to target Apple macOS systems.
Named Banshee Stealer, it is sold in the cybercrime underground for the steep price of $3,000 a month and runs on both x86_64 and ARM64 architectures.
“Banshee Stealer targets a wide array of browsers, digital currency wallets, and approximately 100 browser extensions, solidifying its position as a flexible and risky menace,” Elastic Security Labs stated in a report on Thursday.
The web browsers and cryptocurrency wallets targeted by the malware include Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Vivaldi, Yandex, Opera, OperaGX, Exodus, Electrum, Coinomi, Guarda, Wasabi Wallet, Atomic, and Ledger.
It also collects system information and data from iCloud Keychain passwords and Notes, and incorporates numerous anti-analysis and anti-debugging checks to determine whether it is running in a virtual environment, in an effort to evade detection.
In addition, it uses the CFLocaleCopyPreferredLanguages API to avoid infecting systems where Russian is the primary language.
Like other macOS malware families such as Cuckoo and MacStealer, Banshee Stealer uses osascript to display a fake password prompt that tricks users into entering their system passwords, which it then uses for privilege escalation.
Other notable capabilities include collecting files with the .txt, .docx, .rtf, .doc, .wallet, .keys, and .key extensions from the Desktop and Documents directories. The harvested data is then exfiltrated as a ZIP archive to a remote server (“45.142.122[.]92/send/”).
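A defender-side illustration of the collection and exfiltration behaviour described above, added here as an example and not taken from the Elastic report: it scans constructed endpoint log lines for the indicators the report names (an osascript password prompt, reads of the listed file types under Desktop and Documents, and POSTs to the 45.142.122[.]92/send/ endpoint). The key=value log format, the field names and the "password in dialog text" heuristic are assumptions.

```python
import re
from pathlib import PurePosixPath
# Indicators from the report above (the IP is printed defanged in the article).
EXFIL_HOST = "45.142.122.92"
EXFIL_PATH = "/send/"
HARVESTED_EXTS = {".txt", ".docx", ".rtf", ".doc", ".wallet", ".keys", ".key"}
HARVESTED_DIRS = {"Desktop", "Documents"}
# Assumed log format: one event per line as key=value pairs, values optionally quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value log line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def check_event(ev):
    """Return the names of the Banshee-style indicators one event matches."""
    hits, kind = [], ev.get("type")
    if kind == "net" and ev.get("dst") == EXFIL_HOST and ev.get("path", "").startswith(EXFIL_PATH):
        hits.append("exfil_endpoint")
    if kind == "file":
        p = PurePosixPath(ev.get("path", ""))  # e.g. /Users/alice/Desktop/notes.txt
        under_home_dir = len(p.parts) > 3 and p.parts[1] == "Users" and p.parts[3] in HARVESTED_DIRS
        if under_home_dir and p.suffix.lower() in HARVESTED_EXTS:
            hits.append("harvest_path")
    # Heuristic (assumption): osascript launched with dialog text that mentions a password.
    if (kind == "proc" and ev.get("image", "").endswith("/osascript")
            and "password" in ev.get("args", "").lower()):
        hits.append("osascript_password_prompt")
    return hits

def scan(lines):
    """Map each matching log line to its indicators; non-matching lines are dropped."""
    result = {}
    for line in lines:
        hits = check_event(parse_event(line))
        if hits:
            result[line] = hits
    return result

# Constructed sample telemetry: three events that should fire and three that should not.
SAMPLE_LOG = [
    'type=proc image=/usr/bin/osascript args="display dialog macOS needs your password to continue"',
    'type=proc image=/usr/bin/osascript args="tell application Finder to activate"',
    'type=file op=open path=/Users/alice/Documents/seed.wallet',
    'type=file op=open path=/Users/alice/Library/Caches/cache.txt',
    'type=net dst=45.142.122.92 path=/send/ method=POST ctype=application/zip',
    'type=net dst=192.0.2.10 path=/ method=GET',
]
for line, hits in scan(SAMPLE_LOG).items():
    print(", ".join(hits), "<-", line)
```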
“Given the mounting focus of cyber delinquents on macOS, Banshee Stealer underscores the escalating occurrence of macOS-specific malware,” Elastic mentioned.
The disclosure comes as Hunt.io and Kandji detailed another macOS stealer that uses SwiftUI and Apple’s Open Directory APIs to capture and verify passwords entered by the user in a bogus prompt shown under the pretext of completing the installation process.
“The process starts by running a Swift-based dropper that pops up a counterfeit password prompt to trick users,” Broadcom-owned Symantec noted. “Post gathering credentials, the malware verifies them through the OpenDirectory API and subsequently downloads and executes nefarious scripts from a command-and-control server.”

The development also follows the continued emergence of new Windows-based stealers such as Flame Stealer, even as fake websites impersonating OpenAI’s text-to-video artificial intelligence (AI) tool, Sora, are being used to distribute Braodo Stealer.
Separately, Israeli users are being targeted with phishing emails carrying RAR archive attachments that impersonate Calcalist and Mako to deliver Rhadamanthys Stealer.