Cybersecurity researchers have discovered a new stealer malware specifically designed for Apple macOS systems.
Named Banshee Stealer, this malware is being sold on the cybercrime market for $3,000 per month and is compatible with both x86_64 and ARM64 architectures.
“Banshee Stealer is highly versatile, targeting numerous browsers, cryptocurrency wallets, and about 100 browser extensions,” the researchers reported.
The malware affects a wide range of browsers and crypto wallets, including Safari, Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Vivaldi, Yandex, Opera, OperaGX, as well as wallet applications like Exodus, Electrum, Coinomi, Guarda, Wasabi Wallet, Atomic, and Ledger.
Banshee Stealer also collects system information and data from iCloud Keychain passwords and Notes. It carries anti-analysis and anti-debugging checks, including tests for whether it is running inside a virtual machine, so that it can abort or stay quiet when it is being examined in a sandbox.
Additionally, the malware uses the CFLocaleCopyPreferredLanguages API to avoid infecting systems where Russian is the primary language.
Similar to other macOS malware like Cuckoo and MacStealer, Banshee Stealer uses osascript to show a fake password prompt. The dialog is a plain AppleScript dialog dressed up to look like a system request; whatever the user types is handed to the malware, which can then use the captured system password to gain elevated privileges.
Banshee Stealer also harvests files with the extensions .txt, .docx, .rtf, .doc, .wallet, .keys, and .key from the Desktop and Documents folders. The collected data is compressed into a ZIP archive and exfiltrated to a remote server at “45.142.122[.]92/send/”.
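The behaviours described in the last two paragraphs (an osascript password dialog, archiving of Desktop and Documents, and a connection to the reported C2 address) are all visible in ordinary process and network telemetry. The script below is an added example, not code from the report or from the malware; it hunts for those three behaviours over a constructed, generic newline-delimited JSON event stream (the `type`/`pid`/`parent`/`cmd`/`dst`/`path` field names are an assumption, not any specific EDR's schema) and correlates the archive step with the C2 connection by process ID:

```python
"""Hunt for the Banshee Stealer behaviours described in the article.

Added example, not from the original report.  The event schema is a
constructed, generic JSON-per-line format (assumption), not a real EDR's.
"""
import json
import re
from typing import Dict, List

# Indicator from the report, written defanged exactly as the article prints it.
C2_DEFANGED = "45.142.122[.]92"
C2_PATH = "/send/"

# 'with hidden answer' is the AppleScript idiom for a masked password field.
# Legitimate installers use it too, so a hit is a lead to triage, not a verdict.
FAKE_PROMPT_RE = re.compile(r"display dialog.*\bwith hidden answer\b", re.S)
ARCHIVER_RE = re.compile(r"\b(zip|ditto|tar)\b")
USER_DOC_DIRS_RE = re.compile(r"/Users/[^/\s]+/(Desktop|Documents)\b")

# Constructed sample telemetry (not real captures).  203.0.113.5 is a
# documentation-range address standing in for unrelated benign traffic.
SAMPLE_EVENTS = r"""
{"type":"process","pid":4101,"parent":"Banshee","cmd":"osascript -e 'display dialog \"Please enter your password\" default answer \"\" with hidden answer with icon caution'"}
{"type":"process","pid":4102,"parent":"Terminal","cmd":"osascript -e 'display notification \"Build done\"'"}
{"type":"process","pid":4103,"parent":"Banshee","cmd":"zip -r /tmp/out.zip /Users/demo/Desktop /Users/demo/Documents"}
{"type":"network","pid":4103,"dst":"45.142.122.92","port":80,"path":"/send/"}
{"type":"network","pid":4200,"dst":"203.0.113.5","port":443,"path":"/"}
"""


def refang(ioc: str) -> str:
    """Turn a defanged IP such as '45.142.122[.]92' back into a comparable one."""
    return ioc.replace("[.]", ".")


def parse_events(text: str) -> List[Dict]:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: List[Dict]) -> List[Dict]:
    """Return one finding per matching event, in event order.

    Process IDs that archived Desktop/Documents are remembered so that a
    later connection to the C2 address from the same PID is reported as the
    stronger 'after staging' finding rather than a bare indicator match.
    """
    findings: List[Dict] = []
    stagers = set()
    c2_ip = refang(C2_DEFANGED)
    for ev in events:
        if ev["type"] == "process":
            cmd = ev["cmd"]
            if "osascript" in cmd and FAKE_PROMPT_RE.search(cmd):
                findings.append({"rule": "osascript_password_prompt",
                                 "pid": ev["pid"], "parent": ev["parent"]})
            if ARCHIVER_RE.search(cmd) and USER_DOC_DIRS_RE.search(cmd):
                stagers.add(ev["pid"])
                findings.append({"rule": "archive_of_user_documents",
                                 "pid": ev["pid"], "parent": ev["parent"]})
        elif ev["type"] == "network":
            if ev["dst"] == c2_ip and ev.get("path", "").startswith(C2_PATH):
                rule = ("banshee_c2_after_staging" if ev["pid"] in stagers
                        else "banshee_c2_indicator")
                findings.append({"rule": rule, "pid": ev["pid"], "dst": ev["dst"]})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The IP-based rule is the most brittle of the three, since a stealer's infrastructure changes between campaigns; the osascript and archive rules describe behaviour and will keep working after the address in the report is retired.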
As macOS becomes a more prominent target for cybercriminals, Banshee Stealer highlights the growing trend of macOS-specific malware, according to the report.
This revelation comes alongside other findings, including a new macOS stealer that uses SwiftUI and Apple’s Open Directory APIs to capture and verify user passwords through a fake prompt during installation. Researchers reported that this malware runs a Swift-based dropper to display a counterfeit password prompt, checks the entered credentials against the local account with the OpenDirectory API so that only a correct password is accepted, and then downloads malicious scripts from a command-and-control server.
The emergence of Banshee Stealer also follows the development of new Windows-based stealers like Flame Stealer and fake sites posing as OpenAI’s text-to-video tool, Sora, to spread Braodo Stealer. Additionally, Israeli users are being targeted with phishing emails containing RAR archives disguised as Calcalist and Mako to distribute Rhadamanthys Stealer.
To protect a macOS system from Banshee Stealer, avoid downloading software from untrusted sources, and treat any password prompt that appears right after launching unfamiliar software as suspect: the malware’s osascript dialog is not a genuine macOS authentication prompt, and entering a password into it hands that password to the attacker. Keep the operating system and all applications updated, use security tooling that offers real-time scanning and monitoring, and block or alert on traffic to the reported server at “45.142.122[.]92”. Stay cautious of phishing attempts that may trick you into revealing personal information or installing malicious software.