New Banshee Stealer macOS Malware Priced at $3,000 Per Month


Cybercriminals are advertising a new macOS malware that they claim is capable of stealing a wide range of data from compromised systems.

Named Banshee Stealer and believed to have been developed by Russian threat actors, the malware is advertised on cybercrime forums for $3,000 per month. Researchers at Elastic Security Labs, who published an analysis of the malware on Thursday, described it as a “steep monthly subscription”.

The malware is designed to collect the targeted user’s macOS password, information about the system’s hardware and software, keychain passwords, data from web browsers, and cryptocurrency wallets.

Banshee Stealer targets nine browsers: Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, Opera, OperaGX, and Safari. From most of them it can steal cookies, saved logins and browsing history; from Safari only cookies can be collected. Elastic researchers also found that the malware targets data from roughly 100 browser extensions.

The malware also attempts to steal cryptocurrency wallets from the compromised system, including Exodus, Electrum, Coinomi, Guarda, Wasabi Wallet, Atomic and Ledger. 

Once the data is collected locally, it’s added to an archive file, which is encrypted and sent to the attacker’s server. 

Before initiating its data theft routine, Banshee Stealer checks the system for signs that it’s being analyzed by security researchers (it checks whether it’s being debugged or run in a virtual machine) and ensures that the compromised system’s language is not set to Russian.

However, Elastic researchers pointed out that the methods used for detection evasion are basic and Banshee Stealer can still be analyzed by advanced sandboxes and malware analysts. 
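The behaviour described above (reading browser cookie and login stores, the login keychain and wallet directories, then archiving the loot and sending it out) is a sequence a defender can look for in endpoint telemetry. The following Python is an added example, not code from the article or from Elastic Security Labs: it runs a simple collect-archive-exfiltrate heuristic over a constructed set of file and network events. The event format, process names, IP address and the specific file paths used for the sensitive-data patterns are assumptions for the example, not indicators taken from the Banshee Stealer analysis.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in the shape an endpoint sensor might emit.
# Process names, paths and addresses are made up for this example.
SAMPLE_EVENTS = [
    {"pid": 4242, "proc": "FreeToolSetup", "type": "file_read",
     "target": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"pid": 4242, "proc": "FreeToolSetup", "type": "file_read",
     "target": "/Users/alice/Library/Application Support/Firefox/Profiles/ab12.default/logins.json"},
    {"pid": 4242, "proc": "FreeToolSetup", "type": "file_read",
     "target": "/Users/alice/Library/Cookies/Cookies.binarycookies"},
    {"pid": 4242, "proc": "FreeToolSetup", "type": "file_read",
     "target": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"pid": 4242, "proc": "FreeToolSetup", "type": "file_read",
     "target": "/Users/alice/Library/Application Support/Exodus/exodus.wallet/seed.seco"},
    {"pid": 4242, "proc": "FreeToolSetup", "type": "file_create",
     "target": "/private/tmp/collected.zip"},
    {"pid": 4242, "proc": "FreeToolSetup", "type": "net_connect",
     "target": "203.0.113.10:443"},
    # Benign: the browser reading its own cookie store.
    {"pid": 777, "proc": "Google Chrome", "type": "file_read",
     "target": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
    # Benign: a backup agent touching one wallet directory, no archive, no egress.
    {"pid": 900, "proc": "backupd", "type": "file_read",
     "target": "/Users/alice/Library/Application Support/Exodus/exodus.wallet/seed.seco"},
]

# Assumed locations of the data stores the article says the stealer goes after.
SENSITIVE_PATTERNS = {
    "browser": [
        r"/Library/Application Support/Google/Chrome/[^/]+/(Cookies|Login Data|History)$",
        r"/Library/Application Support/Firefox/Profiles/[^/]+/(cookies\.sqlite|logins\.json|places\.sqlite)$",
        r"/Library/Cookies/Cookies\.binarycookies$",
    ],
    "keychain": [r"/Library/Keychains/[^/]+\.keychain-db$"],
    "wallet": [
        r"/Library/Application Support/(Exodus|Coinomi|Guarda|atomic)/",
        r"/\.electrum/",
    ],
}
ARCHIVE_RE = re.compile(r"\.(zip|tar|gz|7z|rar)$", re.IGNORECASE)


def classify_path(path):
    """Return the sensitive-data category a path falls into, or None."""
    for category, patterns in SENSITIVE_PATTERNS.items():
        if any(re.search(p, path) for p in patterns):
            return category
    return None


def score_events(events, min_categories=2):
    """Group telemetry by pid and flag processes that read several kinds of
    sensitive store. Severity is raised to 'high' when the same process also
    creates an archive and opens an outbound connection. Returns {pid: alert}."""
    per_pid = defaultdict(lambda: {"proc": None, "categories": set(),
                                   "archive": False, "egress": set()})
    for ev in events:
        rec = per_pid[ev["pid"]]
        rec["proc"] = ev["proc"]
        if ev["type"] == "file_read":
            cat = classify_path(ev["target"])
            if cat:
                rec["categories"].add(cat)
        elif ev["type"] == "file_create" and ARCHIVE_RE.search(ev["target"]):
            rec["archive"] = True
        elif ev["type"] == "net_connect":
            rec["egress"].add(ev["target"])

    alerts = {}
    for pid, rec in per_pid.items():
        # A browser or wallet app reading its own store touches one category only.
        if len(rec["categories"]) < min_categories:
            continue
        severity = "high" if rec["archive"] and rec["egress"] else "medium"
        alerts[pid] = {"proc": rec["proc"], "severity": severity,
                       "categories": sorted(rec["categories"]),
                       "archived": rec["archive"], "egress": sorted(rec["egress"])}
    return alerts


if __name__ == "__main__":
    for pid, alert in score_events(SAMPLE_EVENTS).items():
        print(pid, alert)
```

The cross-category requirement is what keeps the rule quiet on the sample's benign processes: Chrome reading its own cookies and a backup agent reading a wallet folder each touch a single category. Real sensors emit far noisier data, so a production rule would additionally allow-list known backup and sync tools and key on code-signing identity rather than process name.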


Threat actors can use one of several methods to deploy malware on macOS devices, including by disguising it as free content hosted on third-party sites, through malvertising, poisoned developer projects, open source package repositories, trojanized applications, exploits and watering hole attacks, and supply chain attacks.

Some of these delivery methods are easier to implement but require a high degree of social engineering, while others are more silent but require more sophistication and resources.

“Despite its potentially dangerous capabilities, the malware’s lack of sophisticated obfuscation and the presence of debug information make it easier for analysts to dissect and understand,” Elastic Security Labs concluded in its blog post.

“While Banshee Stealer is not overly complex in its design, its focus on macOS systems and the breadth of data it collects make it a significant threat that demands attention from the cybersecurity community,” it added.

Related: New MacOS Malware Linked to North Korean Hackers

Related: New hVNC macOS Malware Advertised on Hacker Forum

Related: Iranian Cyberspies Target US-Based Think Tank With New macOS Malware
