Cybersecurity researchers have discovered a new malware-stealing malware specifically designed for Apple’s macOS systems.
Under the name Banshee Stealer, it is offered for sale in the cybercriminal underground for a hefty price of $3,000 per month and runs on both x86_64 and ARM64 architectures.
“Banshee Stealer targets a wide range of browsers, cryptocurrency wallets and around 100 browser extensions, making it a very versatile and dangerous threat” – Elastic Security Labs said in a report on Thursday.
Web browsers and crypto wallets targeted by the malware include Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Vivaldi, Yandex, Opera, OperaGX, Exodus, Electrum, Coinomi, Guarda, Wasabi Wallet, Atomic, and Ledger.
It is also equipped to collect system information and data from iCloud Keychain passwords and notes, and includes a number of anti-analysis and debugging measures to determine if it is operating in a virtual environment in an attempt to avoid detection.
In addition, he uses CFLocaleCopyPreferredLanguages API to avoid infecting systems where Russian is the primary language.
Like other varieties of macOS malware, e.g Cuckoo and MacStealerBanshee Stealer also uses osascript to display a fake password to force users to enter their system passwords for elevation of privilege.
Other notable features include the ability to collect data from a variety of files matching the .txt, .docx, .rtf, .doc, .wallet, .keys, and .key extensions from the Desktop and Documents folders. The collected data is then sent in ZIP archive format to a remote server (“45.142.122(.)92/send/”).
“As macOS increasingly becomes a prime target for cybercriminals, Banshee Stealer highlights the growing surveillance of macOS-specific malware,” Elastic said.
Disclosures are made by both Hunt.io and Kandji in detail another strain of macOS piracy that uses SwiftUI and Apple’s Open Directory API to capture and verify passwords entered by the user in a fake prompt displayed to complete the installation process.
“It starts by launching a Swift-based dropper program that displays a fake password to trick users,” says Broadcom-owned Symantec. said. “Once the credentials are captured, the malware validates them using the OpenDirectory API, then downloads and executes malicious scripts from the command and control server.”
This development is also worthwhile continued emergence new Windows hacks like Flame stealereven as fake sites under the guise of OpenAI’s artificial intelligence (AI) tool for converting text to video, Soraare used for distribution Braodo Stealer.
Israeli users go separately purposeful with phishing emails containing RAR archive attachments impersonating Calcalist and Mako for delivery Kidnapper of Rhodamantis.
