New Banshee Stealer Targets 100+ Browser Extensions on Apple macOS Systems

Aug 16, 2024 Ravie Lakshmanan Malware / Browser Security


Cybersecurity researchers have uncovered new stealer malware that is designed to specifically target Apple macOS systems.

Dubbed Banshee Stealer, it is offered for sale in the cybercrime underground for a steep price of $3,000 a month and works across both x86_64 and ARM64 architectures.

“Banshee Stealer targets a wide range of browsers, cryptocurrency wallets, and around 100 browser extensions, making it a highly versatile and dangerous threat,” Elastic Security Labs said in a Thursday report.

The web browsers and crypto wallets targeted by the malware comprise Safari, Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Vivaldi, Yandex, Opera, OperaGX, Exodus, Electrum, Coinomi, Guarda, Wasabi Wallet, Atomic, and Ledger.


It is also equipped to harvest system information and data from iCloud Keychain passwords and Notes, as well as incorporate a slew of anti-analysis and anti-debugging measures to determine if it is running in a virtual environment in an attempt to evade detection.

Furthermore, it uses the CFLocaleCopyPreferredLanguages API to avoid infecting systems where Russian is the primary language.

Like other macOS malware strains such as Cuckoo and MacStealer, Banshee Stealer also leverages osascript to display a fake password prompt to trick users into entering their system passwords for privilege escalation.
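One defender-side check for the osascript prompt technique described above, added here as an illustration and not taken from Elastic's report: it flags osascript command lines that open a hidden-answer dialog mentioning a password, and rates them higher when the parent process is not an interactive scripting tool. The process-event format, the sample events and the parent-process allowlist are constructed assumptions, not a real EDR schema.

```python
"""Heuristic detection of osascript-driven fake password prompts (added example)."""
import re
import shlex
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Constructed process-execution record; field names are assumptions, not a vendor schema."""
    pid: int
    parent: str    # image name of the parent process
    cmdline: str   # full command line as captured

# "display dialog ... with hidden answer" is the AppleScript idiom for a masked input box;
# combined with password-like wording it matches the prompt behaviour described in the article.
DIALOG_RE = re.compile(r"display\s+dialog", re.I)
HIDDEN_RE = re.compile(r"hidden\s+answer", re.I)
CRED_RE = re.compile(r"password|passcode|credential", re.I)

# Interactive tools a user would plausibly run such a dialog from (assumption; tune per fleet).
INTERACTIVE_PARENTS = {"Finder", "Script Editor", "Automator", "Terminal"}


def is_credential_prompt(ev: ProcEvent) -> bool:
    """True when the event is osascript opening a masked dialog that asks for a password."""
    argv = shlex.split(ev.cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "osascript":
        return False
    script_text = " ".join(argv[1:])
    return bool(DIALOG_RE.search(script_text)
                and HIDDEN_RE.search(script_text)
                and CRED_RE.search(script_text))


def triage(events):
    """Return (pid, severity) for matching events; unknown parents are rated high."""
    hits = []
    for ev in events:
        if is_credential_prompt(ev):
            severity = "low" if ev.parent in INTERACTIVE_PARENTS else "high"
            hits.append((ev.pid, severity))
    return hits


# Constructed sample events: one suspicious prompt from an unknown parent, one benign
# notification, one prompt launched from Script Editor, and an unrelated process.
SAMPLE_EVENTS = [
    ProcEvent(4021, "updater", "osascript -e 'display dialog \"macOS needs your password to continue\" "
                               "default answer \"\" with hidden answer with title \"System Preferences\"'"),
    ProcEvent(4022, "Terminal", "osascript -e 'display notification \"Build finished\"'"),
    ProcEvent(4023, "Script Editor", "/usr/bin/osascript -e 'display dialog \"Enter your password\" "
                                     "default answer \"\" with hidden answer'"),
    ProcEvent(4024, "launchd", "/usr/bin/curl -s https://example.invalid/"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # [(4021, 'high'), (4023, 'low')]
```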

Some of the other notable features include the ability to collect data from various files matching .txt, .docx, .rtf, .doc, .wallet, .keys, and .key extensions from the Desktop and Documents folders. The gathered data is then exfiltrated in a ZIP archive format to a remote server (“45.142.122[.]92/send/”).

“As macOS increasingly becomes a prime target for cybercriminals, Banshee Stealer underscores the rising observance of macOS-specific malware,” Elastic said.

The disclosure comes as Hunt.io and Kandji detailed another macOS stealer strain that leverages SwiftUI and Apple’s Open Directory APIs for capturing and verifying passwords entered by the user in a bogus prompt displayed in order to complete the installation process.

“It starts by running a Swift-based dropper that displays a fake password prompt to deceive users,” Broadcom-owned Symantec said. “After capturing credentials, the malware verifies them using the OpenDirectory API and subsequently downloads and executes malicious scripts from a command-and-control server.”


This development also follows the continued emergence of new Windows-based stealers such as Flame Stealer, even as fake sites masquerading as OpenAI’s text-to-video artificial intelligence (AI) tool, Sora, are being used to propagate Braodo Stealer.

Separately, Israeli users are being targeted with phishing emails containing RAR archive attachments that impersonate Calcalist and Mako to deliver Rhadamanthys Stealer.
