The infostealer targets such a broad range of data that Mac users can no longer be considered a minority target
Russian threat actors have apparently started using a new macOS malware to steal sensitive information such as passwords, browser data, and cryptocurrency wallets from Macs on both the x86_64 and ARM64 architectures.
First noticed after it was offered for sale on the dark web on August 12, 2024, as “BANSHEE Stealer”, the malware is designed to target a wide range of browsers (Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, Opera and OperaGX), cryptocurrency wallets (Exodus, Electrum, Coinomi, Guarda, Wasabi Wallet, Atomic, Ledger), and around 100 browser extensions.
Other traits of the malware noted by security researchers include the following:
- The current version of BANSHEE Stealer collects only cookies from the Safari browser.
- The stealer executes AppleScripts, writing each of them to the same file, /tmp/tempAppleScript, before running it.
- It uses only basic techniques to evade detection, and it detects debuggers by querying the sysctl API.
- It parses the user’s preferred canonicalized language returned by the CFLocaleCopyPreferredLanguages API and looks for the string “ru”, to avoid infecting systems where Russian is the primary language.
- Indicators of compromise:
  - Crypto wallet file access by an unsigned or untrusted binary.
  - Web browser credential data accessed by an unsigned or untrusted process.
  - Osascript payload drop and execute.
  - Potential credentials phishing via Osascript.
- The stealer is one of a growing number of macOS threats, as the platform becomes a more attractive target.
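As an added illustration of how the indicators above can be turned into detection logic (example code written for this article, not Elastic’s rules or anything from the stealer itself; the event format, wallet directory names and credential file names are assumptions), the following Python flags three of the listed behaviours over a constructed set of endpoint events:

```python
import json
import re

# Constructed sample of simplified macOS endpoint events (JSON lines), not real
# telemetry: pid 501 is an unsigned download behaving like the stealer,
# pid 620 is signed Chrome reading its own profile (benign, must not alert).
SAMPLE_EVENTS = """\
{"pid": 501, "signed": false, "action": "write", "path": "/tmp/tempAppleScript"}
{"pid": 501, "signed": false, "action": "exec", "path": "/usr/bin/osascript", "args": ["osascript", "/tmp/tempAppleScript"]}
{"pid": 501, "signed": false, "action": "open", "path": "/Users/alice/Library/Application Support/Exodus/exodus.wallet/seed.seco"}
{"pid": 620, "signed": true, "action": "open", "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"}
{"pid": 501, "signed": false, "action": "open", "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"}
"""

# Wallet directories for the wallets named in the report (directory names assumed)
WALLET_RE = re.compile(
    r"/Library/Application Support/(Exodus|Electrum|Coinomi|Guarda|WasabiWallet|atomic|Ledger Live)/", re.I)
# Browser credential/cookie stores: Chromium "Login Data"/"Cookies", Firefox logins.json/key4.db/cookies.sqlite
BROWSER_CRED_RE = re.compile(r"/(Login Data|Cookies|logins\.json|key4\.db|cookies\.sqlite)$")
SCRIPT_PATH = "/tmp/tempAppleScript"  # drop file named in the report

def parse_events(text):
    """Parse JSON-lines events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect(events):
    """Return (rule, pid, path) alerts in event order."""
    alerts = []
    dropped_script = set()  # pids that wrote the AppleScript drop file
    for ev in events:
        pid, path, action = ev["pid"], ev["path"], ev["action"]
        unsigned = not ev.get("signed", False)
        if action == "write" and path == SCRIPT_PATH:
            dropped_script.add(pid)  # remember the drop; alert only once it is executed
        elif (action == "exec" and path.endswith("/osascript")
              and SCRIPT_PATH in ev.get("args", []) and pid in dropped_script):
            alerts.append(("osascript_payload_drop_and_execute", pid, SCRIPT_PATH))
        elif action == "open" and unsigned and WALLET_RE.search(path):
            alerts.append(("wallet_file_access_by_unsigned_binary", pid, path))
        elif action == "open" and unsigned and BROWSER_CRED_RE.search(path):
            alerts.append(("browser_credential_access_by_unsigned_process", pid, path))
    return alerts

if __name__ == "__main__":
    for rule, pid, path in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{rule}: pid={pid} path={path}")
```

The signed Chrome process opening its own Login Data produces no alert, which is the point of keying the credential and wallet rules on signing status rather than on the path alone.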
According to the Elastic Security Labs team that disclosed the findings about BANSHEE Stealer, the malware’s lack of sophisticated obfuscation and the presence of debug information made it easier for analysts to dissect and understand.
While BANSHEE Stealer is not overly complex in its design, its focus on macOS systems and the breadth of data it collects make it a significant threat that demands attention from the cybersecurity community, said the researchers.