This analysis of BANSHEE Stealer reveals a sophisticated macOS-based malware (sold for $3,000) developed by Russian threat actors, targeting both x86_64 and ARM64 architectures. BANSHEE Stealer is designed to collect a wide range of data from infected systems, including browser history, cookies, logins, cryptocurrency wallets, and around 100 browser extensions. The malware employs basic anti-analysis techniques, such as debugger and virtualization detection using the sysctl API and system profiling commands, and avoids infecting systems whose language is set to Russian.
It uses AppleScripts for tasks like muting system sound, phishing for user passwords, and copying keychain data. The stolen data is then compressed, XOR-encrypted, Base64-encoded, and exfiltrated to a remote server.
BANSHEE Stealer collects data from nine browsers (Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, Opera, OperaGX, and Safari), extracting history, cookies, and login credentials. Interestingly, for Safari it focuses on cookies, collected via an AppleScript script, while a broader range of data is collected from the other browsers. The malware also scans for around 100 browser plugins, saving the data in a specified temporary directory.
BANSHEE Stealer targets wallets like Exodus, Electrum, Coinomi, Guarda, Wasabi, Atomic, and Ledger. It copies wallet-related files to a temporary directory for later exfiltration. The malware's functionality is structured across several C++ files, including Controller.cpp, which manages core tasks such as anti-debugging measures using the sysctl API, language checks via CFLocaleCopyPreferredLanguages, and the exfiltration process.
The malware's exfiltration method involves compressing the collected data into a ZIP file using the ditto command, followed by XOR encryption and Base64 encoding. The resulting file is then exfiltrated via an HTTP POST request to a command-and-control server using the cURL command.
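As an added example (not code from the original analysis or from the malware), the following Python reverses the exfiltration layering described above for a captured upload body: Base64-decode, XOR with the key, and confirm the result is a ZIP archive. The page does not give the XOR key or its length; the 4-byte repeating key and the archive contents below are constructed for the demo, and the known-plaintext step relies only on the fact that every ZIP archive begins with the local-file-header signature.

```python
import base64
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature every ZIP archive starts with


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; XOR is its own inverse, so this both applies and removes it."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_exfil(blob_b64: bytes, key: bytes) -> bytes:
    """Undo the Base64 and XOR layers of a captured POST body, returning the archive bytes."""
    return xor_bytes(base64.b64decode(blob_b64), key)


def looks_like_zip(data: bytes) -> bool:
    """Cheap sanity check that the decode produced a ZIP archive and not garbage."""
    return data.startswith(ZIP_MAGIC)


def recover_key_prefix(blob_b64: bytes) -> bytes:
    """Known-plaintext recovery: the plaintext starts with ZIP_MAGIC, so XORing the first
    four ciphertext bytes with it yields the first four key bytes (the whole key if it is 4 bytes)."""
    ct = base64.b64decode(blob_b64)
    return bytes(c ^ p for c, p in zip(ct[:4], ZIP_MAGIC))


def list_archive(zip_bytes: bytes) -> list[str]:
    """Return the member names of a decoded archive for triage."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def build_sample(key: bytes) -> bytes:
    """Constructed sample in the described shape (ZIP -> XOR -> Base64); contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample/chrome_history.txt", b"constructed placeholder, not real data")
        zf.writestr("sample/wallet_note.txt", b"constructed placeholder")
    return base64.b64encode(xor_bytes(buf.getvalue(), key))


if __name__ == "__main__":
    key = b"\x5a\x13\xc4\x77"  # assumption: constructed 4-byte key, not the real one
    blob = build_sample(key)
    guessed = recover_key_prefix(blob)
    data = decode_exfil(blob, guessed)  # full decode works because the constructed key is 4 bytes
    print(guessed.hex(), looks_like_zip(data), list_archive(data))
```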
Download
d556042c8a77ba52d39e211f208a27fe52f587047140d9666bbeca6032eae604 localfile~ x64
File Information
11aa6eeca2547fcf807129787bec0d576de1a29b56945c5a8fb16ed8bf68f782 localfile~ x64
Variants
7a6c0b683961869fc159bf8da1b4c86bc190ee07b0ad5eb09f99deaac4db5c69 localfile~ x64