New Banshee Stealer macOS Malware Priced at $3,000 Per Month

Russian cybercriminals are advertising a new macOS malware, Banshee Stealer, capable of stealing passwords, browser data, and crypto wallets. 

Cybercriminals are advertising a new macOS malware that they claim is capable of stealing a wide range of data from compromised systems.

Named Banshee Stealer and believed to have been developed by Russian threat actors, the malware is advertised on cybercrime forums for $3,000 per month. Researchers at Elastic Security Labs, who published an analysis of the malware on Thursday, described it as a “steep monthly subscription”.

The malware is designed to collect the targeted user’s macOS password, information about the system’s hardware and software, keychain passwords, data from web browsers, and cryptocurrency wallets.

Banshee Stealer can target nine different browsers: Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, Opera, OperaGX, and Safari. From most of them it can steal cookies, logins and browsing history; from Safari it collects only cookies. Elastic researchers also found that the malware targets data from roughly 100 browser plugins.

The malware also attempts to steal cryptocurrency wallets from the compromised system, including Exodus, Electrum, Coinomi, Guarda, Wasabi Wallet, Atomic and Ledger. 

Once the data is collected locally, it’s added to an archive file, which is encrypted and sent to the attacker’s server. 

Before initiating its data theft routine, Banshee Stealer checks the system for signs that it’s being analyzed by security researchers (it checks whether it’s being debugged or run in a virtual machine) and ensures that the compromised system’s language is not set to Russian.

However, Elastic researchers pointed out that the methods used for detection evasion are basic and Banshee Stealer can still be analyzed by advanced sandboxes and malware analysts. 

Threat actors can use one of several methods to deploy malware on macOS devices, including disguising it as free content hosted on third-party sites, malvertising, poisoned developer projects, open source package repositories, trojanized applications, exploits and watering hole attacks, and supply chain attacks.

Some of these delivery methods are easier to implement but require a high degree of social engineering, while others are stealthier but require more sophistication and resources.

“Despite its potentially dangerous capabilities, the malware’s lack of sophisticated obfuscation and the presence of debug information make it easier for analysts to dissect and understand,” Elastic Security Labs concluded in its blog post.

“While Banshee Stealer is not overly complex in its design, its focus on macOS systems and the breadth of data it collects make it a significant threat that demands attention from the cybersecurity community,” it added.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
