Banshee Rust Rewrite?

Infostealers targeting macOS are evolving, with a new Rust-based infostealer exhibiting behaviors similar to the leaked Banshee infostealer. Continuous monitoring is crucial due to these adaptive threats.

Affected: macOS systems, browsers, cryptocurrency wallets

Key points:

  • A new infostealer written in Rust was identified and exhibits similar behaviors to the leaked Objective-C infostealer “Banshee”.
  • The infostealer targets browsers, wallets, and extensions.
  • Function names in the Rust application suggest similarities with the Banshee source code.
  • The Rust application captures launch arguments to initialize its operations.
  • Detection methods for virtual machines and debuggers were incorporated in the infostealer’s operations.
  • The application is currently connecting to localhost, indicating it may still be in development.
  • Similarities in targeted file paths and extension IDs between the Rust infostealer and Banshee were observed.
  • The analysis emphasizes the need for vigilance as macOS malware evolves.

MITRE Techniques:

  • Execution (T1203): The application executes commands such as “killall Terminal” using the Command::new() function.
  • Credential Dumping (T1003): Collecting wallet information from targeted paths to harvest sensitive data.
  • Obfuscated Files or Information (T1027): Uses function names and structures similar to Banshee's, making it harder to detect.
  • Exfiltration Over Command and Control Channel (T1041): The application connects to localhost for data exfiltration.
  • Query System Information (T1002): Executes commands to gather details about the system and check for virtual machine environments.

Indicators of Compromise:

  • [SHA-256] dea72cdd7c9dfc49f0a19581086c8e6e99b000dc33f461ece8b9f37c1bd7068d
  • [IP Address] 127.0.0.1
  • [Port] 3030

Full Story: https://blog.kandji.io/banshee-rust-rewrite