Banshee is a macOS-native stealer offered as a MaaS that phishes the user’s login password via a fake System Preferences dialog to decrypt the Keychain and harvest browser credentials, cookies, notes, and targeted files before quickly exfiltrating them. It validates passwords with dscl in real-time, collects the Keychain plus browser profiles, stages data under a temp folder, XOR-encrypts a ZIP archive, and POSTs it to a hardcoded C2. #Banshee #Keychain
Keypoints
- Banshee is a macOS-native infostealer written in Objective-C with ARM64/x86_64 support, marketed as MaaS for about $3,000/month.
- Primary attack vector is a phishing dialog shown via osascript that asks for the macOS login password, which is validated in real-time using dscl to ensure workable credentials.
- The stealer grabs the login.keychain-db plus browser profile data from eight browsers (Chromium-based + Firefox), enabling offline decryption of saved passwords when combined with the phished password.
- File grabber uses AppleScript to copy selected file types (Desktop/Documents), Safari cookies, and Apple Notes, and attempts TCC resets to repeatedly prompt for Automation permissions.
- Anti-analysis checks include VM/debugger detection and region exclusions; exfiltration is a smash-and-grab ZIP of staged data XOR-encrypted with a 15-character key and sent via HTTP POST to a hardcoded C2.
- No persistence is used—fast collection and exfiltration are prioritized, with cleanup behaviors that delete staging after network activity.
- Detection recommendations focus on behavioral indicators: osascript password prompts, dscl authonly calls, repeated TCC resets, bulk file enumeration, and large outbound POSTs to /send/ endpoints.
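The behavioural indicators listed above can be correlated per controlling process. This is an added example (not code from the page or the analysis it summarizes) that runs simple regex rules over constructed EDR-style events; the event shape (kind, pid, ppid, cmd, http) and the field names are assumptions.

```python
import re
from collections import defaultdict

# Behavioural indicators from the Banshee write-up, as regexes over a process
# command line or a network event's request line.
INDICATORS = {
    "fake_password_prompt": re.compile(r"\bosascript\b.*display dialog.*hidden answer"),
    "dscl_authonly": re.compile(r"\bdscl\b.*-authonly"),
    "tcc_reset": re.compile(r"\btccutil\b\s+reset"),
    "archive_staging": re.compile(r"\bditto\b.*-c\s+-k"),
    "exfil_post_send": re.compile(r"\bPOST\s+\S*/send/"),
}

# Constructed sample telemetry (not from the original page), in an assumed
# EDR-style shape: process events carry cmd/ppid, network events carry http.
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 501, "ppid": 400, "cmd": "osascript -e 'display dialog \"Please enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" with hidden answer'"},
    {"kind": "process", "pid": 502, "ppid": 400, "cmd": "dscl /Local/Default -authonly jdoe ********"},
    {"kind": "process", "pid": 503, "ppid": 400, "cmd": "tccutil reset AppleEvents"},
    {"kind": "process", "pid": 504, "ppid": 400, "cmd": "tccutil reset AppleEvents"},
    {"kind": "process", "pid": 505, "ppid": 400, "cmd": "ditto -c -k /tmp/stage /tmp/stage.zip --norsrc --noextattr"},
    {"kind": "network", "pid": 400, "http": "POST http://203.0.113.10/send/ HTTP/1.1"},
    {"kind": "process", "pid": 600, "ppid": 300, "cmd": "osascript -e 'display notification \"Build finished\"'"},
    {"kind": "process", "pid": 601, "ppid": 300, "cmd": "ditto -c -k /Users/dev/app /Users/dev/app.zip"},
]

def matched_indicators(event):
    text = event.get("cmd") or event.get("http") or ""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def detect(events, min_indicators=3):
    """Group indicators by the controlling process (parent of the spawned
    helper, or the process itself for network events) and alert when the
    chain shows at least min_indicators distinct behaviours."""
    per_parent = defaultdict(lambda: {"indicators": set(), "tcc_resets": 0})
    for ev in events:
        key = ev["pid"] if ev["kind"] == "network" else ev["ppid"]
        for name in matched_indicators(ev):
            per_parent[key]["indicators"].add(name)
            if name == "tcc_reset":
                per_parent[key]["tcc_resets"] += 1
    return {
        key: {
            "indicators": sorted(info["indicators"]),
            "tcc_resets": info["tcc_resets"],
            "alert": len(info["indicators"]) >= min_indicators,
        }
        for key, info in per_parent.items()
    }
```

A lone ditto or osascript call (parent 300 in the sample) stays below the threshold, while the parent that shows the prompt, validates with dscl, resets TCC, archives and POSTs to /send/ is flagged.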
MITRE Techniques
- [T1059.002] Command and Scripting Interpreter – AppleScript used for dialogs, file operations, and audio muting (‘display dialog “To launch the application, you need to update the system settings \n\nPlease enter your password.” with title “System Preferences” with icon caution default answer “” giving up after 30 with hidden answer’).
- [T1059.004] Command and Scripting Interpreter – Unix shell commands used for dscl, tccutil, ditto and other orchestration (‘dscl /Local/Default -authonly %@ %@’).
- [T1555.001] Credentials from Password Stores – Keychain theft by copying login.keychain-db for offline decryption (‘login.keychain-db’).
- [T1555.003] Credentials from Password Stores – Browser credential theft by collecting Login Data and key4.db to extract saved passwords and keys (‘Login Data’ and ‘key4.db’).
- [T1539] Steal Web Session Cookie – Cookie databases and Safari cookie files exfiltrated (‘Cookies.binarycookies’).
- [T1056.002] Input Capture – GUI Input Capture via a fake, masked password dialog created with osascript (‘with hidden answer’).
- [T1082] System Information Discovery – system_profiler invoked to collect OS/hardware details (‘system_profiler SPSoftwareDataType SPHardwareDataType’).
- [T1016] System Network Configuration Discovery – Use of public IP/geolocation APIs to enumerate external IP and geolocation (‘freeipapi.com’).
- [T1497.001] Virtualization/Sandbox Evasion – VM and debugger detection checks performed to evade analysis (‘VM/debugger detection’).
- [T1027] Obfuscated Files or Information – Use of XOR-based encryption on staged archives as a lightweight anti-signature measure (‘XOR encryption with random 15-char key’).
- [T1041] Exfiltration Over C2 Channel – HTTP POST to a /send/ endpoint carrying colon-delimited base64 and XOR key in JSON (‘POST /send/ HTTP/1.1’).
- [T1560.001] Archive Collected Data – Collected data compressed using the ditto utility into a ZIP before encryption/exfiltration (‘ditto -c -k %@ %@.zip --norsrc --noextattr’).
- [T1070.004] Indicator Removal on Host – Cleanup behavior removing staging directories after network activity (‘Bulk deletion of temp directories after network activity’).
- [T1106] Native API – Use of Objective-C runtime and Foundation APIs to implement native macOS behavior and capabilities (‘Written in Objective-C with native ARM64/x86_64 support’).
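For incident response, the T1027/T1041 description above (XOR-encrypted ZIP, colon-delimited base64 plus the key in a JSON POST body) is enough to reconstruct what left the host from a captured request. This is an added example, not code from the page or from the Banshee analysis; the JSON field names `data` and `key`, the chunk size, and the sample archive contents are assumptions.

```python
import base64
import io
import json
import zipfile

def xor_bytes(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR is symmetric: the same call encrypts and decrypts.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def build_sample_post_body(key: str) -> str:
    """Constructed stand-in for a captured Banshee POST body. The JSON field
    names 'data' and 'key' and the 76-char base64 chunking are assumptions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Browsers/Chrome_Default/Login Data", b"constructed sample")
        z.writestr("FileGrabber/login.keychain-db", b"constructed sample")
    blob = base64.b64encode(xor_bytes(buf.getvalue(), key.encode())).decode()
    chunks = [blob[i:i + 76] for i in range(0, len(blob), 76)]
    return json.dumps({"data": ":".join(chunks), "key": key})

def recover_archive(post_body: str) -> zipfile.ZipFile:
    """Undo the stealer's encoding: split the colon-delimited base64, XOR with
    the embedded key, and confirm the result is a ZIP before opening it."""
    body = json.loads(post_body)
    key = body["key"].encode()
    if len(key) != 15:
        # The analysed builds use a random 15-character key; another length
        # usually means a different build or a mis-parsed body.
        print("warning: key length %d, expected 15" % len(key))
    cipher = b"".join(base64.b64decode(part) for part in body["data"].split(":"))
    plain = xor_bytes(cipher, key)
    if plain[:4] != b"PK\x03\x04":
        raise ValueError("decrypted payload is not a ZIP: wrong key or format")
    return zipfile.ZipFile(io.BytesIO(plain))

def recovered_names(post_body: str) -> list:
    # Entry names alone already tell an analyst which profiles and files were taken.
    return recover_archive(post_body).namelist()
```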
Indicators of Compromise
- [C2 URL / IP] Hardcoded command-and-control endpoint used for exfiltration – http://45.1d42.1d22.92/send/ (configured REMOTE_IP), and similar hardcoded C2 strings in builds.
- [Domain] External services contacted for IP/geolocation – freeipapi.com, api.ipify.org.
- [File names] Staged stolen artifacts and targets – login.keychain-db, Cookies.binarycookies, NoteStore.sqlite (and many browser DB names like ‘Login Data’ and ‘key4.db’).
- [Browser extension IDs] Targeted wallet/extension artifacts located in browser profiles – nkbihfbeogaeaoehlefnkodbefgpgknn (MetaMask), bfnaelmomeimhlpmgjnjophhpkkoljpa (Phantom).
- [Temporary path patterns] Staging directory and layout under temp – $TMPDIR// with subfolders like Browsers/Chrome_Default/ and FileGrabber/ (contains cookies, documents, seed phrases).
- [Static configuration strings] Hardcoded build and config identifiers embedded in binaries – BUILD_ID “T0JVJJy6tgNdmygyRfN0eRaIiZq2uw”, ENCRYPTION_KEY “rt” (compile-time macros).
Read more: https://deceptiq.com/blog/macos-stealers-technical-analysis