Unraveling the BANSHEE Infostealer: Insights from Elastic Security Labs

BANSHEE Stealer is a macOS infostealer discovered in August 2024, reportedly developed by Russian threat actors, targeting system information, browser data, and cryptocurrency wallets. Priced at $3,000 per month, it highlights the growing trend of malware aiming at macOS targets. #BANSHEE #macOS #Infostealer #RussianThreatActors #ElasticSecurityLabs #BeyondTheWail #CryptocurrencyWallets

Key points

  • Emergence: BANSHEE Stealer was introduced on an underground forum in August 2024.
  • Targeted Platforms: Designed to operate on both macOS x86_64 and ARM64 architectures.
  • High Subscription Cost: Monthly subscription priced at $3,000, significantly higher than Windows-based stealers.
  • Data Collection: Targets system information, browser data, and cryptocurrency wallets.
  • Versatility: Capable of collecting data from around 100 browser extensions and multiple browsers.
  • Evading Detection: Utilizes basic techniques for debugging and virtualization detection.
  • Password Phishing: Employs an Osascript prompt to collect user passwords.
  • Exfiltration Method: Compresses and encrypts collected data before sending it to a remote server.

MITRE Techniques

  • [T1003] Credential Dumping – Collects user passwords using an Osascript prompt and validates them using the dscl command.
  • [T1213] Data from Information Repositories – Collects data from various browsers and cryptocurrency wallets.
  • [T1041] Exfiltration Over Command and Control Channel – Uses cURL to send collected data to a remote server.
  • [T1082] System Information Discovery – Gathers system information using system_profiler commands.
  • [T1055] Process Injection – Executes AppleScripts to perform various tasks, including data collection.
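As an added detection example (not code from the Elastic report), the following Python flags the prompt-then-validate sequence summarized above: an osascript dialog with a hidden answer followed shortly by a dscl -authonly check from the same user and parent process. The event line format and the sample events are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# One constructed process-execution event per line: timestamp, user, parent pid, binary, argv.
EVENT_RE = re.compile(r"^(\S+) user=(\S+) ppid=(\d+) exe=(\S+) cmdline=(.*)$")

# Constructed sample telemetry (not real BANSHEE events): a hidden-answer osascript
# prompt followed by a dscl authonly check from the same parent, plus benign noise.
SAMPLE_EVENTS = [
    "2024-08-20T10:00:01 user=alice ppid=4242 exe=/usr/bin/osascript cmdline=osascript -e display dialog \"Enter password\" default answer \"\" with hidden answer",
    "2024-08-20T10:00:09 user=alice ppid=4242 exe=/usr/bin/dscl cmdline=dscl . -authonly alice hunter2",
    "2024-08-20T11:30:00 user=bob ppid=7777 exe=/usr/bin/osascript cmdline=osascript -e display notification \"done\"",
    "2024-08-20T11:45:00 user=admin ppid=9001 exe=/usr/bin/dscl cmdline=dscl . -authonly svc_backup ****",
]

def parse_event(line):
    """Parse one event line into a dict; return None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, user, ppid, exe, cmdline = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ppid": int(ppid),
            "exe": exe, "cmdline": cmdline}

def is_password_prompt(ev):
    # osascript dialog that hides the typed answer: the shape of a password lure
    c = ev["cmdline"]
    return ev["exe"].endswith("/osascript") and "display dialog" in c and "hidden answer" in c

def is_dscl_auth(ev):
    # dscl -authonly validates a username/password pair against Directory Services
    return ev["exe"].endswith("/dscl") and "-authonly" in ev["cmdline"]

def detect_prompt_then_dscl(lines, window=timedelta(minutes=5)):
    """Return (user, ppid, prompt_ts) for each hidden-answer prompt followed within `window`
    by a dscl -authonly check from the same user and parent process."""
    events = sorted((e for e in map(parse_event, lines) if e), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if not is_password_prompt(ev):
            continue
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break
            if is_dscl_auth(later) and later["user"] == ev["user"] and later["ppid"] == ev["ppid"]:
                alerts.append((ev["user"], ev["ppid"], ev["ts"].isoformat()))
                break
    return alerts

if __name__ == "__main__":
    for alert in detect_prompt_then_dscl(SAMPLE_EVENTS):
        print("ALERT osascript password prompt followed by dscl authonly:", alert)
```

The benign osascript notification and the unrelated admin dscl check produce no alert; only the paired prompt and validation from the same parent process does.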

Indicators of Compromise

  • [SHA-256] BANSHEE stealer hash – 11aa6eeca2547fcf807129787bec0d576de1a29b56945c5a8fb16ed8bf68f782
  • [IPv4] C2 server – 45.142.122.92

Read more: https://www.elastic.co/security-labs/beyond-the-wail