Banshee Stealer: macOS malware targets browser data and crypto wallets

The malware called Banshee Stealer systematically collects sensitive data from infected Macs – if users disclose their password.


(Image: solarseven/Shutterstock.com, Screenshot: Alex Kleber on Twitter)


The malware "Banshee Stealer" for macOS has been offered in underground forums since August 2024. This was reported on Thursday by security researchers from Elastic Security Labs, a division of Elastic, which is known for search and data analysis products such as Elasticsearch.

According to a screenshot, cybercriminals can rent the malware as a service for 3,000 US dollars per month. According to Elastic, the price is significantly higher than for comparable Windows malware such as AgentTesla. This suggests an increasing demand for macOS malware.

The researchers suspect that Russian actors are the originators of Banshee because an analysis showed that the infection is aborted if Russian is set as the system language. Banshee also remains inactive in a virtual machine.

Similar to the well-known MacStealer malware, Banshee Stealer uses the shell command "osascript" and an AppleScript to display a fake, supposedly legitimate password prompt. This is intended to trick users into entering their system password and thereby grant the malware far-reaching privileges. Banshee does not exploit any vulnerabilities in macOS itself.
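Because the technique rests on a scripted dialog rather than a macOS flaw, the practical defender's handle is process telemetry: an "osascript" invocation that draws a dialog with a hidden (password-style) text field is unusual for legitimate software, which uses the system's own authorization prompt. The following Python is an added example written for this article, not code from Elastic's report or its published rule; the log line format and the sample events are constructed here to show the detection logic running offline.

```python
import re
from dataclasses import dataclass, field

# Constructed sample process-execution events in a made-up EDR-style format
# ("pid=<n> ppid=<n> cmd=<command line>"). These are NOT taken from the Elastic
# report; they only exercise the rule below. Event 1 is the suspicious pattern:
# osascript drawing a dialog with a hidden-answer (password-style) field.
SAMPLE_EVENTS = [
    'pid=4123 ppid=4100 cmd=osascript -e \'display dialog "Enter your password:" '
    'default answer "" with hidden answer with icon caution\'',
    'pid=4130 ppid=1 cmd=/usr/bin/osascript /Users/alice/Library/Scripts/backup.scpt',
    'pid=4140 ppid=4100 cmd=/bin/sh -c "system_profiler SPHardwareDataType"',
    'pid=4150 ppid=4100 cmd=osascript -e \'display dialog "Save file?" buttons {"OK"}\'',
]

EVENT_RE = re.compile(r'^pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) cmd=(?P<cmd>.*)$')
OSASCRIPT_RE = re.compile(r'(^|/)osascript(\s|$)')


@dataclass
class Finding:
    pid: int
    severity: str
    reasons: list = field(default_factory=list)


def analyze_event(line):
    """Return a Finding for an osascript-driven credential prompt, else None."""
    m = EVENT_RE.match(line)
    if not m:
        return None  # malformed line: ignore rather than guess
    cmd = m.group("cmd")
    if not OSASCRIPT_RE.search(cmd):
        return None  # only osascript invocations are in scope for this rule
    lowered = cmd.lower()
    # "with hidden answer" is the AppleScript clause that masks typed input;
    # a dialog without it (event 4) is an ordinary prompt and not flagged.
    if "hidden answer" not in lowered:
        return None
    reasons = ["dialog has a hidden (password-style) text field"]
    if "display dialog" in lowered:
        reasons.append("osascript draws a GUI dialog")
    if "password" in lowered:
        reasons.append("dialog text mentions a password")
    if "-e" in cmd.split():
        reasons.append("script passed inline with -e instead of from a file")
    severity = "high" if "password" in lowered else "medium"
    return Finding(int(m.group("pid")), severity, reasons)


def scan(lines):
    """Run the rule over a sequence of event lines and collect the findings."""
    return [f for f in (analyze_event(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"pid {finding.pid}: {finding.severity}")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

Only the first constructed event is reported (severity "high"); the script run from a file, the shell command and the plain confirmation dialog pass through. In a real deployment the same logic would be fed from an EDR's process-creation stream or the macOS unified log, and the "hidden answer" clause is the signal worth alerting on regardless of the dialog's wording.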

The malware collects extensive system information about the hardware and installed software. It also captures the Notes app database, files of certain formats from the Desktop and Documents folders, and Safari cookies. For nine other browsers, including Firefox, Chrome, Edge and Brave, Banshee grabs not only cookies but also the browsing history, logins and data from around 100 browser extensions, according to the analysis.

The login keychain (login.keychain-db) is also part of the loot. As it is usually protected with the user password captured earlier, the criminals can also access the passwords stored in it. The separately secured iCloud keychain (the "Local Items" keychain) is apparently left alone, presumably because there is little prospect of success. Safari, for example, stores website credentials there, and the system also stores passkeys there.

Banshee Stealer also copies data from the crypto wallets Atomic, Coinomi, Electrum, Exodus, Guarda, Ledger and Wasabi Wallet.

The researchers do not consider Banshee to be overly complex, but the amount of data collected and sent to a command-and-control server is considerable.

It is not yet clear how widely the malware is already in circulation and how it reaches potential victims.

Elastic has published a Yara rule in the report to detect Banshee Stealer. It can be used in the open source tool Yara (see also "Writing malware signatures yourself with Yara" on heise online) and with anti-virus software. The XProtect component built into macOS also uses Yara rules. As of today (17.8.2024), Apple has not yet delivered an update. As far as we know, the rules cannot be added manually. Mac users will therefore have to wait until Apple takes action.

However, the risk is manageable, as Banshee does not exploit any security vulnerabilities and relies on the human factor. The usual advice applies as a protective measure: make sure downloads come from legitimate sources and be wary of unexpected email attachments or unannounced files sent via Messenger. If software asks you to enter your user password, consider whether you really need the rights it grants. If in doubt, consult the documentation, ask the developer directly or consult a more experienced person.

(wre)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.