This analysis of BANSHEE Stealer reveals a sophisticated macOS-based malware (sold for $3,000) developed by Russian threat actors, targeting both x86_64 and ARM64 architectures. BANSHEE Stealer is designed to collect a wide range of data from infected systems, including browser history, cookies, logins, cryptocurrency wallets, and around 100 browser extensions. The malware employs basic anti-analysis techniques, such as debugging and virtualization detection using the sysctl API and system profiling commands, and avoids infecting systems set to the Russian language.
It uses AppleScripts for tasks like muting system sound, phishing for user passwords, and copying keychain data. The stolen data is then compressed, XOR-encrypted, Base64-encoded, and exfiltrated to a remote server.
BANSHEE Stealer targets nine browsers for browser data collection—Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, Opera, OperaGX, and Safari - extracting history, cookies, and login credentials. Interestingly, it focuses on Safari cookies using an AppleScript script, while other browsers have a broader range of data collected. The malware also scans for around 100 browser plugins, saving the data in a specified temporary directory.
BANSHEE Stealer targets wallets like Exodus, Electrum, Coinomi, Guarda, Wasabi, Atomic, and Ledger. It copies wallet-related files to a temporary directory for later exfiltration. The malware's functionality is structured in several C++ files, including Controller. cpp, which manages core tasks like anti-debugging measures using the sysctl API, language checks via CFLocaleCopyPreferredLanguages, and exfiltration processes.
The malware's exfiltration method involves compressing the collected data into a ZIP file using the ditto command, followed by XOR encryption and Base64 encoding. The resulting file is then exfiltrated via an HTTP POST request to a command-and-control server using the cURL command.