Welcome to our

Cyber Security News Aggregator

Cyber Tzar

provide a

cyber security risk management

platform; including automated penetration tests and risk assesments culminating in a "cyber risk score" out of 1,000, just like a credit score.

First slide label

Some representative placeholder content for the first slide.

Second slide label

Some representative placeholder content for the second slide.

Third slide label

Some representative placeholder content for the third slide.

2024-08-14 OSX BANSHEE infostealer Samples

published on 2024-09-02 16:42:00 UTC by Mila
Content:

2024-08-14 Elastic: Beyond the wail: deconstructing the BANSHEE infostealer

This analysis of BANSHEE Stealer reveals a sophisticated macOS-based malware (sold for $3,000) developed by Russian threat actors, targeting both x86_64 and ARM64 architectures. BANSHEE Stealer is designed to collect a wide range of data from infected systems, including browser history, cookies, logins, cryptocurrency wallets, and around 100 browser extensions. The malware employs basic anti-analysis techniques, such as debugging and virtualization detection using the sysctl API and system profiling commands, and avoids infecting systems set to the Russian language.

It uses AppleScripts for tasks like muting system sound, phishing for user passwords, and copying keychain data. The stolen data is then compressed, XOR-encrypted, Base64-encoded, and exfiltrated to a remote server.

BANSHEE Stealer targets nine browsers for browser data collection—Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, Opera, OperaGX, and Safari - extracting history, cookies, and login credentials. Interestingly, it focuses on Safari cookies using an AppleScript script, while other browsers have a broader range of data collected. The malware also scans for around 100 browser plugins, saving the data in a specified temporary directory.

BANSHEE Stealer targets wallets like Exodus, Electrum, Coinomi, Guarda, Wasabi, Atomic, and Ledger. It copies wallet-related files to a temporary directory for later exfiltration. The malware's functionality is structured in several C++ files, including Controller. cpp, which manages core tasks like anti-debugging measures using the sysctl API, language checks via CFLocaleCopyPreferredLanguages, and exfiltration processes.

The malware's exfiltration method involves compressing the collected data into a ZIP file using the ditto command, followed by XOR encryption and Base64 encoding. The resulting file is then exfiltrated via an HTTP POST request to a command-and-control server using the cURL command.

Download

Download. (Email me if you need the password)

d556042c8a77ba52d39e211f208a27fe52f587047140d9666bbeca6032eae604 localfile~ x64

File Information

├── 11aa6eeca2547fcf807129787bec0d576de1a29b56945c5a8fb16ed8bf68f782 localfile~ x64

└── Variants

├── 7a6c0b683961869fc159bf8da1b4c86bc190ee07b0ad5eb09f99deaac4db5c69 localfile~ x64

└──

Article: 2024-08-14 OSX BANSHEE infostealer Samples - published 2 months ago.

https://contagiodump.blogspot.com/2024/09/2024-08-14-osx-banshee-infostealer.html
Published: 2024 09 02 16:42:00
Received: 2024 09 02 16:49:30
Feed: contagio
Source: contagio
Category: Cyber Security
Topic: Cyber Security
Views: 3