Banshee Stealer (Infostealer) – Malware

Overview

The BANSHEE infostealer, a sophisticated macOS-based malware, emerged in August 2024 and has rapidly gained attention within the cybersecurity community. Developed by Russian threat actors, BANSHEE is designed to target macOS systems, exploiting both the x86_64 and ARM64 architectures. It is an advanced infostealer that goes beyond the basic capabilities of similar malware, offering attackers the ability to gather a wide range of sensitive information from the compromised system. This includes system details, browser data, and cryptocurrency wallets, making it a highly versatile and dangerous threat for users in both personal and professional settings. As macOS devices become increasingly popular among users worldwide, the appearance of malware like BANSHEE highlights a critical shift in the landscape of cyber threats, especially as macOS platforms historically received less focus from cybercriminals compared to Windows-based systems. The malware, which is reportedly sold on underground forums with a hefty subscription price of $3,000 per month, showcases the evolving nature of cybercrime. Unlike its predecessors, which mainly targeted Windows environments, BANSHEE is built to capitalize on the growing popularity of macOS systems. With its ability to extract data from popular web browsers such as Chrome, Firefox, and Safari, as well as cryptocurrency wallets like Exodus and Electrum, BANSHEE poses a significant threat to individuals and organizations alike. The malware’s capability to collect a broad array of data, from sensitive login credentials to detailed system information, underscores the increasing complexity of attacks targeting personal and financial information.

Targets

Individuals Information

How they operate

Infection and Execution: Social Engineering at the Forefront

The BANSHEE Stealer typically spreads through phishing campaigns, which rely on social engineering to lure victims into downloading and executing malicious files. These files often appear as benign software updates or utilities, enticing users to open them. Once executed, BANSHEE establishes its foothold on the infected system. The malware is known to employ a variety of techniques to execute its payload, including leveraging the AppleScript scripting language. This allows the malware to perform various tasks without triggering alarms, like downloading additional components, initiating the theft of data, and enabling persistence mechanisms. Upon execution, BANSHEE Stealer uses a blend of legitimate macOS functionalities and malicious activities to collect data. One notable technique is the use of password prompts, which mimic legitimate macOS prompts for password entry. The malware captures these inputs and steals user credentials, including any passwords typed in these deceptive dialogs. Furthermore, BANSHEE also targets the macOS Keychain, which stores saved passwords for websites, applications, and network services. By gaining access to this repository, the malware can exfiltrate credentials from various sources, enhancing its ability to compromise accounts.

Persistence and Privilege Escalation: Maintaining Control

BANSHEE Stealer also employs various methods to ensure persistence on the infected system. By leveraging macOS’s “Launch Agents,” the malware can ensure that it restarts automatically every time the system boots up, maintaining access without needing to be re-executed by the attacker. This tactic ensures that BANSHEE can remain active on the system, even after user reboots or attempts to remove it. Additionally, while not explicitly exploiting vulnerabilities in the operating system, BANSHEE Stealer uses clever social engineering techniques to elevate its privileges. By triggering prompts for sensitive system information, BANSHEE can trick users into granting higher privileges, which allows it to access more valuable data and perform tasks that would otherwise be restricted by system security policies. This type of social engineering is a hallmark of modern malware, where user actions are manipulated to bypass technical defenses.

Evasion Techniques: Hiding from Detection

To avoid detection, BANSHEE Stealer incorporates several evasion techniques. The malware frequently obfuscates its code and communications to prevent detection by security software and system monitoring tools. This includes the use of XOR encryption and base64 encoding to obscure exfiltrated data. The encrypted data is then transmitted over HTTP to a remote command-and-control (C2) server, where it is decrypted and accessed by the attackers. In addition to obfuscation, BANSHEE is capable of masquerading as legitimate macOS processes. This allows it to blend into the system’s normal operation, making it harder for antivirus and endpoint detection solutions to identify its presence. The malware may also check for debugger programs or sandbox environments, using macOS system APIs like sysctl to detect whether it’s being analyzed in a virtualized or controlled environment. If such conditions are met, BANSHEE may alter its behavior or stop execution entirely to avoid analysis.

Data Collection and Exfiltration: Targeting Valuable Information

Once BANSHEE Stealer has established itself on the system, its primary goal is to collect sensitive data. The malware targets a wide array of valuable information, including user credentials, browser history, cookies, saved passwords, and sensitive files stored on the infected machine. This data is typically gathered from various web browsers, including Chrome, Firefox, and Safari, as well as from browser extensions and saved login credentials. To extract this data, BANSHEE employs input capture techniques like keylogging and simulating user interactions with system dialogs. In some cases, it may prompt the victim to manually enter sensitive information, such as passwords or other personal details, by using deceptive login prompts. After gathering this data, the malware encrypts it and exfiltrates it over a command-and-control (C2) channel, typically using HTTPS requests or file uploads.

Impact: Long-Term Consequences

While BANSHEE Stealer does not actively destroy or corrupt files, its impact can be devastating. The exfiltrated data, including usernames, passwords, and other sensitive information, can lead to significant financial loss, identity theft, and other forms of cybercrime. The malware’s ability to steal personal data, while remaining hidden for extended periods, allows attackers to harvest valuable information from multiple victims over time. This persistence increases the potential for long-term consequences, especially if the stolen credentials are used for further attacks like account takeovers or fraud.

MITRE Tactics and Techniques

1. Initial Access

Phishing (T1566): BANSHEE Stealer may initially be delivered via phishing attacks, often relying on deceptive links or malicious files to gain access to the system.

2. Execution

Command and Scripting Interpreter (T1059): BANSHEE uses AppleScript commands to execute various tasks on the compromised system, including gathering system information and interacting with the user for password phishing. OS Credential Dumping (T1003): The malware attempts to collect user credentials by triggering password prompts and then capturing the entered passwords, which may be used to decrypt stored passwords in the macOS keychain.

3. Persistence

Launch Agents (T1543): BANSHEE may install persistent components on the system, ensuring it can restart and maintain access after system reboots.

4. Privilege Escalation

Exploitation for Privilege Escalation (T1068): While BANSHEE doesn’t appear to exploit a specific vulnerability, it uses social engineering (password prompts) to elevate its privileges and access sensitive data.

5. Defense Evasion

Obfuscated Files or Information (T1027): BANSHEE uses basic obfuscation techniques like XOR encryption and base64 encoding to hide exfiltrated data before sending it to command-and-control (C2) servers. Masquerading (T1036): The malware uses techniques like hiding its activity under legitimate system processes or mimicking normal operations to avoid detection. Debugger Detection (T1622): BANSHEE checks for debuggers using macOS APIs such as sysctl to ensure it is not running in a sandbox environment.

6. Collection

Data from Information Repositories (T1213): BANSHEE collects system information, including user credentials, browser history, cookies, and files from several browsers and extensions. Input Capture (T1056): The malware collects sensitive information such as login credentials through keylogging or phishing prompts (e.g., prompting the user to enter a password).

7. Exfiltration

Exfiltration Over Command and Control Channel (T1041): BANSHEE exfiltrates stolen data over HTTP by sending it to its C2 server using the curl command after encrypting the data with XOR and base64 encoding. Exfiltration Over Other Network Medium (T1048): The malware may also use different exfiltration techniques depending on its configuration, such as file transfers or cloud-based storage services.

8. Impact

Data Destruction (T1485): Although BANSHEE does not explicitly destroy data, the theft of sensitive information can lead to significant financial and reputational damage, which is often the primary impact of data-stealing malware.  

References:

• Beyond the wail: deconstructing the BANSHEE infostealer