Beyond the wail: deconstructing the BANSHEE infostealer

Aug. 16, 2024, 2:50 p.m.

Description

This analysis details the BANSHEE malware, a macOS-based infostealer that targets system information, browser data, and cryptocurrency wallets. Developed by Russian threat actors, it operates across macOS x86_64 and ARM64 architectures. The malware is designed to evade detection through anti-debugging measures and checks for virtualization and language settings. It collects user passwords, system information, browser data from various browsers, and data from around 100 browser extensions. Additionally, it targets cryptocurrency wallets like Exodus, Electrum, and Ledger. The collected data is compressed, encrypted, and exfiltrated to a remote server.

External References

https://www.elastic.co/security-labs/beyond-the-wail
https://otx.alienvault.com/pulse/66bf5dcda581acdf5f0675b7
Tags
infostealer
macos
2024-08-16
c++
banshee stealer
sysctl api

Date

  • Created: Aug. 16, 2024, 2:10 p.m.
  • Published: Aug. 16, 2024, 2:10 p.m.
  • Modified: Aug. 16, 2024, 2:50 p.m.

Indicators

  • 11aa6eeca2547fcf807129787bec0d576de1a29b56945c5a8fb16ed8bf68f782
  • 45.142.122.92
Download all indicators here!

Attack Patterns

  • BANSHEE Stealer
  • Russian threat actors