New macOS Malware Banshee Stealer Hits Web Browsers

Banshee Stealer is designed to operate on both x86_64 and ARM64 architectures, providing broad compatibility across macOS devices. Its primary function is to steal sensitive data, including passwords, cookies, browsing history, and cryptocurrency wallet information. The malware targets a wide range of web browsers such as Safari, Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Vivaldi, Yandex, Opera, and OperaGX. It also focuses on cryptocurrency wallets like Exodus, Electrum, Coinomi, Guarda, Wasabi Wallet, Atomic, and Ledger.

One of the standout features of Banshee Stealer is its use of the macOS osascript utility to display fake password prompts, tricking users into revealing their system credentials. This method allows the malware to escalate privileges, giving it deeper access to the infected system. Additionally, it employs various anti-analysis and anti-debugging techniques to evade detection, particularly by checking if it's running in a virtual environment. It also uses a script to avoid infecting systems where Russian is the primary language, indicating a strategic evasion tactic aimed at avoiding scrutiny from Russian cybersecurity entities.

How to detect if you have the Banshee Stealer malware

Detecting Banshee Stealer on your macOS system requires a combination of vigilance and the use of specialized tools. Here are some key steps to identify if your system might be compromised:

• Unexpected Password Prompts: Banshee Stealer is known to use the osascript utility to display fake password prompts. If you notice any unusual requests for your system password, especially if they appear out of context, this could be a red flag​ 
• System Slowdowns: Malware often consumes system resources, leading to unexplained slowdowns or crashes. If your Mac has started to perform poorly without a clear reason, this could indicate malware activity
• Cookie and History Theft: Since Banshee Stealer targets cookies and browsing history, if you notice missing history entries or unexplained logouts from websites, it might indicate that your data has been stolen​
• Monitor Network Traffic: Advanced users can use tools like Little Snitch or Wireshark to monitor network traffic. Banshee Stealer exfiltrates data to remote servers, so detecting unusual outgoing connections could help identify its presence
• Use the Activity Monitor on your Mac to look for unfamiliar or suspicious processes. Banshee Stealer may be running processes that you don't recognize. Pay attention to anything consuming a lot of CPU or memory that doesn't correspond to software you knowingly installed​

Preventive measures

To mitigate the risk posed by Banshee Stealer, users are advised to follow several best practices. First, always ensure that you install software and browser extensions exclusively from trusted sources, such as reputable developers and official marketplaces. This minimizes the risk of inadvertently introducing malware to your system. 

Regularly updating your macOS and all installed applications is also essential, as software updates often include patches for vulnerabilities that could otherwise be exploited by malicious actors. In addition to these precautions, it's vital to employ reliable security tools, such as reputable antivirus and anti-malware software, to detect and block potential threats before they can cause harm.

Exercise caution when dealing with emails and links, especially from unknown sources, as these can often be vehicles for malware delivery. Finally, regularly back up important data to secure locations, ensuring that you can recover your files in case of a malware infection or other data loss events. By following these steps, you can significantly reduce the risk of falling victim to malware like Banshee Stealer.