{
	"id": "4784b25d-f786-4745-9f6e-884928078d74",
	"created_at": "2026-04-06T00:06:28.04639Z",
	"updated_at": "2026-04-10T13:12:16.536848Z",
	"deleted_at": null,
	"sha1_hash": "e6dd07331004460cf28481d3090402349601c0c3",
	"title": "Beyond the wail: deconstructing the BANSHEE infostealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 941979,
	"plain_text": "Beyond the wail: deconstructing the BANSHEE infostealer\r\nBy Elastic Security Labs\r\nPublished: 2024-08-15 · Archived: 2026-04-05 16:23:43 UTC\r\nPreamble\r\nIn August 2024, a novel macOS malware named \"BANSHEE Stealer\" emerged, catching the attention of the\r\ncybersecurity community. Reportedly developed by Russian threat actors, BANSHEE Stealer was introduced on an\r\nunderground forum and is designed to function across both macOS x86_64 and ARM64 architectures.\r\nThis malware presents a severe risk to macOS users, targeting vital system information, browser data, and\r\ncryptocurrency wallets.\r\nWith a steep monthly subscription price of $3,000, BANSHEE Stealer stands out in the market, particularly\r\ncompared to known stealers like AgentTesla.\r\nAs macOS increasingly becomes a prime target for cybercriminals, BANSHEE Stealer underscores the rising\r\nobservance of macOS-specific malware. This analysis explores the technical details of BANSHEE Stealer, aiming\r\nto help the community understand its impact and stay informed about emerging threats.\r\nSource: https://x.com/privacyis1st/status/1822948909670408573\r\nKey takeaways\r\nBANSHEE Stealer highlights the growing number of macOS malware samples as the OS becomes a more\r\nattractive target for cyber threats.\r\nBANSHEE Stealer's $3,000 monthly price is notably high compared to Windows-based stealers.\r\nBANSHEE Stealer targets a wide range of browsers, cryptocurrency wallets, and around 100 browser\r\nextensions, making it a highly versatile and dangerous threat.\r\nhttps://www.elastic.co/security-labs/beyond-the-wail?ultron=esl:_threat_research%2Besl_blog_post\u0026blade=twitter\u0026hulk=social\u0026utm_content=14389248623\u0026linkId=549532028\r\nPage 1 of 8\n\nMalware Analysis\r\nThe malware we analyzed in this research contained all the C++ symbols, which is interesting as we can guess the\r\nproject's code structure by knowing these source code file names, as seen in the 
picture below. Looking into the C++-generated global variable initialization functions, we can find values set automatically or manually by the user during the build process, like the remote IP, encryption key, build ID, etc.\r\nFunctions list that initialize the global variables of every source file\r\nThe following table summarizes the leaked .cpp file names through the symbols in the binary.\r\nFile name Description\r\nController.cpp Manages core execution tasks, including anti-debugging measures, language checks, data collection, and exfiltration.\r\nBrowsers.cpp Handles the collection of data from various web browsers.\r\nSystem.cpp Executes AppleScripts to gather system information and perform password phishing.\r\nTools.cpp Provides utility functions for encryption, directory creation, compression, etc.\r\nWallets.cpp Responsible for collecting data from cryptocurrency wallets.\r\nDebugger, VM Detection, and Language Checks\r\nChecking for debugging, virtualization, and the language of the machine\r\nBANSHEE Stealer uses basic techniques to evade detection. It detects debugging by utilizing the sysctl API.\r\nDebugging detection with sysctl macOS API\r\nFor virtualization detection, it runs the command system_profiler SPHardwareDataType | grep 'Model Identifier' to determine whether the string Virtual appears in the hardware model identifier, which suggests a virtual machine. These methods are relatively simple and can be easily circumvented by advanced sandboxes and malware analysts.\r\nVirtual machine check\r\nAdditionally, it parses the user-preferred canonicalized language returned from the CFLocaleCopyPreferredLanguages API and looks for the string \"ru\". This tactic helps the malware avoid infecting systems where Russian is the primary language.\r\nSystem information collection\r\nUser password\r\nThe malware creates an osascript password prompt with a dialog saying that to launch the application, you need to update the system settings. Please enter your password.\r\nWhen the user enters the password, it will be validated using the dscl command by running dscl Local/Default -authonly \u003cusername\u003e \u003cpassword\u003e\r\nIf valid, the password will be written to the following file: /Users/\u003cusername\u003e/password-entered\r\nUser password phishing through a prompt\r\nThese credentials can be leveraged to decrypt the keychain data stored on the system, granting access to all saved passwords.\r\nFile, software, and hardware information collection\r\nThe function System::collectSystemInfo collects system information and serializes it in a JSON object. It executes the command system_profiler SPSoftwareDataType SPHardwareDataType, which provides details about the system's software and hardware. It gets the machine's public IP by requesting it from freeipapi.com through the built-in macOS cURL command.\r\nThe JSON file will be saved under \u003ctemporary_path\u003e/system_info.json\r\nBANSHEE Stealer executes AppleScripts; interestingly, it writes each AppleScript to the same file /tmp/tempAppleScript\r\nThe first script to be executed mutes the system sound with the osascript -e 'set volume with output muted' command. It then collects various files from the system, which are listed below:\r\nSafari cookies\r\nNotes database\r\nFiles with the following extensions .txt, .docx, .rtf, .doc, .wallet, .keys, or .key from the Desktop and Documents folders.\r\nDump keychain passwords\r\nIt copies the keychain of the system /Library/Keychains/login.keychain-db to \u003ctemporary_path\u003e/Passwords\r\nBrowser collection\r\nBANSHEE collects data from 9 different browsers currently, including browser history, cookies, logins, etc.:\r\nChrome\r\nFirefox\r\nBrave\r\nEdge\r\nVivaldi\r\nYandex\r\nOpera\r\nOperaGX\r\nRegarding Safari, only the cookies are collected by the AppleScript script for the current version.\r\nWeb browser file collection\r\nAdditionally, data from approximately 100 browser plugins are collected from the machine. A list of these extension IDs is provided at the end of the blog post.\r\nThe collected files are saved under \u003ctemporary_path\u003e/Browsers\r\nWallet collection\r\nExodus\r\nElectrum\r\nCoinomi\r\nGuarda\r\nWasabi Wallet\r\nAtomic\r\nLedger\r\nThe collected wallets are stored under \u003ctemporary_path\u003e/Wallets\r\nExfiltration\r\nAfter the malware finishes collecting data, it first ZIP compresses the temporary folder using the ditto command. The zip file is then XOR encrypted and base64 encoded and sent through a POST request to the URL http://45.142.122[.]92/send/ with the built-in cURL command.\r\nXor and base64 encoding of the zip file to be exfiltrated\r\nBehavior detection\r\nCrypto Wallet File Access by Unsigned or Untrusted Binary\r\nWeb Browser Credential Data Accessed by Unsigned or Untrusted Process\r\nOsascript Payload Drop and Execute\r\nPotential Credentials Phishing via Osascript\r\nYARA rule\r\nElastic Security has created YARA rules to identify this activity. Below are YARA rules to identify the BANSHEE malware:\r\nrule Macos_Infostealer_Banshee {\r\n    meta:\r\n        author = \"Elastic Security\"\r\n        creation_date = \"2024-08-13\"\r\n        last_modified = \"2024-08-13\"\r\n        os = \"MacOS\"\r\n        arch = \"x86, arm64\"\r\n        category_type = \"Infostealer\"\r\n        family = \"Banshee\"\r\n        threat_name = \"Macos.Infostealer.Banshee\"\r\n        license = \"Elastic License v2\"\r\n    strings:\r\n        $str_0 = \"No debugging, VM, or Russian language detected.\" ascii fullword\r\n        $str_1 = \"Remote IP: \" ascii fullword\r\n        $str_2 = \"Russian language detected!\" ascii fullword\r\n        $str_3 = \" is empty or does not exist, skipping.\" ascii fullword\r\n        $str_4 = \"Data posted successfully\" ascii fullword\r\n        $binary_0 = { 8B 55 BC 0F BE 08 31 D1 88 08 48 8B 45 D8 48 83 C0 01 48 89 45 D8 E9 }\r\n        $binary_1 = { 48 83 EC 60 48 89 7D C8 48 89 F8 48 89 45 D0 48 89 7D F8 48 89 75 F0 48 89 55 E8 C6 45 E7 0\r\n    condition:\r\n        all of ($str_*) or all of ($binary_*)\r\n}\r\nConclusion\r\nBANSHEE Stealer is macOS-based malware that can collect extensive data from the system, browsers, cryptocurrency wallets, and numerous browser extensions. Despite its potentially dangerous capabilities, the malware's lack of sophisticated obfuscation and the presence of debug information make it easier for analysts to dissect and understand. While BANSHEE Stealer is not overly complex in its design, its focus on macOS systems and the breadth of data it collects make it a significant threat that demands attention from the cybersecurity community.\r\nObservables\r\nAll observables are also available for download in both ECS and STIX format in a combined zip bundle.\r\nThe following observables were discussed in this research.\r\nObservable Type Name Reference\r\n11aa6eeca2547fcf807129787bec0d576de1a29b56945c5a8fb16ed8bf68f782 SHA-256 BANSHEE stealer\r\n45.142.122[.]92 ipv4-addr BANSHEE stealer C2\r\nSource: https://www.elastic.co/security-labs/beyond-the-wail?ultron=esl:_threat_research%2Besl_blog_post\u0026blade=twitter\u0026hulk=social\u0026utm_content=14389248623\u0026linkId=549532028",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.elastic.co/security-labs/beyond-the-wail?ultron=esl:_threat_research%2Besl_blog_post\u0026blade=twitter\u0026hulk=social\u0026utm_content=14389248623\u0026linkId=549532028"
	],
	"report_names": [
		"beyond-the-wail?ultron=esl:_threat_research%2Besl_blog_post\u0026blade=twitter\u0026hulk=social\u0026utm_content=14389248623\u0026linkId=549532028"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433988,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6dd07331004460cf28481d3090402349601c0c3.pdf",
		"text": "https://archive.orkl.eu/e6dd07331004460cf28481d3090402349601c0c3.txt",
		"img": "https://archive.orkl.eu/e6dd07331004460cf28481d3090402349601c0c3.jpg"
	}
}