Cybersecurity researchers have discovered a new malware called Banshee Stealer that targets Apple’s macOS system and is capable of collecting system information, passwords, and notes from iCloud Keychain.

This all-purpose malware, developed by Russian hackers, is sold on underground cybercrime forums for $3000 per month. It targets a wide range of browsers, cryptocurrency wallets, and about 100 browser extensions.

The following web browsers and crypto wallets are at risk: Safari, Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Vivaldi, Yandex, Opera, OperaGX, Exodus, Electrum, Coinomi, Guarda, Wasabi Wallet, Atomic, and Ledger.

It also contains a number of anti-analysis and anti-debugging measures to determine if it is running in a virtual environment in an attempt to avoid detection. In addition, it uses the CFLocaleCopyPreferredLanguages API to avoid infecting systems where the primary language is Russian.

Banshee Stealer uses osascript to display a fake password prompt. This tricks users into providing system passwords, which are then verified using the OpenDirectory API.
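One way to hunt for this fake password prompt in process-execution telemetry, as an added example that is not from the original article. The event schema (`image`, `parent_signed`, `cmdline`), the severity labels, and the sample events are constructed assumptions.

```python
import re

# Constructed process-execution events in a hypothetical EDR schema (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 501, "image": "/usr/bin/osascript", "parent_signed": False,
     "cmdline": 'osascript -e \'display dialog "Enter your password" default answer "" with hidden answer\''},
    {"pid": 612, "image": "/usr/bin/osascript", "parent_signed": True,
     "cmdline": 'osascript -e \'tell application "Finder" to activate\''},
    {"pid": 733, "image": "/usr/bin/osascript", "parent_signed": True,
     "cmdline": 'osascript -e \'Display Dialog "Admin password" default answer "" hidden answer true\''},
    {"pid": 810, "image": "/usr/bin/osascript", "parent_signed": False,
     "cmdline": 'osascript -e \'display dialog "Backup finished" buttons {"OK"}\''},
    {"pid": 905, "image": "/bin/zsh", "parent_signed": True,
     "cmdline": 'zsh -c "grep -r \'display dialog\' ~/scripts | grep \'hidden answer\'"'},
]

# AppleScript is case-insensitive, so the patterns are too.
DIALOG = re.compile(r"display\s+dialog", re.IGNORECASE)
# Matches both "with hidden answer" and "hidden answer true" (masked input field).
HIDDEN = re.compile(r"hidden\s+answer", re.IGNORECASE)


def classify(event):
    """Return 'high', 'medium' or None for one process event."""
    # Only the osascript process itself counts; a shell that merely mentions
    # the strings (pid 905) is not a dialog being shown.
    if not event["image"].endswith("/osascript"):
        return None
    cmd = event["cmdline"]
    # A plain dialog is common; a dialog with a masked answer field is the signal.
    if not (DIALOG.search(cmd) and HIDDEN.search(cmd)):
        return None
    # Assumption: a signed parent may be an admin tool, so it is triaged lower.
    return "medium" if event.get("parent_signed") else "high"


def detect(events):
    """Return (pid, severity) for every event that classify() flags."""
    hits = [(e["pid"], classify(e)) for e in events]
    return [(pid, sev) for pid, sev in hits if sev]


if __name__ == "__main__":
    for pid, severity in detect(SAMPLE_EVENTS):
        print(f"pid={pid} severity={severity} osascript masked-input dialog")
```

This only sees scripts passed inline on the command line; a script loaded from a file or standard input needs telemetry that captures the script content.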

The malware then downloads and executes additional malicious scripts from the remote server, collecting data from files with .txt, .docx, .rtf, .doc, .wallet, .keys, and .key extensions from the Desktop and Documents folders. This data is then exfiltrated in ZIP format to the cybercriminals’ remote server.

With the growing number of threats like Banshee Stealer, macOS users should be extra cautious when dealing with suspicious files and apps. Cybercriminals continue to develop new methods to steal data, making it important to maintain the highest standards of cybersecurity.