What does the Banshee Stealer do?
Banshee Stealer is malware whose purpose is to collect and steal data from targeted users. It is currently advertised online as a service for $3,000 a month.
[Image: Banshee Stealer advertisement]
How does the Banshee stealer work?
The malware deploys an osascript password prompt with a dialogue telling the user that the system settings need to be updated in order to launch the application. When the user enters their password, the malware checks it; if it is valid, the password is saved to the file “/Users/<username>/password-entered” and subsequently used to decrypt the password information stored in the user’s keychain.
The creators of Banshee Stealer are believed to be Russian threat actors, since the malware avoids targeting systems that use Russian as the primary language. It does this by reading the user’s preferred languages through the CFLocaleCopyPreferredLanguages API and checking for the string “.ru”, which signifies the presence of the Russian language.
What is affected?
The malware attacks third-party software installed on the device rather than the Mac operating system itself. As of the 15th of August, Banshee can collect cookies, browsing history and login credentials from 8 browsers: Opera, OperaGX, Yandex, Chrome, Brave, Firefox, Vivaldi and Edge. From Safari, only cookies can be collected. It is also able to steal information from over 100 browser extensions.
The malware can also steal crypto wallets from infected devices. The wallets currently targeted are Ledger, Atomic, Wasabi Wallet, Electrum, Exodus, Guarda and Coinomi.
Information about the device’s hardware and software is gathered with the command system_profiler SPSoftwareDataType SPHardwareDataType. The malware also collects files from the system, such as the Notes database, Safari cookies, and .txt, .wallet, .keys, .key, .rtf, .doc or .docx files from the Documents folder and Desktop.
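The behaviours described above (the osascript password prompt, the “/Users/<username>/password-entered” file, the system_profiler recon command and the harvesting of document and wallet files) can be turned into host-based detection logic. The following Python is an added example written for this bulletin, not code from Banshee’s analysts or from any product: it scores constructed endpoint events per user and reports users whose combined indicators cross a threshold. The event format, the sample events, the indicator weights and the assumption that the prompt is built with AppleScript’s “with hidden answer” password field are all assumptions made for the example.

```python
import os
import re
from collections import defaultdict

# Indicators drawn from the bulletin text; weights are an assumption for this example.
PASSWORD_DROP_RE = re.compile(r"^/Users/[^/]+/password-entered$")
# Assumption: an AppleScript password prompt uses "display dialog ... with hidden answer".
OSASCRIPT_PROMPT_RE = re.compile(r"osascript.*display dialog.*hidden answer", re.I)
PROFILER_RE = re.compile(r"\bsystem_profiler\b.*SPSoftwareDataType.*SPHardwareDataType")
STAGED_EXTS = {".txt", ".wallet", ".keys", ".key", ".rtf", ".doc", ".docx"}
STAGED_DIR_RE = re.compile(r"^/Users/[^/]+/(Documents|Desktop)/")

# Constructed sample telemetry (not real data): one dict per process execution or file event.
SAMPLE_EVENTS = [
    {"type": "exec", "user": "alice",
     "cmd": 'osascript -e \'display dialog "System Settings must be updated to launch the '
            'application" default answer "" with hidden answer\''},
    {"type": "file_write", "user": "alice", "path": "/Users/alice/password-entered"},
    {"type": "exec", "user": "alice", "cmd": "system_profiler SPSoftwareDataType SPHardwareDataType"},
    {"type": "file_read", "user": "alice", "path": "/Users/alice/Documents/seed.wallet"},
    {"type": "exec", "user": "bob", "cmd": "system_profiler SPDisplaysDataType"},
    {"type": "file_read", "user": "bob", "path": "/Users/bob/Documents/report.docx"},
]


def classify_event(event):
    """Return (indicator_name, weight) when an event matches a Banshee indicator, else None."""
    etype = event["type"]
    if etype == "exec":
        cmd = event["cmd"]
        if OSASCRIPT_PROMPT_RE.search(cmd):
            return ("osascript_password_prompt", 3)
        if PROFILER_RE.search(cmd):
            return ("system_profiler_recon", 2)
    elif etype == "file_write":
        if PASSWORD_DROP_RE.match(event["path"]):
            # Strong indicator on its own: the stealer's password drop file.
            return ("password_entered_file", 5)
    elif etype == "file_read":
        path = event["path"]
        ext = os.path.splitext(path)[1].lower()
        if STAGED_DIR_RE.match(path) and ext in STAGED_EXTS:
            # Weak on its own (users open .docx files all day); only counts in combination.
            return ("document_harvest", 1)
    return None


def score_users(events, threshold=4):
    """Aggregate indicator weights per user and return those at or above the threshold."""
    scores = defaultdict(int)
    hits = defaultdict(list)
    for event in events:
        result = classify_event(event)
        if result is None:
            continue
        name, weight = result
        scores[event["user"]] += weight
        hits[event["user"]].append(name)
    return {user: {"score": scores[user], "indicators": hits[user]}
            for user in scores if scores[user] >= threshold}


if __name__ == "__main__":
    for user, finding in score_users(SAMPLE_EVENTS).items():
        print(f"{user}: score={finding['score']} indicators={finding['indicators']}")
```

The threshold is chosen so that the password drop file alone raises an alert, while a lone document read never does; the weaker indicators only matter when several of them appear for the same user.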
References:
macOS browser extensions at risk from Banshee Stealer (appleinsider.com)
Beyond the wail: deconstructing the BANSHEE infostealer (elastic.co)
New Banshee Stealer macOS Malware Priced at $3,000 Per Month (securityweek.com)
New Banshee Stealer Targets 100+ Browser Extensions on Apple macOS Systems (thehackernews.com)
New macOS stealer variant a.k.a “Banshee” sold on dark forums (x.com)
Urgent drive to patch: Windows TCP/IP zero-click remote code execution vulnerability
There’s a new critical vulnerability making waves, and this is one you absolutely don’t want to ignore. Discovered by XiaoWei of Kunlun Lab and identified as CVE-2024-38063, this vulnerability has been given an eye-watering CVSS score of 9.8. To put that in perspective, it’s like the cyber security equivalent of a major news alert, and yes, you should treat it with that level of urgency.
This flaw primarily targets Windows systems with IPv6 enabled, exploiting weaknesses in the way IPv6 packets are handled. It provides an open door for attackers to send specially crafted packets that can bypass authentication altogether. Once inside, attackers can execute arbitrary code, without even needing to get past a login screen. In other words, before you even realise something’s wrong, your system could be completely compromised, with attackers having free rein to steal data or install malicious software.
Why is CVE-2024-38063 such a big deal?
The biggest issue: it’s a zero-click exploit. Think of it as the stealthiest of cyber attacks, slipping into your system without you clicking a link, downloading a file, or even lifting a finger. Just having IPv6 enabled (which it probably is by default) makes your system a potential target.
It is deemed so critical because of how it silently bypasses any user interaction, leaving people completely unaware while their systems are being hijacked. And with IPv6 being so widespread, the number of potential targets multiplies quickly.
To make matters worse, there’s the possibility that this vulnerability could morph into something worm-like. Remember WannaCry? That infamous ransomware spread rapidly across networks, exploiting a core Windows vulnerability. CVE-2024-38063 could follow a similar path, enabling fast and widespread infection across systems and networks.
What you need to do, right now…
First and foremost: patch your systems. Leaving this vulnerability unaddressed is a serious risk. Secondly, be extra vigilant about your network traffic—anything suspicious should be flagged and investigated. This is also a great time to make sure your defence-in-depth strategies are robust. Firewalls, intrusion detection systems, and endpoint security measures are your best friends here, so make sure they’re doing their job.
As with any significant cybersecurity threat, maintaining a proactive posture is key to minimizing the risk of catastrophic breaches.
By utilising norm.’s Vulnerability Patch Management module, customers can ensure they are protected against vulnerabilities disclosed via vendor bug bounty programs.
References:
Windows TCP/IP Remote Code Execution Vulnerability (msrc.microsoft.com)
Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited (bleepingcomputer.com)
Zero-Click Exploit Concerns Drive Urgent Patching of Windows TCP/IP Flaw (securityweek.com)
Abuse of Azure domains and Google for disinformation and malware distribution
In recent months, a sophisticated disinformation campaign has been identified, leveraging Microsoft Azure domains and Google services to spread malware and misleading information. This report delves into the mechanisms, impact, and mitigation strategies associated with this campaign.
Mechanisms of abuse
Subdomain utilisation: Attackers have been using subdomains within Microsoft Azure and OVH cloud services to host malicious content. These subdomains often appear legitimate, making it difficult for users to distinguish between genuine and harmful sites.
Phishing and malware distribution: By hosting phishing pages and malware on these subdomains, attackers can exploit the trust users place in Azure-hosted services. This method also helps in bypassing traditional security filters that might block less reputable domains.
Search engine optimisation (SEO) abuse: Attackers have been manipulating Google search results to promote their malicious sites. By using SEO techniques, they ensure that their harmful content appears prominently in search results, increasing the likelihood of user interaction.
Google Ads and Drive: There have been instances where Google Ads and Google Drive have been misused to distribute malware. Malicious ads can lead users to infected sites, while compromised Google Drive links can host and spread malware.
Impact of the campaign
Public misinformation: The campaign has been effective in spreading false information on various topics, including health, politics, and finance. This disinformation can lead to public panic, mistrust in institutions, and poor decision-making.
Reputation damage: Legitimate organisations whose domains are spoofed or whose services are abused may suffer reputational damage, leading to loss of customer trust and potential financial losses.
Data theft: Malware distributed through these campaigns can steal sensitive information, including personal data, financial details, and intellectual property.
System compromise: Infected systems can be used for further malicious activities, such as launching additional attacks, mining cryptocurrency, or being part of botnets.
Mitigation strategies
Domain monitoring: Organisations should implement robust monitoring of their domains and subdomains to detect and respond to unauthorised use promptly.
SEO and Ad monitoring: Regular audits of SEO practices and ad campaigns can help identify and mitigate the misuse of these channels for spreading malware.
Phishing awareness: Educating users about the dangers of phishing and how to recognise suspicious links can reduce the likelihood of successful attacks.
Safe browsing practices: Encouraging safe browsing practices, such as verifying URLs and using security tools, can help users avoid malicious sites.
Reporting mechanisms: Establishing clear reporting mechanisms with service providers like Microsoft and Google can help in the swift takedown of malicious content.
Security partnerships: Collaborating with cyber security firms and industry groups can enhance threat intelligence and response capabilities.
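The domain-monitoring step above can be partly automated: hostnames seen in proxy or mail logs can be checked against the organisation’s own list of legitimate cloud-hosted subdomains, with anything else under a cloud provider’s parent domain (or a direct Google Drive download link) queued for review. The Python below is an added example written for this bulletin, not code from any of the cited sources; the parent-domain list, the allowlist and the sample URLs are constructed assumptions, and the Google Drive “uc?export=download” pattern is assumed to be the form a direct-download link takes.

```python
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Parent domains under which tenants get their own subdomain. Assumption: a small
# illustrative list; a real deployment would maintain a fuller, reviewed list.
CLOUD_PARENTS = {
    "azurewebsites.net": "Azure App Service",
    "blob.core.windows.net": "Azure Blob Storage",
    "azureedge.net": "Azure CDN",
    "cloud.ovh.net": "OVH",
}

# Constructed allowlist: subdomains the organisation itself operates.
ORG_ALLOWLIST = {
    "payroll-portal.azurewebsites.net",
    "corp-assets.blob.core.windows.net",
}

# Constructed sample URLs, as they might appear in proxy logs.
SAMPLE_URLS = [
    "https://payroll-portal.azurewebsites.net/login",
    "https://contoso-update-2024.azurewebsites.net/setup.pkg",
    "https://cdn-invoice-view.azureedge.net/inv.html",
    "https://drive.google.com/uc?export=download&id=CONSTRUCTED_FILE_ID",
    "https://drive.google.com/file/d/CONSTRUCTED_FILE_ID/view",
    "https://www.example.com/news",
]


def classify_url(url):
    """Return (verdict, provider) for one URL.

    verdicts: allowlisted, cloud_subdomain, drive_direct_download, other
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in ORG_ALLOWLIST:
        return ("allowlisted", None)
    for parent, provider in CLOUD_PARENTS.items():
        # Match only true subdomains; the bare parent is the provider's own site.
        if host.endswith("." + parent):
            return ("cloud_subdomain", provider)
    if host == "drive.google.com":
        query = parse_qs(parsed.query)
        if parsed.path == "/uc" and query.get("export") == ["download"]:
            return ("drive_direct_download", "Google Drive")
    return ("other", None)


def triage(urls):
    """Return the URLs needing review, plus a per-provider count for reporting."""
    flagged = []
    per_provider = Counter()
    for url in urls:
        verdict, provider = classify_url(url)
        if verdict in ("cloud_subdomain", "drive_direct_download"):
            flagged.append((url, verdict, provider))
            per_provider[provider] += 1
    return flagged, per_provider


if __name__ == "__main__":
    flagged, per_provider = triage(SAMPLE_URLS)
    for url, verdict, provider in flagged:
        print(f"{verdict:22} {provider:20} {url}")
    print(dict(per_provider))
```

Flagged URLs are candidates for review, not verdicts: a new, legitimate subdomain will also trip the check until it is added to the allowlist, which is the point of keeping that list current. The per-provider count gives the reporting mechanism above a ready summary to send to the relevant provider.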
Conclusion
The abuse of Azure domains and Google services for spreading disinformation and malware represents a significant threat to both individuals and organisations. By understanding the mechanisms of these attacks and implementing effective mitigation strategies, it is possible to reduce the impact and protect against future threats.
References:
Azure domains and Google abused to spread disinformation and malware (bleepingcomputer.com)
Azure domains and Google abused to spread disinformation and malware (netmanageit.com)
Azure domains and Google abused to spread disinformation and malware (cyber.vumetric.com)
Get norm.’s threat bulletin direct to your inbox
norm. tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.