Infostealers aimed at macOS continue to develop actively, which makes monitoring them especially important. Not long ago, the source code of the Banshee infostealer, written in Objective-C, was leaked. This allowed researchers to study its mechanisms and to identify its possible successor: a new version written in Rust.
On January 15, 2025, a team of Kandji researchers found a new sample of the infostealer on VirusTotal. The program behaves similarly to Banshee and focuses on stealing data from browsers, cryptocurrency wallets and browser extensions. However, the new version sends the collected files to the local host, which may indicate a testing stage or early development.
The researchers performed a detailed code analysis. One of the first signs of similarity was the use of the same functions in the Rust application and in the leaked Banshee code. The Rust compiler mangles function names by appending unique identifiers, but once these were stripped the comparison showed a substantial match. In particular, the function mac_os_stealer::main() in the new infostealer passes arguments at startup in the same way as the original Banshee.
The new sample contains a "killall Terminal" command identical to the one found in the leaked Objective-C code. This command terminates the Terminal application, possibly to hide traces of malicious activity. The new infostealer also checks whether it is running in a virtual machine with the command
"system_profiler SPHardwareDataType | grep 'Model Identifier'"
and, if a virtual machine is detected, reacts in the same way as the Banshee code.
Another interesting aspect is the use of sysctl() to detect an attached debugger. This mechanism is used in many infostealers and lets the malware evade analysis.
During the analysis, the researchers found that the infostealer collects system information by running several commands that determine the OS version, the hardware type and the amount of RAM. The program then creates a temporary directory and calls the send_data() function, which prepares the data for transmission. Inside this function, traces of encryption applied before the data is sent were also found.
Notably, in this version the data transmission endpoint is set to 127.0.0.1:3030, which supports the hypothesis that the program is still being tested. Such a configuration is typical of the early stages of malware development.
Further analysis showed that the infostealer targets data from browsers including Chrome, Firefox, Microsoft Edge and Yandex. The code also contains references to cryptocurrency wallet extensions. Comparison with the leaked Banshee code confirmed that these lists match completely.
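The artifacts described above (the "killall Terminal" command, the system_profiler VM check, the sysctl() debugger check, the mac_os_stealer::main symbol, the 127.0.0.1:3030 endpoint and the browser list) are all plain strings in the binary, so a first-pass triage can be done statically. The following Python script is an added example for analysts, not Kandji's tooling or any code from the analysed sample: it extracts printable strings from a binary blob (the way the "strings" utility does), matches them against the indicators named in the article, and separately looks for a loopback endpoint as a hint that the build is a test build. The indicator categories, the scoring and the sample blob are constructed for illustration; the category names are assumptions of this example, not names used by the researchers.

```python
"""Static string triage for a Banshee-like macOS infostealer sample.

Added example (not Kandji's or the sample's own code). Indicator strings are
taken from the article's description; category labels, the score and the
sample blob are constructed here for illustration.
"""
import re
from typing import Dict, List

# Indicator substrings per (constructed) category. Matching is case-sensitive
# on purpose: these are the literal strings the article describes.
INDICATORS: Dict[str, List[str]] = {
    "terminal_kill": ["killall Terminal"],
    "vm_check": ["system_profiler SPHardwareDataType", "Model Identifier"],
    "debugger_check": ["sysctl"],
    "rust_symbol": ["mac_os_stealer::main"],
    "collection": ["send_data"],
    "browser_targets": ["Chrome", "Firefox", "Microsoft Edge", "Yandex"],
}

# A loopback exfiltration endpoint such as 127.0.0.1:3030 suggests a test build.
LOOPBACK_ENDPOINT = re.compile(rb"127\.0\.0\.1:(\d{1,5})")


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Return printable ASCII runs of at least min_len bytes (like `strings -n`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def triage_strings(blob: bytes) -> Dict[str, object]:
    """Match extracted strings against the indicators and summarise the result.

    The score is simply the number of indicator categories hit; it is a triage
    aid for prioritising manual analysis, not a malware verdict.
    """
    strings = extract_strings(blob)
    categories: Dict[str, List[str]] = {}
    for category, needles in INDICATORS.items():
        matched = [s for s in strings if any(n in s for n in needles)]
        if matched:
            categories[category] = matched
    ports = sorted({int(m.group(1)) for m in LOOPBACK_ENDPOINT.finditer(blob)})
    return {
        "categories": categories,
        "score": len(categories),
        "loopback_ports": ports,
        "likely_test_build": bool(ports),
    }


# Constructed stand-in for a binary: a few non-printable bytes around the
# kinds of strings the article reports in the Rust sample.
SAMPLE_BLOB = (
    b"\x00\x01\xfe\xcaMACHO\x00junk\x00"
    b"killall Terminal\x00"
    b"system_profiler SPHardwareDataType | grep 'Model Identifier'\x00"
    b"mac_os_stealer::main\x00"
    b"http://127.0.0.1:3030/upload\x00"
    b"Google Chrome\x00Firefox\x00Yandex\x00"
    b"\x7f\x80\x81"
)


if __name__ == "__main__":
    report = triage_strings(SAMPLE_BLOB)
    print(f"score={report['score']} test_build={report['likely_test_build']}")
    for category, hits in report["categories"].items():
        print(f"  {category}: {hits}")
```

On a real file, read it with open(path, "rb").read() and pass the bytes to triage_strings(); the browser names will also match benign software, which is why the output is a score over several categories rather than a single-string verdict.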