Source Code of $3k-a-Month macOS Malware 'Banshee Stealer' Leaked

46 points, posted a month ago
by sandwichsphinx

7 Comments

wutwutwat

25 days ago

So let me get this straight. The malware source code was uploaded to GitHub for people to view, but it's all in zip and 7z files, requiring you to download and execute the files in order to see their contents. 7z itself just had an RCE CVE last week, and who would ever download malware files and unzip them trying to view the source code. This repo is not something to be trusted in its current state.

https://github.com/vxunderground/MalwareSourceCode/tree/main...

somat

25 days ago

When your threat model includes distrust of your tools, you can run your tools in a VM, then exfiltrate the files from there. Perhaps even fingerprint the whole VM to analyze if there were shenanigans afoot in the archive. If your threat model also includes distrust of your VM, which is reasonable (VMs are not the security panacea some try to sell them as), then yeah, stay away from it. Or start investing in throwaway one-use machines and depend on the network isolation keeping you safe.
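One way to do the "look inside the archive before trusting it" part, as an added example that is not from the thread or from the vxunderground repository: a Python script that reads each zip member from memory rather than extracting it, flags entries whose paths would escape the extraction directory, refuses to inflate oversized members, and checks leading bytes for Mach-O/ELF/PE magic that has no business in a source-only archive. The sample archive is constructed inline and is not real malware.

```python
import hashlib
import io
import posixpath
import zipfile

# Magic bytes that should never appear in an archive claiming to hold only source code:
# Mach-O thin images (both byte orders), universal binaries, ELF and PE.
BINARY_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (BE)", b"\xce\xfa\xed\xfe": "Mach-O 32-bit (LE)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (BE)", b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (LE)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat)", b"\x7fELF": "ELF", b"MZ": "PE/DOS",
}
MAX_MEMBER = 50 * 1024 * 1024  # refuse to inflate anything bigger (zip-bomb guard)

def unsafe_path(name):
    """True if extracting this member could land outside the target directory."""
    if name.startswith(("/", "\\")) or ":" in name.split("/")[0]:
        return True  # absolute path or Windows drive prefix
    return ".." in posixpath.normpath(name).split("/")

def classify(head):
    """Label a member by its leading bytes; unrecognised content is 'text/other'."""
    return next((label for magic, label in BINARY_MAGICS.items() if head.startswith(magic)), "text/other")

def inspect_zip(data):
    """One finding per member, read from memory; nothing is written to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            entry = {"name": info.filename, "size": info.file_size,
                     "unsafe_path": unsafe_path(info.filename)}
            if info.file_size > MAX_MEMBER:
                entry["kind"] = "skipped: too large"
            else:
                with zf.open(info) as fh:
                    content = fh.read()
                entry["kind"] = classify(content[:4])
                entry["sha256"] = hashlib.sha256(content).hexdigest()
            findings.append(entry)
    return findings

def build_sample_archive():
    """Constructed sample (not a real leak): a source file, a traversal entry, a fake Mach-O."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("stealer/main.swift", 'print("hello")\n')
        zf.writestr("../../outside.txt", "should not be here")
        zf.writestr("stealer/build/stealer", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    return buf.getvalue()
```

The same approach works for 7z archives with a library such as py7zr, but the point stands: inspect from memory in a throwaway environment, and treat any traversal entry or stray binary as a reason to stop.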

k4rli

25 days ago

Seems very basic looking at the source. The real value is in binary obfuscation I suppose, if that's even needed when macOS doesn't use any sort of "antivirus".

fragmede

25 days ago

Apple has the means to stop random unsigned binaries from running without intense user intervention, so I wouldn't say there isn't any.

kevincox

25 days ago

IIUC this is based on a pretty simple fingerprint of the executable. So a motivated attacker can produce different builds that break the signature resulting in each build being "new" and being allowed by default.

This is different from the "notarization" process, which requires uploading the executable, and Apple has a chance of better identifying variants. I don't think notarization is yet required or done on unknown executables by default. (In fact I think they need to be signed to be notarized.)