Scrape Timestamp (UTC): 2025-01-09 18:59:26.689
Original Article Text
Banshee stealer evades detection using Apple XProtect encryption algo

A new version of the Banshee info-stealing malware for macOS has been evading detection over the past two months by adopting string encryption from Apple's XProtect.

Banshee is an information stealer focused on macOS systems. It emerged in mid-2024 as a stealer-as-a-service available to cybercriminals for $3,000. Its source code was leaked on the XSS forums in November 2024, leading to the project shutting down for the public and creating an opportunity for other malware developers to improve on it.

According to Check Point Research, which discovered one of the new variants, the encryption method present in Banshee allows it to blend in with normal operations and to appear legitimate while collecting sensitive information from infected hosts. Another change is that it no longer avoids systems belonging to Russian users.

XProtect encryption

Apple's XProtect is the malware detection technology built into macOS. It uses a set of rules, similar to antivirus signatures, to identify and block known malware.

The latest version of Banshee Stealer adopted a string encryption algorithm that XProtect itself uses to protect its data. By scrambling its strings and only decrypting them during execution, Banshee can evade standard static detection methods. It is also possible that macOS and third-party anti-malware tools treat the particular encryption technique with less suspicion, allowing Banshee to operate undetected for longer periods.

Stealing sensitive data

The latest Banshee stealer variant is primarily distributed via deceptive GitHub repositories targeting macOS users through software impersonation. The same operators also target Windows users, but with Lumma Stealer.

Check Point reports that while the Banshee malware-as-a-service operation has remained down since November, multiple phishing campaigns have continued to distribute the malware since the source code leaked.
The infostealer targets data stored in popular browsers (e.g. Chrome, Brave, Edge, and Vivaldi), including passwords, two-factor authentication extensions, and cryptocurrency wallet extensions. It also collects basic system and networking information about the host and serves victims deceptive login prompts to steal their macOS passwords.
Daily Brief Summary
A new variant of Banshee, a macOS-targeting information stealer, employs the string encryption used by Apple's XProtect, concealing its malicious activity from static analysis.
Initially introduced as a stealer-as-a-service in mid-2024, Banshee was priced at $3,000 before its source code leaked in November 2024, ending its public distribution.
Since the source code leak, various actors have advanced the malware, which now no longer exempts systems belonging to Russian users.
The modified Banshee stealer keeps its malicious strings encrypted and decrypts them only at run time, evading the conventional static detection methods used by macOS and third-party antivirus software.
It is distributed through deceptive GitHub repositories and tricks users into installing it by mimicking legitimate software applications.
The malware's targets include data from commonly used browsers like Chrome and Brave, capturing passwords, two-factor authentication data, and cryptocurrency wallet information.
Additional deceptive tactics include tricking infected macOS users into entering their system passwords through fake login prompts.
Despite the official shutdown of the Banshee malware-as-a-service operation, active phishing campaigns continue to distribute the evolved malware variant.