Banshee Stealer: The New Threat to macOS Users

Introduction
In an increasingly complex threat landscape, Banshee has emerged as a serious threat to macOS users. First discovered in 2024, Banshee is information-stealing malware that targets browsers and cryptocurrency wallets on macOS. Its ability to evade antivirus tools for extended periods has raised many concerns within the security community.
Banshee is not just ordinary malware; it is also a stealer-as-a-service, allowing threat actors to rent and use it to carry out attacks on macOS users. This malware can steal login information from various browsers and target browser extensions related to cryptocurrency wallets. This makes Banshee a dangerous tool in the hands of cybercriminals, especially since its source code has been leaked on underground forums, enabling many other attackers to access and use it.
With the continuous development of attack campaigns and sophistication in its operations, Banshee has become a significant challenge for security experts. Understanding its mechanisms and preventive measures is essential to protecting macOS users from this threat.
Malware Information
At the end of September, Check Point Research discovered new versions of Banshee Stealer. These samples went undetected by the antivirus engines on VirusTotal for over two months. Only after the source code of Banshee Stealer was leaked on the underground XSS forum on November 23 did antivirus vendors update their detection rules to identify both the leaked original code and the updated versions.

A key difference between the old and new versions is string encryption: the plain-text strings present in the samples reported in August are encrypted in the new ones. When Check Point Research first obtained the encrypted samples at the end of September, they wrote a YARA rule based on the string encryption, which produced many false positives. Further investigation showed why: Banshee uses the same string-encryption method that Apple uses in macOS for its XProtect antivirus tool.

This encryption is used to decode the YARA rules in the XProtect Remediator binaries. While the XProtect binaries decode the YARA rules for detection purposes, Banshee Stealer uses the same algorithm to decode critical strings for its functionality. These strings include the necessary information for the malware to operate effectively without being detected.
Banshee Stealer is malware designed to collect information from macOS systems, including browser data and cryptocurrency wallets. It is built for both the x86_64 and ARM64 macOS architectures, which shows its flexibility and adaptability.
One of the standout features of Banshee Stealer is its ability to collect data from various browsers, including browsing history, cookies, login information, and autofill data. Notably, it can access around 100 browser extensions, allowing it to gather a large amount of sensitive user data.
To avoid detection, Banshee Stealer uses basic anti-analysis techniques such as debugger detection through the sysctl API. It also checks whether it is running in a virtualized environment by running system_profiler SPHardwareDataType | grep 'Model Identifier' and looking for the string "Virtual" in the hardware model. Additionally, the malware checks the system language and does not infect systems set to Russian, a common tactic for steering clear of regions the malware author does not want to target.
Another technique used by Banshee Stealer is creating a fake password prompt using AppleScript, asking users to enter their password to update system settings. This password is then captured and stored, allowing the malware to access sensitive data stored in the system.
Banshee Stealer also collects system information by executing commands to obtain software and hardware details, as well as the machine's public IP address. This data is stored as a JSON file and can be used for further analysis or to carry out additional attacks.
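As an added example (not code from the Check Point report), the following POSIX shell script turns two of the behaviours described above into detection rules and runs them over constructed process-execution events: the system_profiler hardware-model lookup used to spot virtual machines, and an AppleScript dialog that collects a hidden (password-style) answer. The event layout and the exact dialog wording are assumptions for the example.

```shell
#!/bin/sh
# Constructed process-execution events (not real telemetry), one per line as
# "pid|parent|command". The layout is an assumption for this example; a real
# source would be EDR process events or the macOS unified log.
BANSHEE_SAMPLE="${TMPDIR:-/tmp}/banshee_sample_$$.log"
cat > "$BANSHEE_SAMPLE" <<'EOF'
401|Terminal|system_profiler SPSoftwareDataType
402|ChromeUpdate|system_profiler SPHardwareDataType | grep 'Model Identifier'
403|ChromeUpdate|osascript -e 'display dialog "macOS needs your password to update system settings" default answer "" with hidden answer'
404|Finder|osascript -e 'display notification "Backup finished"'
405|Terminal|grep 'Model Identifier' hardware.txt
EOF

# classify_command CMD -> prints the name of the matching rule, or nothing.
# Rule 1: the hardware-model lookup the report describes as a VM check.
# Rule 2: an osascript dialog with a hidden answer, i.e. a password prompt.
classify_command() {
    case "$1" in
        *system_profiler*SPHardwareDataType*"Model Identifier"*) echo "vm_check" ;;
        *osascript*"display dialog"*"hidden answer"*) echo "password_prompt" ;;
    esac
}

# scan_events FILE -> prints "pid|parent|rule" for every flagged event.
# The command field may itself contain '|', so read keeps the rest of the
# line in $cmd.
scan_events() {
    while IFS='|' read -r pid parent cmd; do
        rule=$(classify_command "$cmd")
        if [ -n "$rule" ]; then echo "$pid|$parent|$rule"; fi
    done < "$1"
}

# count_hits FILE -> number of flagged events
count_hits() {
    scan_events "$1" | wc -l | tr -d ' '
}

# suspicious_parents FILE -> parents that triggered more than one rule;
# a single parent showing both behaviours is the strongest signal.
suspicious_parents() {
    scan_events "$1" | cut -d'|' -f2 | sort | uniq -d
}

scan_events "$BANSHEE_SAMPLE"
```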
GitHub Campaigns
In an effort to spread Banshee Stealer, threat actors have used GitHub as a platform to distribute this malware. The GitHub campaigns target not only macOS users but also Windows users by combining Banshee with other malware like Lumma Stealer.
Malicious GitHub repositories are often disguised as legitimate software projects or useful tools to trick users into downloading and installing the malware unknowingly. Threat actors frequently use social engineering techniques to convince users that these repositories are safe and trustworthy.
Once users download and run code from these repositories, Banshee Stealer is activated and begins collecting sensitive data from their systems. This includes browser login information, cryptocurrency wallets, and files containing important information. This data is then sent back to the attacker's command server, where it can be used for other malicious purposes.
Using GitHub as a means to distribute malware demonstrates the sophistication and creativity of threat actors in exploiting popular platforms to carry out cyberattacks. This also poses a significant challenge for developers and users in protecting their systems from potential threats.
New Campaign Version of Banshee Stealer
Banshee Stealer is mainly spread through phishing websites and malicious GitHub repositories. In some GitHub campaigns, threat actors have targeted both Windows and macOS users with Banshee and Lumma Stealer. These campaigns often disguise the malware as popular programs like Google Chrome, TradingView, and Telegram.
After Banshee's source code was leaked on underground forums, antivirus tools updated their detection rules to identify both the original code and updated versions. However, Check Point Research continues to monitor malware distribution campaigns through phishing websites masquerading as legitimate software.
Highlights of the Campaign
String Encryption: The new version of Banshee uses string encryption to avoid detection, a technique borrowed from Apple's XProtect.
Distribution Method: The malware is spread through phishing websites and GitHub repositories, targeting both Windows and macOS users.
Source Code Leak: The leak of Banshee's source code has helped antivirus tools update detection rules, but distribution campaigns continue.
Indicators of Compromise
Recommendations
To protect your macOS device from increasingly complex cybersecurity threats, implementing security measures is essential. Here are some important recommendations:
Use file encryption: Enable FileVault to encrypt your entire drive, protecting data from unauthorized access.
Enable System Integrity Protection (SIP): This feature protects critical system files from unauthorized changes, helping to prevent malware.
Configure Gatekeeper: Allow only apps from the App Store or identified developers to be installed to prevent malware.
Set up a firewall: Enable the firewall to control network connections and prevent unauthorized access.
Adjust privacy settings: Manage app access to personal information to protect sensitive data.
Set a firmware password: Prevent unauthorized users from booting the Mac from external drives or into recovery mode.
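As an added example, not part of the original article, this POSIX shell script audits five of the six recommendations by reading the status output of the stock macOS tools (fdesetup, csrutil, spctl, socketfilterfw, firmwarepasswd); privacy settings have no single command-line status and are left out. The matched output strings are what those tools print on current macOS releases; the firmware-password check applies to Intel Macs only and must run as root.

```shell
#!/bin/sh
# Hardening audit for the controls listed above. Added example, not from the
# report: it only reads the status output of stock macOS tools. On a system
# without those tools (e.g. Linux) every control is reported as "skipped".
# firmwarepasswd exists on Intel Macs only and needs root (run with sudo).

# assess CONTROL OUTPUT -> prints "pass" or "fail" from the tool's output text
assess() {
    control=$1; output=$2
    case "$control" in
        filevault)  pattern="FileVault is On" ;;
        sip)        pattern="status: enabled" ;;
        gatekeeper) pattern="assessments enabled" ;;
        firewall)   pattern="Firewall is enabled" ;;
        firmwarepw) pattern="Password Enabled: Yes" ;;
        *)          echo "fail"; return 1 ;;
    esac
    case "$output" in
        *"$pattern"*) echo "pass" ;;
        *)            echo "fail" ;;
    esac
}

# run_check CONTROL CMD [ARGS...] -> runs the tool when present, else "skipped"
run_check() {
    control=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        assess "$control" "$("$@" 2>&1)"
    else
        echo "skipped"
    fi
}

# audit -> prints "control=result" per control; returns 1 if any control failed
audit() {
    failed=0
    # Each spec is "control command args"; word splitting of $spec is intended.
    for spec in "filevault fdesetup status" \
                "sip csrutil status" \
                "gatekeeper spctl --status" \
                "firewall /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate" \
                "firmwarepw firmwarepasswd -check"; do
        set -- $spec
        result=$(run_check "$@")
        echo "$1=$result"
        if [ "$result" = "fail" ]; then failed=1; fi
    done
    return "$failed"
}

audit || echo "one or more controls failed"
```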
Conclusion
Securing macOS is not just about enabling security features but also about developing a mindset that prioritizes data protection at every level. Each security measure contributes to creating a comprehensive shield against cyber threats.
Following these guidelines helps users ensure their macOS devices are protected, providing peace of mind in the digital world. This is especially important for individuals and professionals in high-risk industries such as finance, healthcare, and government, where protecting sensitive information is crucial.