Check Point Cracking The Code: How Banshee Stealer Targets Macos Users

(MENAFN- Mid-East Info)

• Since September, Check Point Research (CPR) has been monitoring a new version of the Banshee macOS Stealer, a malware that steals browser credentials, Cryptocurrency wallets, and other sensitive data.
• Undetected for over two months, Banshee's latest version introduced string encryption taken from Apple's XProtect, likely causing antivirus detection systems to overlook the malware
• Threat actors distributed Banshee using phishing websites and fake GitHub repositories, often impersonating popular software like chrome and Telegram.
• A key update in the new version removed a Russian language check, expanding the malware's potential targets.
• The Banshee Stealer highlights the growing risks to macOS users, emphasizing the need for advanced cyber security solutions and increased vigilance.

As macOS continues to gain popularity, with over 100 million users globally, it's becoming an increasingly attractive target for cyber criminals. Despite its reputation as a secure operating system, the rise of sophisticated threats like the Banshee MacOS Stealer highlights the importance of vigilance and proactive cyber security measures. Check Point Research (CPR) has been monitoring this emerging malware, which targets macOS users. Here's what businesses and users need to know.

When Security Assumptions Fall Short
Many macOS users assume that the platform's Unix-based architecture and historically lower market share make it a less attractive target for cyber criminals and therefore, immune to malware. While macOS does include robust security features like Gatekeeper, XProtect, and sandboxing, the rise of the Banshee stealer serves as a reminder that no operating system is immune to threats.

This stealthy malware doesn't just infiltrate; it operates undetected, blending seamlessly with normal system processes while stealing browser credentials, cryptocurrency wallets, user passwords, and sensitive file data. What makes Banshee truly alarming is its ability to evade detection. Even seasoned IT professionals struggle to identify its presence. Banshee stealer isn't just another piece of malware-it's a critical warning for users to reassess their security assumptions and take proactive measures to safeguard their data.

The Evolution of Banshee Stealer: A New Breed of Threat
The Banshee MacOS Stealer first came to public attention in mid-2024, advertised as a“stealer-as-a-service” on underground forums, such as XSS and Exploit, and Telegram. For $3,000, threat actors could purchase this malware to target macOS users. In late September, CPR identified a new, undetected version of Banshee featuring an interesting twist: its developers had“stolen” a string encryption algorithm from Apple's own XProtect antivirus engine, which replaced the plain text strings used in the original version.

This move likely allowed Banshee to evade detection by antivirus engines for over two months. During this time, threat actors distributed the malware through phishing websites and malicious GitHub repositories, posing as popular software tools such as Chrome, Telegram, and TradingView.

Banshee's operations took a significant turn in November 2024 when its source code was leaked on XSS underground forums and was shut down to the public. This leak not only exposed its inner workings but also led to better detection by antivirus engines. While this leak led to better detection by antivirus engines, it also raised concerns about new variants being developed by other actors.

How Banshee Stealer Operates

Banshee Stealer's functionality reveals the sophistication behind modern malware. Once installed, it:
● Steals system data: Targets browsers like Chrome, Brave, Edge, and Vivaldi, along with browser extensions for cryptocurrency wallets. It also exploits a Two-Factor Authentication (2FA) extension to capture sensitive credentials. Additionally, it collects software and hardware details, external IP addresses, and macOS passwords.
● Tricks users: Utilizes convincing pop-ups designed to look like legitimate system prompts to trick users into entering their macOS passwords.
● Evades detection: Employs anti-analysis techniques to avoid debugging tools and antivirus engines.
● Exfiltrates data: Sends stolen information to command-and-control servers via encrypted and encoded files.

Threat actors used GitHub repositories as a key distribution method for Banshee. These campaigns targeted macOS users with Banshee while simultaneously targeting Windows users with a different though already known malware called Lumma Stealer. Over three waves, malicious repositories were created to impersonate popular software and lure users into downloading the malware. These repositories often appeared legitimate, with stars and reviews to build trust before launching their malicious campaigns. Github site

Why This Matters to Businesses
Businesses must recognize the broader risks posed by modern malware, including costly data breaches that compromise sensitive information and damage reputations, targeted attacks on cryptocurrency wallets that threaten digital assets, and operational disruptions caused by stealthy malware that evades detection and inflicts long-term harm before being identified.

Lessons from the Banshee Stealer
Banshee's success underscores the evolving nature of cyber threats and the need for robust defenses. Since its source code was leaked in November 2024, Banshee Stealer-as-a-service operation has been officially shut down. However, CPR has identified multiple campaigns still distributing the malware through phishing websites. Whether these campaigns are being carried out by previous customers or the author's private group remains unclear.

Campaign Clusters
One notable update in the latest version of Banshee is the removal of its Russian language check. Previous malware versions terminated operations if they detected the Russian language, likely to avoid targeting specific regions. Removing this feature indicates an expansion in the malware's potential targets.

As cyber criminals continue to innovate, security solutions must evolve in tandem to provide comprehensive protection. Businesses and users alike must take proactive steps to defend against threats, leveraging advanced tools and fostering a culture of caution and awareness.
Check Point Research remains committed to uncovering and mitigating these risks. By staying informed and investing in robust cyber security measures, organizations can protect their data and maintain resilience in the face these threats.

MENAFN09012025005446012082ID1109071850