NEWS DESK

Cracking the Code: How Banshee Stealer Targets macOS Users 

As macOS continues to gain popularity, with over 100 million users globally, it’s becoming an increasingly attractive target for cyber criminals. Despite its reputation as a secure operating system, the rise of sophisticated threats like the Banshee MacOS Stealer highlights the importance of vigilance and proactive cyber security measures. 

Check Point Research (CPR) has been monitoring this emerging malware, which targets macOS users. Here’s what businesses and users need to know. 

When Security Assumptions Fall Short 

Many macOS users assume that the platform's Unix-based architecture and historically lower market share make it a less attractive target for cyber criminals and therefore immune to malware. While macOS does include robust security features like Gatekeeper, XProtect, and sandboxing, the rise of the Banshee stealer serves as a reminder that no operating system is immune to threats.

This stealthy malware doesn’t just infiltrate; it operates undetected, blending seamlessly with normal system processes while stealing browser credentials, cryptocurrency wallets, user passwords, and sensitive file data. What makes Banshee truly alarming is its ability to evade detection. Even seasoned IT professionals struggle to identify its presence. Banshee stealer isn’t just another piece of malware—it’s a critical warning for users to reassess their security assumptions and take proactive measures to safeguard their data. 

The Evolution of Banshee Stealer: A New Breed of Threat 

The Banshee MacOS Stealer first came to public attention in mid-2024, advertised as a “stealer-as-a-service” on underground forums, such as XSS and Exploit, and Telegram. For $3,000, threat actors could purchase this malware to target macOS users. In late September, CPR identified a new, undetected version of Banshee featuring an interesting twist: its developers had “stolen” a string encryption algorithm from Apple’s own XProtect antivirus engine, which replaced the plain text strings used in the original version. 

This move likely allowed Banshee to evade detection by antivirus engines for over two months. During this time, threat actors distributed the malware through phishing websites and malicious GitHub repositories, posing as popular software tools such as Chrome, Telegram, and TradingView. 

Banshee's operations took a significant turn in November 2024 when its source code was leaked on the XSS underground forum and the service was shut down to the public. The leak exposed the malware's inner workings and led to better detection by antivirus engines, but it also raised concerns that other actors would use the code to develop new variants.

How Banshee Stealer Operates 

Banshee Stealer’s functionality reveals the sophistication behind modern malware. Once installed, it: 

  • Steals system data: Targets browsers like Chrome, Brave, Edge, and Vivaldi, along with browser extensions for cryptocurrency wallets. It also exploits a Two-Factor Authentication (2FA) extension to capture sensitive credentials. Additionally, it collects software and hardware details, external IP addresses, and macOS passwords.
  • Tricks users: Utilizes convincing pop-ups designed to look like legitimate system prompts to trick users into entering their macOS passwords.
  • Evades detection: Employs anti-analysis techniques to avoid debugging tools and antivirus engines.
  • Exfiltrates data: Sends stolen information to command-and-control servers via encrypted and encoded files.

Threat actors used GitHub repositories as a key distribution method for Banshee. These campaigns targeted macOS users with Banshee while simultaneously targeting Windows users with a different, already known malware called Lumma Stealer. Over three waves, malicious repositories were created to impersonate popular software and lure users into downloading the malware. These repositories often appeared legitimate, with stars and reviews to build trust before the malicious campaigns launched.

PR News Desk
