New year, new menaces for cyber defenders. Cybersecurity researchers have uncovered a novel variant of the notorious Banshee Stealer, which is increasingly targeting Apple users worldwide. This stealthy infostealer employs advanced evasion techniques, slipping past detection by borrowing the string-encryption approach used by Apple's XProtect antivirus engine. Going exclusively after macOS users, Banshee is capable of stealing browser credentials, login data, cryptocurrency wallets, and other sensitive information from files on the infected system.
Detect Apple macOS Banshee Stealer Malware
With more than 1 billion malware strains circulating the cyber threat arena, staying on guard against emerging threats is more critical than ever. Yet, as attack surfaces expand and infiltration tactics evolve, early intrusion detection remains a complex challenge.
To support security professionals, the SOC Prime Platform for collective cyber defense provides the world’s largest repository of detection algorithms for emerging threats, backed by advanced tools for threat detection and hunting. Stay on top of the latest Banshee Stealer attacks with a broad collection of curated detection algorithms. Hit the Explore Detection button below and immediately drill down to a relevant detection stack.
All the rules are mapped to the MITRE ATT&CK framework and compatible with 30+ SIEM, EDR, and Data Lake technologies. Moreover, all the detections are enriched with extensive metadata, including CTI references, attack timelines, triage recommendations, and more.
Additionally, security professionals might explore the whole set of detections addressing TTPs associated with Apple macOS Banshee Stealer malware in the Threat Detection Marketplace to analyze the attacks retrospectively.
To proceed with the investigation, security professionals might also launch instant hunts using IOCs provided in the corresponding Check Point research. Rely on SOC Prime’s Uncoder AI to create custom IOC-based queries in a matter of seconds and automatically work with them in your chosen SIEM or EDR environment. Previously exclusive to corporate clients, Uncoder AI is now open to individual researchers at its full power. Check out the details here.
Apple macOS Banshee Stealer Malware Analysis
As of 2024, with the number of macOS users reaching over 100 million, cybercriminals see a lucrative opportunity. Banshee Stealer’s creators wasted no time going after Apple users, refining stealthy tactics to bypass detection and harvest sensitive data undetected.
First revealed in August 2024, Banshee Stealer was sold on underground forums as malware-as-a-service for $3,000, capable of dumping browser data, stealing crypto wallets, and extracting files with specific extensions. Notably, security experts suggest that Banshee may be linked to Russian-speaking cybercriminal groups, as the malware appears to avoid targeting devices belonging to Russian users.
In November 2024, the source code for Banshee Stealer leaked online, leading to a swift shutdown of its operation but also opening doors for other malware developers. Between August and November last year, security researchers identified several Banshee Stealer campaigns targeting macOS users.
One of the more recent variants, uncovered and analyzed by Check Point, utilizes a unique evasion technique: it adopts a string encryption algorithm similar to the one Apple's XProtect uses to safeguard its own data. By keeping its strings obfuscated and decrypting them only at execution time, Banshee sidesteps traditional static detection methods that rely on matching plaintext strings in the binary. This approach not only reduces the chances of detection but may also cause macOS and third-party anti-malware tools to overlook the infection for a longer period.
According to the researchers, the campaign behind this newer Banshee Stealer variant is still ongoing, primarily spreading the samples through fraudulent GitHub repositories that deceive macOS users by impersonating legitimate software. The same threat actors are also targeting Windows users using Lumma Stealer.
Interestingly, the campaign operators have removed the Russian-language filter that previously blocked infections on systems with Russian set as the default language. This change suggests either a disconnect between the current operators and the original Banshee developers or a deliberate effort to expand the range of potential victims.
The continued evolution of the malware highlights the urgent need for heightened cybersecurity awareness and proactive defense. The SOC Prime Platform for collective cyber defense empowers organizations across various industries, as well as individual researchers, with advanced solutions to stay ahead of cyber threats, including emerging malware variants and the rising wave of APT attacks.
The post Detect Banshee Stealer: Stealthy Apple macOS Malware Evades Detection Using XProtect Encryption appeared first on SOC Prime.