Banshee stealer evades detection using Apple XProtect encryption algo


A new version of the Banshee info-stealing malware for macOS has been evading detection over the past two months by adopting string encryption from Apple’s XProtect.

Banshee is an information stealer focused on macOS systems. It emerged in mid-2024 as a stealer-as-a-service available to cybercriminals for $3,000.

Its source code was leaked on the XSS forums in November 2024, leading to the project shutting down for the public and creating an opportunity for other malware developers to improve on it.

According to Check Point Research, which discovered one of the new variants, the encryption method present in Banshee allows it to blend in with normal operations and to appear legitimate while collecting sensitive information from infected hosts.

Another change is that it no longer avoids systems belonging to Russian users.

Current Banshee stealer campaign clusters
Source: Check Point

XProtect encryption

Apple’s XProtect is the malware detection technology built into macOS. It uses a set of rules, similar to antivirus signatures, to identify and block known malware.

The latest version of Banshee Stealer adopted a string encryption algorithm that XProtect itself uses to protect its data.

By scrambling its strings and only decrypting them during execution, Banshee can evade standard static detection methods.

It is also possible that macOS and third-party anti-malware tools treat the particular encryption technique with less suspicion, allowing Banshee to operate undetected for longer periods.
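The evasion described above is a static-analysis problem: once the readable strings are gone from the binary, any signature that keyed on them no longer fires. A cheap triage heuristic defenders use against string encryption is to look for the combination of few readable strings and large high-entropy regions, which is what runtime-decrypted string tables look like on disk. The script below is an added example, not code from the article or from Check Point; the two byte-string samples, the keyword list, the 256-byte window and the 7.0-bit threshold are constructed assumptions for illustration.

```python
import math
import re
from collections import Counter

# Keywords a static scanner might expect to see in cleartext in an unobfuscated
# stealer (constructed list; the article names browsers, passwords and wallets).
INDICATOR_KEYWORDS = ("login data", "chrome", "wallet", "keychain")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Mimic the `strings` tool: runs of printable ASCII at least min_len long."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given buffer; 8.0 is the maximum (uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_ratio(data: bytes, window: int = 256, threshold: float = 7.0) -> float:
    """Fraction of non-overlapping windows whose entropy exceeds the threshold.

    A window of 256 bytes is the smallest that can reach the full 8 bits, which
    keeps the threshold meaningful; smaller windows cap out lower.
    """
    if len(data) < window:
        return 0.0
    windows = [data[i:i + window] for i in range(0, len(data) - window + 1, window)]
    high = sum(1 for w in windows if shannon_entropy(w) > threshold)
    return high / len(windows)


def triage(data: bytes, keywords=INDICATOR_KEYWORDS, window: int = 256) -> dict:
    """Flag a sample whose strings look encrypted: few keyword hits, lots of entropy.

    This is a triage heuristic only: compressed or legitimately encrypted
    resources also raise entropy, so a hit is a reason to look closer, not a verdict.
    """
    strings = extract_strings(data)
    ratio = high_entropy_ratio(data, window)
    hits = sorted({k for s in strings for k in keywords if k in s.lower()})
    obfuscated = ratio >= 0.5 and not hits
    return {
        "string_count": len(strings),
        "high_entropy_ratio": round(ratio, 3),
        "keyword_hits": hits,
        "verdict": "likely obfuscated strings" if obfuscated else "readable strings present",
    }


# Constructed sample 1: an unobfuscated binary fragment with cleartext strings
# separated by NUL bytes, padded with zeros on both sides.
PLAIN_STRINGS = [
    b"/Library/Application Support/Google/Chrome",
    b"Login Data",
    b"Mozilla/5.0 (Macintosh)",
    b"wallet",
]
PLAIN_SAMPLE = b"\x00" * 256 + b"\x00".join(PLAIN_STRINGS) + b"\x00" * 256


def _max_entropy_block() -> bytes:
    """Deterministic stand-in for an encrypted string table.

    An affine permutation of 0..255 contains every byte value exactly once, so
    its entropy is exactly 8.0 bits, and consecutive values are spaced so that no
    run of four printable bytes occurs. Real ciphertext would look similar to
    `strings`, but this keeps the example reproducible without a key or RNG.
    """
    return bytes((i * 167 + 13) % 256 for i in range(256))


# Constructed sample 2: same padding, but the string table has been replaced by
# four blocks that only a running process could turn back into text.
OBFUSCATED_SAMPLE = b"\x00" * 256 + _max_entropy_block() * 4 + b"\x00" * 256


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        print(name, triage(sample))
```

The two samples are sized so that the sliding windows line up with the padding, which makes the numbers easy to check by hand: the plain fragment yields several readable keyword hits and no high-entropy windows, while the obfuscated one yields no extractable strings and four of six windows at the 8-bit maximum. On a real Mach-O the same functions are run per load command segment rather than over the whole file, so that code and string sections are judged separately.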

Stealing sensitive data 

The latest Banshee stealer variant is primarily distributed via deceptive GitHub repositories targeting macOS users through software impersonation. The same operators also target Windows users, but with Lumma Stealer.

Malware-distributing page hosted on GitHub
Source: Check Point

Check Point reports that while the Banshee malware-as-a-service operation has remained down since November, multiple phishing campaigns continued to distribute the malware since the source code leaked.

The infostealer targets data stored in popular browsers (e.g. Chrome, Brave, Edge, and Vivaldi), including passwords, two-factor authentication extensions, and cryptocurrency wallet extensions.

It also collects basic system and networking information about the host and serves victims deceptive login prompts to steal their macOS passwords.
