Researchers analyzed new versions of the Banshee macOS Stealer that initially evaded detection by most antivirus engines; analysis revealed that the malware employed a unique string encryption technique.
The encryption method was identical to that used by Apple’s XProtect antivirus engine for encrypting YARA rules within its binaries. By leveraging this shared encryption algorithm, Banshee obfuscated critical strings, hindering immediate detection by security solutions.
“As macOS continues to gain popularity, with over 100 million users globally, it’s becoming an increasingly attractive target for cyber criminals,” Check Point researchers added.
Banshee is a stealer malware that targets user credentials, browser data, and crypto wallets, and uses anti-analysis techniques such as forking and process creation to avoid detection.
It steals information from various browsers and browser extensions, including Chrome, Brave, Edge, Vivaldi, Yandex, and Opera, while it also targets specific crypto wallet extensions.
After the stolen data is compressed, it is XOR encrypted with the campaign ID, base64 encoded, and then exfiltrated to the command and control server.
The C&C server has gone through multiple iterations, from a Django-based server with a separate admin panel to a single FastAPI endpoint for bot communication. Currently, the server hosting the admin panel is hidden behind relay servers for increased stealth.
Check Point Research discovered a new version of Banshee Stealer targeting macOS users that was distributed through multiple phishing repositories pretending to offer cracked software.
The repositories were created weeks before the malware was pushed to them; once run, the malware steals data and sends it to the C&C server. The latest campaign uses a phishing website targeting macOS users and delivers the malware disguised as a Telegram download.
A threat actor known as @kolosain initially sold the Banshee macOS stealer for $2,999 on Telegram. Subsequently, they offered it as a service on XSS and Exploit forums for $1,500 per month.
The actor then recruited a limited number of skilled affiliates for a private group, offering a profit-sharing model. Following a leak of the original source code, the actor attempted to sell the entire project before closing the service.
The leak increased detection by antivirus software, but it also raised the likelihood that other actors would develop forks and new variants of the software.
A recent code update to the Banshee macOS infostealer, which involved string encryption, managed to avoid detection by antivirus software for more than two months.
Malicious actors, previously focused on Windows, are now actively targeting macOS with sophisticated malware, leveraging platforms like GitHub to distribute DMG files and unprotected archives.
This emphasizes the need for robust security solutions that can adapt to evolving threats, including proactive threat intelligence and timely updates to operating systems and applications.
Users must remain vigilant, exercise caution with unexpected communications, and prioritize cybersecurity awareness training to mitigate the risks associated with these threats.