Virus descriptions, 10.01.2025, 14:00
Cyber security researchers from the company Check Point have discovered a new version of a macOS data-stealing malware called Banshee Stealer, which was thought to be dormant after its source code was leaked in late 2024. However, Check Point Research found that the new version of the malware, whose string encryption is modelled on Apple's XProtect, is stealthier and more sophisticated than the previous one. This allows the malware to bypass antivirus systems, posing a significant risk to more than 100 million macOS users worldwide.
Check Point said its researchers discovered the new version in late September 2024, being distributed via phishing websites and fake GitHub repositories masquerading as popular software such as Google Chrome, Telegram and TradingView.
Banshee Stealer was first documented in August 2024, when Elastic Security Labs discovered that the stealer-as-a-service malware was being sold on hacker forums such as XSS and Exploit, and also through Telegram, for $3,000 per month, and that the malware was capable of collecting data from web browsers and cryptocurrency wallets, as well as files with certain extensions.
However, in late November 2024, the malware's source code was leaked on the XSS forum, which led to the shutdown of the malware's operations. Even so, Check Point said it has discovered multiple campaigns that continue to distribute the malware via phishing websites, although it is currently unknown whether they are carried out by previous or new users.
These campaigns target macOS users with Banshee Stealer, but also Windows users with another well-known malware, Lumma Stealer.
The new variant no longer has the Russian-language check that was used to prevent infections of Macs with Russian as the default system language. Abandoning this feature suggests that the cybercriminals want to increase the number of potential targets.
When Banshee Stealer infects a system, it steals system data, targeting web browsers such as Chrome, Brave, Edge, and Vivaldi, along with browser extensions for crypto wallets. The malware also abuses the web browser's 2FA extension to steal sensitive data, and collects software and hardware details, external IP addresses, and macOS passwords. Banshee uses convincing pop-ups designed to look like legitimate system prompts to trick users into entering their macOS passwords. It also uses anti-analysis techniques to evade debugging tools and anti-virus mechanisms.
The malware sends the stolen information to its command-and-control servers as encrypted, encoded files.
Despite macOS’s reputation as a secure operating system, the rise of sophisticated threats like Banshee MacOS Stealer serves as a reminder that no operating system is immune to threats.
Photo: Gabriela Gonzalez | Unsplash
Source: www.informacija.rs