MacOS Infostealer "Banshee" Spotted Using Stolen Encryption Algorithm
The macOS infostealer "Banshee" has been spotted using a string encryption algorithm lifted from Apple's own XProtect anti-malware engine, a trick that helped it slip past antivirus detection. Banshee has been circulating since July, sold primarily through Russian cybercrime marketplaces as a $1,500 "stealer-as-a-service" for Macs. It is designed to harvest credentials from browsers including Google Chrome, Brave, Microsoft Edge, Vivaldi, Yandex, and Opera, and from browser extensions tied to cryptocurrency wallets such as Ledger, Atomic, Wasabi, Guarda, Coinomi, Electrum, and Exodus. It also collects details about the infected host, including software and hardware specifications, along with the password needed to unlock the system.
Banshee’s Detection and Spread
The original version was far from a perfect tool: it was widely detected by antivirus programs, in part because it shipped entirely in plaintext, with no obfuscation of its strings. Even so, in three waves of campaigns running from mid-October to early November, threat actors distributed the infostealer through GitHub repositories. The repositories promised cracked versions of popular software, such as Adobe programs and various image and video editing tools, and hid the malware behind generic file names like "Setup," "Installer," and "Update." The same cluster of activity also targeted Windows users with the widely used Lumma Stealer.
Phishing Campaigns and Leaked Banshee
The remaining campaigns spread Banshee through phishing sites of one form or another. There, the attackers disguised the malware as popular software, including Google Chrome, TradingView, Zegent, Parallels, Solara, CryptoNews, MediaKIT, and Telegram; visitors whose browser identified them as running macOS were served a download link. Now that Banshee's source code has been leaked, further and more varied campaigns are likely to follow. As Check Point Research's Antonis Terefos puts it, "Despite macOS traditionally being regarded as more secure, Banshee’s success demonstrates the importance for macOS users to remain vigilant and aware of the threats."