Banshee Stealer: A Stealthy macOS Information-Stealing Malware
Introduction
Cybersecurity researchers have uncovered a new, stealthier version of a macOS-focused information-stealing malware called Banshee Stealer. This malware is capable of harvesting data from web browsers, cryptocurrency wallets, and files matching specific extensions.
Background
Banshee Stealer was first documented in August 2024 by Elastic Security Labs. It is offered under a malware-as-a-service (MaaS) model to other cybercriminals for $3,000 a month. The malware operation suffered a setback in late November 2024 when its source code leaked online, prompting it to shut down its operations. However, Check Point said it has identified multiple campaigns still distributing the malware through phishing websites, although it’s currently not known if they are carried out by previous customers.
New Variant
The new variant of Banshee Stealer is notable for removing a Russian language check that the original used to avoid infecting Macs with Russian set as the default system language. Dropping this check suggests that the threat actors are looking to cast a wider net of potential targets.
Another crucial update is the use of a string encryption algorithm from Apple’s XProtect antivirus engine to obfuscate the plaintext strings used in the original version of Banshee Stealer. This had the desired effect of lowering detection by antivirus engines for over two months.
Targeting macOS Users
The new variant is distributed in campaigns that target macOS users with Banshee while simultaneously targeting Windows users with another well-known stealer, Lumma Stealer. This suggests that the cybercriminals are looking to compromise as many systems as possible, regardless of platform.
Exploiting Human Vulnerabilities
Modern malware campaigns are exploiting common human vulnerabilities, not just platform-specific flaws. As Check Point Research’s Eli Smadja said, "MacOS, like any other OS, is exposed to these evolving threats, especially as cybercriminals employ advanced techniques like social engineering and fake software updates."
Propagation via Discord
The development comes as unsolicited messages on Discord are being used to propagate various stealer malware families such as Nova Stealer, Ageo Stealer, and Hexon Stealer under the pretext of testing out a new video game.
Stolen Information
One of the main interests for these stealers seems to be Discord credentials, which can be used to expand the network of compromised accounts. This also benefits the attackers because the stolen information includes the accounts of the victims' friends.
Conclusion
The new variant of Banshee Stealer is a significant threat to macOS users, and it's essential to stay vigilant and take the necessary precautions to protect your systems and data.