
New Banshee Stealer Variant Bypasses Antivirus with Apple’s XProtect-Inspired Encryption

The Hacker News by The Hacker News
January 18, 2025


Jan 09, 2025Ravie Lakshmanan

Cybersecurity researchers have uncovered a new, stealthier version of a macOS-focused information-stealing malware called Banshee Stealer.

“Once thought dormant after its source code leak in late 2024, this new iteration introduces advanced string encryption inspired by Apple’s XProtect,” Check Point Research said in a new analysis shared with The Hacker News. “This development allows it to bypass antivirus systems, posing a significant risk to over 100 million macOS users globally.”

The cybersecurity company said it detected the new version in late September 2024, with the malware distributed using phishing websites and fake GitHub repositories under the guise of popular software such as Google Chrome, TradingView, Zegent, Parallels, Solara, CryptoNews, MediaKIT, and Telegram.


Banshee Stealer was first documented in August 2024 by Elastic Security Labs. Offered under a malware-as-a-service (MaaS) model to other cybercriminals for $3,000 a month, it’s capable of harvesting data from web browsers, cryptocurrency wallets, and files matching specific extensions.

The malware operation suffered a setback in late November 2024 when its source code leaked online, prompting it to shut down its operations. However, Check Point said it has identified multiple campaigns still distributing the malware through phishing websites, although it’s currently not known if they are carried out by previous customers.

These campaigns target macOS users with Banshee while simultaneously targeting Windows users with another well-known stealer malware, Lumma Stealer, suggesting that the cybercriminals are looking to compromise as many systems as possible.

The new variant is notable for removing a Russian language check used to prevent infections of Macs that had set Russian as the default system language. Dropping the feature points to the possibility that the threat actors are looking to cast a wider net of potential targets.

Another crucial update is the use of a string encryption algorithm from Apple’s XProtect antivirus engine to obfuscate the plaintext strings used in the original version of Banshee Stealer. This had the desired effect of lowering detection by antivirus engines for over two months.

“Modern malware campaigns are exploiting common human vulnerabilities, not just platform-specific flaws,” Eli Smadja, security research group manager at Check Point Research, said in a statement shared with The Hacker News. “MacOS, like any other OS, is exposed to these evolving threats, especially as cybercriminals employ advanced techniques like social engineering and fake software updates.”


The development comes as unsolicited messages on Discord are being used to propagate various stealer malware families such as Nova Stealer, Ageo Stealer, and Hexon Stealer under the pretext of testing out a new video game.

“One of the main interests for the stealers seems to be Discord credentials which can be used to expand the network of compromised accounts,” Malwarebytes said. “This also helps them because some of the stolen information includes friends’ accounts of the victims.”
