Summary
The new Banshee macOS Stealer variant copies a string-encryption algorithm from Apple's own XProtect engine, which helped it slip past antivirus detection for more than two months.

This malware targets macOS users through phishing sites and GitHub repositories by disguising itself as popular software.

Taking precautions now, before an infection, is the only reliable way to avoid falling victim to attacks like this one.

While it's long been believed that Windows devices are more susceptible to malware and viruses, this doesn't mean that Apple devices are strangers to such threats. In fact, as macOS's user base grows rapidly, the operating system is becoming an increasingly popular target for malware attacks.

According to security researchers at Check Point Research (CPR), a new iteration of the Banshee macOS Stealer has emerged, capable of extracting sensitive information like system passwords, browser credentials, and cryptocurrency wallets.

New Banshee macOS Stealer variant blends seamlessly into the system

The Banshee macOS Stealer first caught the public eye in mid-2024, advertised as a "stealer-as-a-service" on platforms like Telegram. Check Point researchers reported that other cybercriminals could buy access to the malware for $3,000 and point it at macOS users of their choosing.

The malware's latest iteration appeared in September 2024, but with a twist. The developers had copied a string encryption algorithm from XProtect, Apple's built-in malware-detection engine, which likely helped the variant remain undetected by antivirus engines for over two months: strings obfuscated with Apple's own scheme look nothing like the packers and encoders that signatures are written for. Although the service was shut down after the malware's source code leaked on underground forums, the damage had already been done during its undetected run.

The malware, often disguised as well-known software like Google Chrome, Telegram, and TradingView, was distributed through phishing websites and malicious GitHub repositories. Once it made its way onto a Mac, it passed for legitimate software closely enough that detection was difficult even for seasoned IT professionals.

The malware uses pop-ups that mimic system prompts to trick macOS users into entering their system password (the same password that unlocks the login Keychain). It harvests data from browsers like Chrome and Brave, including browser extensions for cryptocurrency wallets and two-factor authentication (2FA) extensions, and it also records details such as the victim's external IP address.
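The fake password prompt is the step a defender can most easily watch for. The article does not say how Banshee draws the dialog; the example below, which is added here and is not Banshee's code or Check Point's detection logic, assumes the mechanism macOS infostealers usually use, an AppleScript `display dialog ... with hidden answer` executed through `osascript`, and scores process-execution events for it. The event records are constructed for this example in the shape an endpoint agent might emit; the field names (`parent_signing_id`, `parent_is_platform_binary`) are assumptions, not any particular product's schema.

```python
"""Spot fake password prompts in process-execution telemetry (added example)."""
import re

# Inline AppleScript that draws a text field whose input is hidden: a password box.
HIDDEN_ANSWER = re.compile(r"display\s+dialog\b.*?\bwith\s+hidden\s+answer\b", re.I | re.S)
# Inline AppleScript that triggers the real macOS admin-credential dialog.
ADMIN_PRIV = re.compile(r"do\s+shell\s+script\b.*?\bwith\s+administrator\s+privileges\b", re.I | re.S)
# Wording that imitates an Apple-originated request.
SYSTEM_LURE = re.compile(r"macos|system\s+(?:settings|preferences)|keychain|icloud|apple\s+id", re.I)


def inline_script(args):
    """Join every `-e <snippet>` argument. Scripts passed as files are not visible here."""
    parts = []
    for i, a in enumerate(args):
        if a == "-e" and i + 1 < len(args):
            parts.append(args[i + 1])
    return "\n".join(parts)


def score_event(event):
    """Return (score, reasons) for one execution record; 0 means nothing of interest."""
    if not event["path"].endswith("/osascript"):
        return 0, []
    script = inline_script(event["args"])
    score, reasons = 0, []
    if HIDDEN_ANSWER.search(script):
        score += 50
        reasons.append("osascript draws a hidden-answer (password) dialog")
    elif ADMIN_PRIV.search(script):
        score += 40
        reasons.append("osascript requests administrator privileges")
    else:
        return 0, []
    if SYSTEM_LURE.search(script):
        score += 30
        reasons.append("dialog text imitates a system request")
    # A signing ID is attacker-chosen for ad-hoc signed binaries, so require the
    # platform-binary flag as well before treating the parent as Apple's own.
    parent_signing = event.get("parent_signing_id", "")
    if not (event.get("parent_is_platform_binary") and parent_signing.startswith("com.apple.")):
        score += 20
        reasons.append(f"parent {event.get('parent_path')} is not an Apple platform binary")
    return score, reasons


def severity(score):
    return "high" if score >= 80 else "medium" if score >= 50 else "low" if score > 0 else None


def scan(events):
    findings = []
    for e in events:
        s, reasons = score_event(e)
        if s:
            findings.append({"severity": severity(s), "score": s,
                             "parent": e.get("parent_path"), "reasons": reasons})
    return findings


# Constructed sample events; nothing here is captured from real Banshee activity.
SAMPLE_EVENTS = [
    # A harmless dialog run by a user from a shell: no password field.
    {"path": "/usr/bin/osascript", "args": ["osascript", "-e", 'display dialog "Build finished"'],
     "parent_path": "/bin/zsh", "parent_signing_id": "com.apple.zsh", "parent_is_platform_binary": True},
    # Stealer pattern: a lookalike "Chrome" spawns a system-looking password prompt.
    {"path": "/usr/bin/osascript",
     "args": ["osascript", "-e",
              'display dialog "macOS needs to access System Settings. Enter your password:" '
              'default answer "" with hidden answer'],
     "parent_path": "/Users/alice/Downloads/Google Chrome.app/Contents/MacOS/Google Chrome",
     "parent_signing_id": "com.google.Chrome", "parent_is_platform_binary": False},
    # An install script using the genuine admin dialog from an Apple shell: low priority.
    {"path": "/usr/bin/osascript",
     "args": ["osascript", "-e",
              'do shell script "installer -pkg /tmp/x.pkg -target /" with administrator privileges'],
     "parent_path": "/bin/bash", "parent_signing_id": "com.apple.bash", "parent_is_platform_binary": True},
    # Unrelated process execution.
    {"path": "/bin/ls", "args": ["ls", "-la"],
     "parent_path": "/bin/zsh", "parent_signing_id": "com.apple.zsh", "parent_is_platform_binary": True},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["score"], f["parent"])
        for r in f["reasons"]:
            print("   -", r)
```

The scoring deliberately does not exempt Apple-signed parents outright: a stealer launched from a Terminal session has `zsh` as its parent, so the parent check only adds weight, while the hidden-answer dialog itself is what earns the alert. A script delivered as a file rather than `-e` arguments would need the file contents collected separately.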

Always stay vigilant

When the malware's source code was leaked on underground forums, antivirus vendors gained a chance to study its tactics and improve their detection of similar threats. The same leak, however, put the malware's inner workings in the hands of other cybercriminals, and it is a safe bet that new variants will be built on it.

To stay protected from such attacks in the future, take precautions now, no matter how secure you think your Mac is. Keep the protections macOS ships with (Gatekeeper, XProtect and automatic security updates) switched on, download software only from the vendor's own site or the App Store rather than from links in messages or unfamiliar GitHub repositories, and treat any app that asks for your password in a pop-up as suspect. Apple also regularly releases software updates with security patches for known threats, so keep your Mac on the latest macOS version.
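One concrete way to "double-check" a download before opening it is to compare the app's code-signing Team ID with the vendor's, since a lookalike can copy an app's name, icon and bundle identifier but cannot sign with the vendor's Developer ID certificate. The example below is added here and is not from the article or from Apple; it parses the text that `codesign -dv --verbose=4 <app>` prints (on stderr) and checks it against an expected Team ID. Google's Team ID (`EQHXZ8M8AV`) is its public Developer ID team; the other entries in the allowlist are left for the reader to fill in from an install they trust. All three `codesign` outputs below are constructed for this example, and "Example Corp" with team `ABCDE12345` is fictional.

```python
"""Verify a downloaded app's code signature against the vendor you expect (added example)."""
import subprocess

# Team IDs of vendors the stealer imitates. Only Google's is filled in; take the
# rest from a known-good install, never from the download you are checking.
KNOWN_TEAM_IDS = {
    "Google Chrome.app": "EQHXZ8M8AV",
}


def parse_codesign(output):
    """Turn codesign's key=value lines into a dict; Authority lines become a list (leaf first)."""
    info = {}
    for line in output.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "Authority":
            info.setdefault("Authority", []).append(value)
        else:
            info[key] = value
    return info


def check_signature(app_name, codesign_output):
    """Return (ok, reason). ok is True only for a Developer ID signature from the expected team."""
    expected = KNOWN_TEAM_IDS.get(app_name)
    if expected is None:
        return False, f"no known Team ID for {app_name}; cannot verify"
    if "not signed at all" in codesign_output:
        return False, "unsigned: Gatekeeper would refuse it unless overridden"
    info = parse_codesign(codesign_output)
    if info.get("Signature") == "adhoc" or info.get("TeamIdentifier", "not set") == "not set":
        return False, "ad-hoc signature: no developer identity, anyone can produce this"
    authorities = info.get("Authority", [])
    if not any(a.startswith("Developer ID Application:") for a in authorities):
        return False, f"not Developer ID signed (chain: {authorities})"
    team = info["TeamIdentifier"]
    if team != expected:
        return False, f"Team ID {team} does not match {app_name}'s expected {expected}"
    return True, f"signed by expected Team ID {team}"


def codesign_info(app_path):
    """Run codesign on a real bundle (macOS only); its report goes to stderr."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", app_path],
                          capture_output=True, text=True)
    return proc.stderr + proc.stdout


# Constructed sample: what a genuine Chrome install reports.
GENUINE_CHROME = """Executable=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
Identifier=com.google.Chrome
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Google LLC (EQHXZ8M8AV)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EQHXZ8M8AV
"""

# Constructed sample: a lookalike that copied the bundle identifier but is only ad-hoc signed.
LOOKALIKE_CHROME = """Executable=/Users/me/Downloads/Google Chrome.app/Contents/MacOS/Google Chrome
Identifier=com.google.Chrome
Format=app bundle with Mach-O thin (arm64)
Signature=adhoc
TeamIdentifier=not set
"""

# Constructed sample: properly Developer ID signed, but by a fictional third party.
OTHER_VENDOR = """Executable=/Users/me/Downloads/Google Chrome.app/Contents/MacOS/Google Chrome
Identifier=com.google.Chrome
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

if __name__ == "__main__":
    for label, sample in [("genuine", GENUINE_CHROME), ("lookalike", LOOKALIKE_CHROME),
                          ("other vendor", OTHER_VENDOR)]:
        ok, reason = check_signature("Google Chrome.app", sample)
        print(f"{label:12} {'OK ' if ok else 'BAD'} {reason}")
```

On a real Mac, pass `codesign_info("/path/to/App.app")` to `check_signature`, and pair it with `spctl -a -vv App.app` to confirm Gatekeeper's notarization verdict; a bundle that fails either check should not be opened, whatever its name and icon say.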