The new Banshee Stealer variant targets macOS-based devices

January 27, 2025
Banshee Stealer macOS Apple Computers Malware

A more elusive variant of the Banshee Stealer has emerged: recent research uncovered a campaign that uses it against macOS devices.

According to reports, the new strain incorporates string encryption borrowed from Apple’s XProtect antivirus engine. The upgrade lets the malware evade antivirus detection, putting over 100 million macOS users worldwide at risk.

The researchers claimed that they initially discovered the new malware strain in September 2024. The variant allegedly propagated through phishing websites and bogus GitHub repositories posing as major software like Google Chrome, TradingView, Zegent, Parallels, Solara, CryptoNews, MediaKIT, and Telegram.

The Banshee Stealer malware could collect various types of information.

Investigations initially documented Banshee Stealer in August last year. Reports stated that it can harvest data from web browsers, crypto wallets, and files with specified extensions, and that it is offered to other criminals on a malware-as-a-service (MaaS) basis.

Other malicious actors could rent the infostealer for $3,000 per month. However, the operation suffered a setback in late November 2024 when its source code was leaked publicly, forcing it into a hiatus.

Still, researchers have spotted multiple efforts to keep distributing the malware via phishing websites, although it is unclear whether former customers are behind them.

These recent campaigns use Banshee against macOS users while also targeting Windows users with another notorious infostealer, Lumma Stealer, showing that the operators want to compromise as many systems as possible.

Notably, the updated variant removes a Russian-language check that previously prevented infections on Macs with Russian set as the default system language. Dropping that check suggests the threat actors are trying to cast a wider net of potential targets.

Another significant change is the adoption of a string encryption method taken from Apple’s XProtect antivirus engine to hide the plaintext strings that the original Banshee Stealer carried. This tactic kept the malware undetected by antivirus engines for at least two months.
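To make the detection point concrete, here is an added example (not code from the article or from the cited research) that models why a plaintext string signature stops matching once a sample encrypts its embedded strings, and why a memory or runtime scan still sees them: any program must decode its strings before using them. The indicator strings, the toy "binary image", and the repeating-key XOR are all constructed stand-ins; the article does not describe the real scheme.

```python
# Constructed indicator strings of the kind a plaintext signature might match on
# (hypothetical artefact names a browser/wallet stealer could reference; not
# Banshee's actual strings).
INDICATORS = [b"Login Data", b"wallet.dat", b"Cookies"]

# Stand-in obfuscation key (constructed). A repeating-key XOR is used here only
# to model "the strings are no longer present in plaintext on disk"; the real
# scheme used by the malware is not described in the article.
STANDIN_KEY = b"\x5a\xa5\x3c"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample(obfuscated: bool) -> bytes:
    """Construct a toy 'binary image': zero padding around a NUL-separated string table."""
    table = b"".join(
        (xor_bytes(s, STANDIN_KEY) if obfuscated else s) + b"\x00" for s in INDICATORS
    )
    return b"\x00" * 32 + table + b"\x00" * 32


def static_hits(image: bytes) -> list[str]:
    """What a plaintext string signature sees when scanning the file on disk."""
    return [s.decode() for s in INDICATORS if s in image]


def runtime_hits(image: bytes, key: bytes) -> list[str]:
    """What a memory scan sees after the program has decoded its own string table.

    A program that ships encrypted strings must decode them before use, so the
    plaintext reappears in process memory even though it is absent on disk.
    Here the decode step is modelled by applying the stand-in key to each record.
    """
    decoded = [xor_bytes(seg, key) for seg in image.split(b"\x00") if seg]
    return [s.decode() for s in INDICATORS if s in decoded]


def printable_ratio(image: bytes) -> float:
    """Share of non-padding bytes that are printable ASCII.

    A crude static hint: a string table that is encrypted yields noticeably
    fewer printable bytes than real text, even when no known string matches.
    """
    body = image.strip(b"\x00")
    if not body:
        return 0.0
    return sum(32 <= b < 127 for b in body) / len(body)


if __name__ == "__main__":
    for label, obfuscated in (("plaintext build", False), ("encrypted-strings build", True)):
        img = build_sample(obfuscated)
        print(f"{label}: static hits={static_hits(img)}, "
              f"runtime hits={runtime_hits(img, STANDIN_KEY)}, "
              f"printable ratio={printable_ratio(img):.2f}")
```

The takeaway for defenders is in the two scan functions: once strings are encrypted, `static_hits` on the on-disk image returns nothing, while `runtime_hits` (standing in for a memory scan or emulation of the decode routine) recovers every indicator, which is why behavioural and in-memory detection matter more than file-based string signatures against this kind of change.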

These discoveries follow a separate campaign in which threat actors used unsolicited Discord messages to spread numerous stealer malware families under the guise of testing a new video game.

Users should avoid downloading software without first verifying its legitimacy, to avoid falling victim to the wave of infostealers circulating in the cybercriminal landscape.
