Check Point researchers discovered a new version of the Banshee macOS infostealer, which is distributed through phishing websites and fake GitHub repositories, often masquerading as popular software.
In August 2024, Russian crooks advertised a macOS malware called BANSHEE Stealer that can target both x86_64 and ARM64 architectures. The malware authors claimed it can steal a broad range of data from compromised systems, including browser data, cryptocurrency wallets, and around 100 browser extensions.
The first version of BANSHEE Stealer employed basic evasion techniques: it relied on the sysctl API to detect debugging and checked for virtualization by running a command to see whether “Virtual” appears in the hardware model identifier. Additionally, the malware avoided targeting systems where Russian is the primary language.
Researchers at Elastic Security Labs who first analyzed the malware confirmed it can steal keychain passwords and data from multiple browsers.
Banshee Stealer can target data from nine different browsers: Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, Opera, OperaGX, and Safari. The malware can collect cookies, logins and browsing history, but Elastic researchers noted that from Safari only cookies are collected by the AppleScript script in the current version.
The malicious code was advertised on cybercrime forums for $3,000 per month.
A version discovered by Check Point in September relied on Apple’s XProtect encryption algorithm for obfuscation, allowing it to evade antivirus detection until its source code leak in November.
In November 2024, the operators behind the MaaS shut down their operations and leaked Banshee’s source code online, researchers at VXunderground reported.
VXunderground archived the leak and published it on GitHub.
An important change in the latest version analyzed by Check Point is that it no longer includes the Russian language check, expanding the malware’s potential targets.
“One notable update in the latest version of Banshee is the removal of its Russian language check. Previous malware versions terminated operations if they detected the Russian language, likely to avoid targeting specific regions,” reads the report published by Check Point. “Removing this feature indicates an expansion in the malware’s potential targets.”
To mitigate threats like Banshee Stealer, experts recommend keeping operating systems and applications updated, avoiding interacting with suspicious emails or links, and prioritizing cybersecurity awareness among employees.
The report includes Indicators of Compromise (IoCs) for this new variant.