The rise of macOS as a popular operating system has made it an increasingly attractive target for cybercriminals, and the emergence of the new Banshee macOS Stealer highlights just how real this threat has become.
First discovered in mid-2024, Banshee has quickly evolved into a significant danger, capable of stealing browser credentials, cryptocurrency wallet data, system passwords, and other sensitive information from Mac systems. A new version, first detected in September 2024 by Check Point Research, remained undetected for over two months by cleverly incorporating encryption algorithms from XProtect, Apple’s built-in antimalware tool, effectively disguising itself.
Distributed through phishing websites and fake GitHub repositories, Banshee often impersonates legitimate software like Google Chrome or Telegram to deceive users into downloading malicious files.
Once installed, the malware targets browsers such as Chrome and Brave, extracting credentials, cryptocurrency wallet information, and other critical data. It employs convincing fake system pop-ups to trick users into entering their macOS passwords and exfiltrates stolen information via encrypted channels.
With macOS usage exceeding 100 million users worldwide, Banshee is a reminder of the importance of threat awareness and of having effective cybersecurity protections in place, especially for macOS users, who have historically faced fewer threats than their Windows counterparts. As cyberattacks grow more sophisticated, no platform is completely safe.
Why It Matters: The Banshee Stealer malware underscores the increasing risks posed by sophisticated malware targeting macOS systems, which have traditionally been considered secure. By exploiting Apple’s XProtect encryption to evade detection and using phishing campaigns and fake GitHub repositories to distribute malicious files, Banshee reveals vulnerabilities not only in technical defenses but also in user awareness. Its ability to steal sensitive data, including passwords, wallets, and two-factor authentication credentials, reinforces the growing need for proactive security measures as macOS adoption continues to expand globally.
- Evasion Through Apple’s XProtect Encryption: The latest Banshee version employs a string encryption algorithm stolen from Apple’s XProtect, effectively masking its malicious activity as legitimate system operations. This sophisticated technique helped it avoid detection for over two months.
- Phishing and GitHub Repository Distribution: Threat actors spread Banshee via fake GitHub repositories and phishing campaigns. These repositories mimicked legitimate software tools, such as Chrome and Telegram, with fake stars and reviews designed to lure unsuspecting users into downloading the malware.
- Data Exfiltration Capabilities: Once installed, Banshee targets multiple browsers, including Chrome and Brave, to extract sensitive information. It also exploits browser extensions for cryptocurrency wallets and two-factor authentication, capturing highly valuable credentials.
- Global Expansion of Targets: A previous version of the malware avoided attacking systems with Russian language settings. The latest variant removes this restriction, signaling an intent to cast a wider net of victims.
Go Deeper -> Cracking the Code: How Banshee Stealer Targets macOS Users – Check Point