Researchers recently examined new versions of the Banshee macOS Stealer that went unnoticed by most antivirus engines; analysis showed that the malware used a distinctive string-encryption method.
The scheme mirrored the one Apple's XProtect antivirus engine uses to encrypt the YARA rules embedded in its binaries. By reusing this algorithm, Banshee obscured key strings and delayed detection by security products.
“Given the increasing popularity of macOS, with a user base of over 100 million globally, it is now more appealing to cyber criminals,” said researchers at Check Point.
Banshee is an information stealer that harvests user credentials, browser data, and cryptocurrency wallets, and it uses evasion tactics such as forking and process creation to avoid detection.
It extracts data from various browsers and their extensions, including Chrome, Brave, Edge, Vivaldi, Yandex, and Opera, and specifically targets certain cryptocurrency wallet extensions.
After compressing the stolen data, the malware XOR-encrypts it with the campaign ID, base64-encodes the result, and sends it to the command-and-control server.
The command-and-control server has evolved over several stages, from a Django-based backend with a separate admin panel to a single FastAPI endpoint for bot communication. The server hosting the admin panel is now hidden behind relay servers for added stealth.
Check Point Research discovered a new version of the Banshee Stealer targeting macOS users, distributed through multiple phishing repositories disguised as cracked software.
These repositories were set up weeks before the malware was deployed; once running, the malware collects data and sends it to the command-and-control server. The latest campaign uses a phishing site to lure macOS users and serves the malware disguised as a Telegram download.
An actor known as @kolosain initially advertised the Banshee macOS stealer on Telegram for $2,999. It was later offered as a service on the XSS and Exploit forums for $1,500 per month.
They also recruited a small group of skilled affiliates into a private network under a profit-sharing arrangement. After the original source code leaked, they tried to sell the entire project, but eventually shut the service down.
The leak caused a surge in antivirus detections, but at the same time raised the likelihood of other actors creating forks and new variants of the software.
An update to the Banshee macOS infostealer that added string encryption kept it undetected by antivirus software for more than two months.
Cybercriminals who previously focused mainly on Windows are now actively targeting macOS with sophisticated malware, using platforms such as GitHub to distribute DMG files and unprotected archives.
This underscores the importance of robust security solutions that adapt to evolving threats, including proactive threat intelligence and timely updates to operating systems and applications.
End users should remain vigilant, be cautious with unsolicited communications, and prioritize cybersecurity training to reduce the risks posed by such threats.
The article “100 Million macOS Users At Risk – New Banshee Malware Attacks Bypassing Apple’s XProtect” was originally published on Cyber Security News.