A new, advanced version of the Banshee Stealer malware has been discovered, targeting over 100 million macOS users globally. The malware, which was previously thought to be dormant after its source code leak in late 2024, has introduced a stealthier approach inspired by Apple’s XProtect.
Researchers at Check Point Research detected the new iteration in late September 2024 and found that it uses advanced string encryption to evade antivirus systems. This lets the malware slip past static security checks and poses a significant risk to users.
Banshee Stealer was first documented in August 2024 by Elastic Security Labs and is offered as a malware-as-a-service model for $3,000 a month. The malware is capable of harvesting data from web browsers, cryptocurrency wallets, and files with specific extensions.
The new variant has removed a Russian language check that previously prevented infections on Macs set to Russian, suggesting the threat actors are expanding their target scope. It also borrows a string encryption algorithm from Apple’s XProtect antivirus engine to obfuscate its plaintext strings, making the binary harder for antivirus engines to detect.
According to Eli Smadja, security research group manager at Check Point Research, “Modern malware campaigns are exploiting common human vulnerabilities, not just platform-specific flaws.” This new variant is no exception, using social engineering tactics and fake software updates to spread.
The development comes as unsolicited messages on Discord are being used to propagate stealer malware families. The main interest of these stealers appears to be Discord credentials, which let the attackers expand their network of compromised accounts and yield valuable stolen information, including the accounts of the victims’ friends.
Source: https://thehackernews.com/2025/01/new-banshee-stealer-variant-bypasses.html