Check Point Research (CPR) has uncovered a sophisticated new version of the Banshee macOS Stealer malware, capable of stealing browser credentials, cryptocurrency wallets, and other sensitive data. This latest version, undetected for over two months, raises alarms for macOS users worldwide.
macOS has long been seen as a secure platform, but with over 100 million users globally it is attracting the attention of cybercriminals. Banshee Stealer's return highlights the growing risks to macOS users and the need for stronger defenses on these devices.
The malware's obfuscation is considerably improved: it blends in with system processes, making detection challenging even for experienced security practitioners. Its capabilities include stealing browser credentials, cryptocurrency wallet information, system data, and sensitive files. It also harvests data from browser-based two-factor authentication extensions.
How Banshee Evaded Detection
First identified in mid-2024 as a “stealer-as-a-service” offered on underground forums for $3,000, Banshee gained notoriety by targeting macOS users. By late September, a new version of the malware was seen using a string encryption algorithm taken from Apple’s XProtect antivirus engine—an update that likely allowed it to fly under the radar for months.
Threat actors distributed Banshee through phishing websites and fake GitHub repositories, impersonating popular software tools like Chrome and Telegram. These repositories seemed legitimate, complete with stars and reviews to fuel trust.
Expanding Its Reach
One key update removed a Russian language check present in earlier versions, which had caused the stealer to stop running on systems set to Russian. Dropping it broadens the potential target pool and indicates a shift in cybercriminal strategy toward casting a wider net, making vigilance vital for users and businesses.
In November 2024, Banshee’s source code was leaked on an underground forum. While this led to better detection rates by antivirus engines, it also raised red flags about new variants being developed by other malefactors.
How Banshee Operates
Banshee’s sophisticated functionality includes:
- Data theft: Exfiltrating information from browsers, cryptocurrency wallet extensions, and macOS passwords.
- User deception: Using convincing pop-ups that mimic legitimate system prompts to steal credentials.
- Detection evasion: Deploying anti-analysis techniques to avoid debugging tools and antivirus software.
- Data exfiltration: Sending stolen data to command-and-control servers via encrypted files.
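The credential-prompt technique in the list above is detectable from the host side. Below is an added example (not code from the article or from Check Point Research) that scans process listings for scripted macOS dialogs that ask for a masked answer and mention a password, then attaches the parent process so an analyst can see what spawned the prompt. It assumes the fake prompt is produced with osascript's `display dialog ... with hidden answer`, a common technique for macOS stealers that the article itself does not detail; the process listing is constructed for the example.

```python
import re

# Heuristic (an assumption, not a detail from the article): an osascript
# command that shows a dialog "with hidden answer" (masked text input)
# and talks about a password is the classic fake-credential prompt shape.
HIDDEN_ANSWER = re.compile(r"display\s+dialog\b.*\bwith\s+hidden\s+answer\b", re.I)
PASSWORD_WORDS = re.compile(r"\b(password|passcode|keychain|credentials?)\b", re.I)

# Constructed sample in the shape of `ps -eo pid,ppid,user,command` output.
# The Telegram path and the prompt text are illustrative, not captured data.
SAMPLE_PS = """\
  PID  PPID USER  COMMAND
  412     1 alice /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow console
 7709   901 alice /Users/alice/Downloads/Telegram.app/Contents/MacOS/Telegram
 7713  7709 alice osascript -e 'display dialog "macOS needs to access System Settings. Please enter your password." default answer "" with hidden answer with title "System Preferences" with icon caution'
 7720   901 alice /usr/bin/osascript -e 'display dialog "Reminder: meeting at 3pm" buttons {"OK"}'
"""


def parse_ps_line(line):
    """Parse one 'pid ppid user command' line; return None for the header or junk."""
    parts = line.split(None, 3)
    if len(parts) < 4 or not parts[0].isdigit() or not parts[1].isdigit():
        return None
    pid, ppid, user, command = parts
    return {"pid": int(pid), "ppid": int(ppid), "user": user, "command": command}


def is_fake_password_prompt(command):
    """True if the command line looks like a scripted, masked password dialog."""
    if "osascript" not in command:
        return False
    return bool(HIDDEN_ANSWER.search(command) and PASSWORD_WORDS.search(command))


def find_suspect_prompts(ps_output):
    """Return suspect prompt processes, each annotated with its parent's command line."""
    records = [r for r in map(parse_ps_line, ps_output.splitlines()) if r]
    by_pid = {r["pid"]: r for r in records}
    hits = []
    for rec in records:
        if is_fake_password_prompt(rec["command"]):
            parent = by_pid.get(rec["ppid"])
            hit = dict(rec)
            # A system-owned prompt would come from a system component; a parent
            # living under ~/Downloads is the kind of context worth escalating on.
            hit["parent_command"] = parent["command"] if parent else None
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in find_suspect_prompts(SAMPLE_PS):
        print(f"pid {hit['pid']} (parent: {hit['parent_command']}): {hit['command']}")
```

On a live host the same logic can be fed from `ps -eo pid,ppid,user,command` output or from EDR process-creation telemetry; the parent-process annotation is what separates a user-typed script from a prompt spawned by a freshly downloaded binary.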
macOS users were not the only targets. The same campaigns simultaneously deployed malware aimed at Windows systems. Over several waves, malicious GitHub repositories impersonated popular software to lure users into downloading the malware.
The Implications for Cybersecurity
The rise of this type of threat sends the message that no operating system is immune to sophisticated attacks, and users need to shake off any false sense of security. As macOS gains market share, its users must invest in robust solutions and adopt proactive cybersecurity measures to stay protected.
Check Point Research recommends increased vigilance, robust endpoint protection, and regular software updates to limit risks.
Get Rid of Legacy Assumptions
James Scobey, Chief Information Security Officer at Keeper Security, says Banshee Stealer is a clear indicator of the evolving threats targeting macOS systems, which are traditionally viewed as more secure than their PC counterparts and less susceptible to malware and viruses. “As attackers refine their techniques, including leveraging encryption methods inspired by native security tools, it’s evident that businesses can no longer rely on legacy assumptions about platform security. Sophisticated malware like Banshee Stealer can bypass traditional defenses, capitalizing on stolen credentials and user errors.”
Scobey believes “Privileged Access Management (PAM) is no longer a ‘nice-to-have’ – it’s an essential pillar of modern cybersecurity.” “By restricting access and ensuring that elevated permissions are granted only when necessary, PAM significantly reduces the attack surface for threats like Banshee. Combined with endpoint protection and robust password management, it creates a formidable barrier against such exploits. The time has come for businesses to shift from reactive to proactive security strategies. Malware like Banshee thrives on gaps in vigilance and access controls. By prioritizing advanced tools, user education, and layered defenses, organizations can stay ahead in the race against evolving cyber threats.”
A Shift for macOS users
“The return of Banshee Stealer malware, which has improved its capability to evade antivirus software and steal confidential data, represents a significant risk for organizations using macOS devices,” adds Eric Schwake, Director of Cybersecurity Strategy at Salt Security. “This malware is designed to attack browsers, cryptocurrency wallets, and user files, reflecting the rising sophistication of threats to macOS users.”
Despite the common belief that Macs offer greater security, Schwake says this incident highlights how organizations must adopt strong security measures across all devices, independent of their operating systems. This entails implementing endpoint security solutions, enforcing strict password policies, educating staff about phishing and malware risks, and ensuring all software is regularly updated with the latest security patches. “By adopting a proactive stance on macOS security, organizations can lessen the risk from evolving threats like Banshee Stealer and safeguard their essential data and resources.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.