This devious macOS malware is evading capture by using Apple's own encryption


  • Security researchers from Check Point Research recently found a new variant of the Banshee malware
  • The new variant uses encryption that allows it to blend with regular macOS operations
  • The campaign went unabated for two months

Cybersecurity researchers from Check Point Research recently uncovered a new version of the Banshee infostealer, capable of bypassing Apple’s built-in malware protection to grab sensitive data.

Banshee is a macOS-focused malware which emerged in mid-2024, designed to extract sensitive information such as system details, browser data, and cryptocurrency wallet information. Initially sold as a stealer-as-a-service for $3,000 per month, its source code was leaked in November 2024, leading to its broader dissemination.

Despite the operation being shut down, Banshee lived on, developed and distributed by various hacking collectives.

Distribution through GitHub

Now, the new version seems somewhat more dangerous and was most likely built by a different threat actor. According to the researchers, Banshee now uses string encryption taken from Apple’s XProtect, allowing it to blend in with normal device operations and avoid detection. XProtect is macOS's built-in antivirus system, which identifies and blocks known malware using regularly updated signature-based detection.

Furthermore, it no longer avoids Russian users, which could signal that it was built by a different team. This latest campaign seems to have started in September 2024, and continued unobserved for roughly two months.

While it is impossible to know exactly how many devices are infected with Banshee, we do know that it’s being distributed via GitHub repositories. Threat actors are impersonating legitimate software, and are betting on software developers being careless when downloading content from the open-source platform.

Check Point says that the same operators are also going after Windows users, but through Lumma Stealer, not Banshee. The researchers also stressed that macOS continues to gain popularity, thus becoming an increasingly attractive target.

“Despite its reputation as a secure operating system, the rise of sophisticated threats like the Banshee MacOS Stealer highlights the importance of vigilance and proactive cyber security measures,” they concluded.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
