The Banshee Stealer is a stealthy threat to the rising number of macOS users around the world, including those in Russian-speaking countries, according to Check Point researcher Antonis Terefos.
Banshee Stealer was first publicly profiled in August 2024, a month after its developer began selling it as-a-Service for the high price of $3,000 per month.
The malware runs on both macOS x86_64 and ARM64 architectures. It can steal credentials and cookies stored by popular browsers and by browser extensions for cryptocurrency wallets and two-factor authentication, and it also harvests the user’s macOS password so it can grab sensitive data stored in the system’s Keychain.
Initially, the malware was made to avoid infecting systems where Russian is the primary language, but according to Terefos, a variant without the Russian language check is now also being pushed to prospective victims.
Malware evolution and source code leak
“Through July to November, Banshee’s author operated a stealer-as-a-service on Telegram and on dark web forums such as XSS and Exploit and continued to improve the malware. During this time, the author hired two members to carry out campaigns targeting macOS users,” he explained.
But then the malware’s source code was leaked online in late November, and the individual or group behind it shut down their operations.
Before that, the developer increased the stealer’s stealthiness by introducing a string encryption technique used by XProtect, macOS’s signature-based anti-malware engine that spots known malware and variants. The trick worked for over two months – until the source code leak led to better detection by antivirus engines.
“Threat actors distributed this new version mainly via phishing websites and malicious GitHub repositories. In some GitHub campaigns, threat actors targeted both Windows and macOS users with Lumma and Banshee Stealer,” Terefos says.
But even after the leak, the threat persists: Check Point has identified multiple campaigns still distributing the malware through phishing websites, ostensibly offering popular software (Telegram, TradingView, Parallels, etc.) for download.
Phishing site targeting macOS (Source: Check Point Research)
“How a victim arrives at the phishing website is currently unclear; however, users seeking to download cracked or tools from illegitimate sources are the target of such attacks. Similar phishing websites have been found distributing constantly updated .dmg files,” Terefos added.
“It is unclear whether the remaining campaigns originate from previous customers or if the creator of Banshee is continuously updating the source code and using the malware as part of the private group hired in XSS to conduct macOS campaigns.”
But with the source code leaked, the fear is that other malware developers will base new macOS stealers on Banshee. With over 100 million macOS users out there, the pool of prospective targets is considerable and certainly enticing.