Check Point Research has identified a new version of the Banshee macOS stealer, a malware linked to Russian-speaking cyber criminals that targets macOS users. This updated version of the Banshee stealer uses the same string encryption algorithm as Apple's XProtect antivirus engine, allowing it to evade detection. The stealer operates as a 'stealer-as-a-service' and is used to steal browser credentials, cryptocurrency wallets, user passwords, and sensitive file data. It was initially distributed through malicious GitHub repositories and phishing websites which also targeted Windows users with Lumma Stealer.
The Banshee malware has seen a number of changes, with its original source code being leaked on underground forums, which ultimately led to the author shutting down their operations. Despite the shutdown, threat actors continue to distribute this new version of Banshee via phishing websites. The malware is designed to infiltrate macOS systems by using anti-analysis methods to evade debugging tools and antivirus engines by blending into legitimate processes. It has the ability to compromise cryptocurrency wallets, steal sensitive data, and deceive users with fake pop-ups to reveal their passwords.