Banshee, a macOS stealer linked to the Russian cybercriminal industry, has resurfaced with a dangerous update that borrows from Apple's own built-in anti-malware technology, making it harder to detect and more efficient at digital heists. The stealer has been continuously developed, leaked, reverse-engineered, and resurfaced with impressive capabilities.
The developers of this stealer are also expanding their business. In January 2025, they cut the price of the malware from $3,000 the previous year to just $1,500.
Researchers from Check Point published the results of their analysis of the updated Banshee on January 9. They note that for the preceding two months, security vendors had failed to spot this new Banshee version.
Techopedia interviewed security professionals and Apple-focused anti-malware companies while examining Banshee's features and how it makes use of Apple's XProtect string encryption.
The New Banshee on a Mac Can Do This
The latest Banshee build is fully functional and capable of stealing passwords and data from a variety of browsers, including Yandex, Opera, Vivaldi, Edge, Brave, and Chrome.
The malware also targets crypto wallets such as Exodus, Electrum, Coinomi, Guarda, Wasabi, Atomic, and Ledger, as well as multi-factor authentication (MFA) browser extensions.
Banshee doesn't stop there. It also collects system data, such as the external IP address and the hardware and applications running on the compromised computer. It can even display phony macOS system pop-up prompts to trick users into disclosing their macOS password.
Check Point researchers identified the new Banshee variant after its source code was recently leaked on XSS Forums. The updated version evaded detection by most antivirus engines for over two months.
The Check Point report reveals that after the source code was leaked, the Banshee stealer-as-a-service operation was shut down, but this appears to have been a distraction: the criminal gang continued distribution via phishing websites.
How Is Apple’s XProtect Anti-Virus Used by Banshee?
One of Apple's primary cybersecurity technologies is XProtect. Every Mac ships with it, and it is used to find malware. Much like antivirus signatures, XProtect relies on rules.
When security researchers find new malware in the wild, they write these rules, in XProtect's case in the YARA format. Companies such as Apple use these rules to detect new malware and stop it from running. Of course, criminals and cybersecurity specialists are locked in a never-ending game of cat and mouse.
Check Point researchers discovered that Banshee encrypts its strings with the same algorithm Apple uses for string encryption in its antivirus engine, XProtect; the researchers had originally relied on that encryption scheme to build a YARA rule for the antivirus system.
By reusing Apple's XProtect encryption, Banshee scrambles its strings on disk and decrypts them only during execution, bypassing standard static detection methods that look for recognizable strings. However, malware authors closely monitor published detection rules, allowing them to adapt and evade detection in future iterations using creative methods, according to Jaron Bradley, Director of Threat Labs at Jamf.
Because it uses the same encryption, Banshee can blend in with Apple's legitimate XProtect activity on Macs, according to Ngoc Bui, a cybersecurity expert at Menlo Security, a browser security company.
Banshee is distributed through malicious GitHub repositories. It is frequently deployed in criminal campaigns alongside the Windows-targeting Lumma Stealer. The operators set up phony web pages to lure victims and compromise their systems.
Ways to Protect Your Mac from Banshee
Despite its advanced engineering, Banshee still relies on social engineering: victims must click a suspicious link, navigate to a fake software download site, and download the malware themselves. Understanding how it works is therefore crucial for staying safe with files downloaded online.
Keeping your Mac updated is crucial, because cybersecurity researchers constantly discover new malware and create detection rules. These rules are integrated into XProtect, which detects malicious activity on Apple devices. Security teams, experts, and developers should review the full Check Point report, which includes a detailed technical analysis and indicators of compromise.
The Bottom Line
In 2024, Banshee was already a problem. With this latest edition, its attack success rate has only increased. The malware's ongoing development and distribution point to a highly skilled and well-funded criminal-as-a-service gang.
Apple no longer has a reputation for being immune to security threats. As businesses around the world adopt Apple environments, attackers are actively building a new generation of macOS stealers.