How Banshee Stealer Exploits Apple XProtect Encryption. Here’s a Quick Look at What to Know


A new version of the Banshee info-stealing malware for macOS has been evading detection over the past two months by adopting string encryption from Apple’s XProtect. Banshee is an information stealer focused on macOS systems. It emerged in mid-2024 as a stealer-as-a-service available to cybercriminals for $3,000. Its source code was leaked on the XSS forums in November 2024, leading to the project shutting down for the public and creating an opportunity for other malware developers to improve on it.


Discovery and Implications

Check Point Research discovered one of the new variants. The string encryption used by this version of Banshee lets it blend in with normal system activity and appear legitimate while it collects sensitive information from infected hosts. Another change is that it no longer avoids systems belonging to Russian users. Apple’s XProtect is the malware detection technology built into macOS; it uses a set of rules, similar to antivirus signatures, to identify and block known malware.

Evasion Technique

The latest version of Banshee Stealer adopted a string encryption algorithm that XProtect itself uses to protect its own data. By storing its strings in encrypted form and decrypting them only at runtime, Banshee can evade signature-based static detection, which relies on matching known plaintext strings in the binary. It is also possible that macOS and third-party anti-malware tools treat this particular encryption technique with less suspicion because it is associated with Apple’s own component, allowing Banshee to operate undetected for longer periods.

Distribution and Targeting

The latest Banshee Stealer variant is primarily distributed via deceptive GitHub repositories that target macOS users by impersonating legitimate software. The same operators also target Windows users, but with Lumma Stealer. Check Point reports that while the Banshee malware-as-a-service operation has remained down since November, multiple phishing campaigns have continued to distribute the malware since the source code leaked.

Data Collection

Banshee targets data stored in popular browsers (e.g., Chrome, Brave, Edge, and Vivaldi), including passwords, two-factor authentication extensions, and cryptocurrency wallet extensions. It also collects basic system and networking information about the host and serves victims deceptive login prompts to steal their macOS passwords.

Conclusion

Banshee Stealer’s reuse of Apple’s XProtect string encryption algorithm highlights the evolving nature of cyber threats and the need for continuous vigilance and layered defenses that do not depend on static signatures alone. As macOS continues to gain popularity, it becomes an increasingly attractive target for cybercriminals. Users and businesses must remain proactive in safeguarding their data and systems against such sophisticated threats.
