The Banshee 2.0 malware, an infostealer targeting macOS, evades antivirus detection by employing an encryption mechanism drawn from Apple’s XProtect antivirus product. This variant has spread primarily through Russian cybercrime marketplaces since its introduction in July.
Banshee 2.0 malware uses Apple’s encryption to evade detection
Banshee 2.0 malware, priced at $1,500 as a “stealer-as-a-service,” is designed to steal credentials from various browsers including Google Chrome, Brave, Microsoft Edge, Vivaldi, Yandex, and Opera, alongside browser extensions for cryptocurrency wallets like Ledger, Atomic, Wasabi, Guarda, Coinomi, Electrum, and Exodus. It also gathers additional system information, such as software and hardware specifications, and the macOS password needed to unlock the system.
The initial version of Banshee was often detected by antivirus software due to its plaintext packaging. However, a more potent variant emerged on September 26, utilizing the same encryption algorithm as Apple’s Xprotect antivirus tool, allowing it to evade detection for nearly two months. Check Point Research found that while most antivirus solutions in VirusTotal flagged the initial, plaintext Banshee samples, the newly encrypted version went unnoticed by approximately 65 antivirus engines.
The source of the encryption technique remains unclear, though Check Point’s reverse engineer Antonis Terefos speculated that the malware author, known as “0xe1” or “kolosain,” might have reverse-engineered XProtect binaries or accessed relevant publications. This newfound encryption has enabled Banshee to conceal its functionality effectively.
“It could be that they performed a reverse engineering of the XProtect binaries, or even read relevant publications, but we can’t confirm it. Once the string encryption of macOS XProtect becomes known — meaning the way the antivirus is storing the YARA rules is reverse-engineered — threat actors can easily ‘reimplement’ the string encryption for malicious purposes,” Antonis Terefos, reverse engineer at Check Point Research, claims.
Campaigns and distribution methods
Since late September, Check Point Research has tracked over 26 campaigns utilizing Banshee, categorized into two main groups. The first group consisted of GitHub repository campaigns that thrived from mid-October to early November, promoting cracked versions of popular software alongside the Banshee malware hidden under generic filenames like “Setup,” “Installer,” and “Update.” These repositories also targeted Windows users with the Lumma Stealer.
The second category involved phishing sites where attackers disguised Banshee 2.0 as popular software, including Google Chrome, TradingView, Zegent, Parallels, Solara, CryptoNews, MediaKIT, and Telegram. Users on macOS were directed to download links for the malicious payload.
On November 23, the source code for Banshee was leaked on the Russian dark web forum XSS, prompting its author to cease operations. Despite the leak, Check Point continues to observe ongoing campaigns distributing Banshee through phishing methods masquerading as legitimate software, emphasizing the malware’s continuing threat to macOS users.
Banshee 2.0 malware’s success illustrates the evolving landscape of cybersecurity threats targeting macOS, underscoring the necessity for users to maintain vigilance against potential malware and phishing attacks as they increasingly become targets of sophisticated cybercriminal tactics.
Featured image credit: Kerem Gülen/Midjourney
