Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Whitepapers
    • AI Models Leaderboard
  • AI toolsNEW
  • Newsletter
  • + More
    • Glossary
    • Conversations
    • Events
    • About
      • Who we are
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
  • AI
  • Tech
  • Cybersecurity
  • Finance
  • DeFi & Blockchain
  • Startups
  • Gaming
Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Whitepapers
    • AI Models Leaderboard
  • AI toolsNEW
  • Newsletter
  • + More
    • Glossary
    • Conversations
    • Events
    • About
      • Who we are
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
Dataconomy
No Result
View All Result

Banshee 2.0 malware targets macOS users and it’s hard to spot

Banshee 2.0 malware, priced at $1,500 as a "stealer-as-a-service," is designed to steal credentials from various browsers including Google Chrome, Brave, Microsoft Edge, Vivaldi, Yandex, and Opera, alongside browser extensions for cryptocurrency wallets like Ledger, Atomic, Wasabi, Guarda, Coinomi, Electrum, and Exodus

byKerem Gülen
January 10, 2025
in Cybersecurity, News
Home News Cybersecurity
Share on FacebookShare on TwitterShare on LinkedInShare on WhatsAppShare on e-mail
Google Preferred Source

The Banshee 2.0 malware, an infostealer targeting macOS, evades antivirus detection by employing an encryption mechanism drawn from Apple’s XProtect antivirus product. This variant has spread primarily through Russian cybercrime marketplaces since its introduction in July.

Banshee 2.0 malware uses Apple’s encryption to evade detection

Banshee 2.0 malware, priced at $1,500 as a “stealer-as-a-service,” is designed to steal credentials from various browsers including Google Chrome, Brave, Microsoft Edge, Vivaldi, Yandex, and Opera, alongside browser extensions for cryptocurrency wallets like Ledger, Atomic, Wasabi, Guarda, Coinomi, Electrum, and Exodus. It also gathers additional system information, such as software and hardware specifications, and the macOS password needed to unlock the system.

The initial version of Banshee was often detected by antivirus software due to its plaintext packaging. However, a more potent variant emerged on September 26, utilizing the same encryption algorithm as Apple’s Xprotect antivirus tool, allowing it to evade detection for nearly two months. Check Point Research found that while most antivirus solutions in VirusTotal flagged the initial, plaintext Banshee samples, the newly encrypted version went unnoticed by approximately 65 antivirus engines.

Stay Ahead of the Curve!

Don't miss out on the latest insights, trends, and analysis in the world of data, technology, and startups. Subscribe to our newsletter and get exclusive content delivered straight to your inbox.

The source of the encryption technique remains unclear, though Check Point’s reverse engineer Antonis Terefos speculated that the malware author, known as “0xe1” or “kolosain,” might have reverse-engineered XProtect binaries or accessed relevant publications. This newfound encryption has enabled Banshee to conceal its functionality effectively.

“It could be that they performed a reverse engineering of the XProtect binaries, or even read relevant publications, but we can’t confirm it. Once the string encryption of macOS XProtect becomes known — meaning the way the antivirus is storing the YARA rules is reverse-engineered — threat actors can easily ‘reimplement’ the string encryption for malicious purposes,” Antonis Terefos, reverse engineer at Check Point Research, claims.

Campaigns and distribution methods

Since late September, Check Point Research has tracked over 26 campaigns utilizing Banshee, categorized into two main groups. The first group consisted of GitHub repository campaigns that thrived from mid-October to early November, promoting cracked versions of popular software alongside the Banshee malware hidden under generic filenames like “Setup,” “Installer,” and “Update.” These repositories also targeted Windows users with the Lumma Stealer.

The second category involved phishing sites where attackers disguised Banshee 2.0 as popular software, including Google Chrome, TradingView, Zegent, Parallels, Solara, CryptoNews, MediaKIT, and Telegram. Users on macOS were directed to download links for the malicious payload.

On November 23, the source code for Banshee was leaked on the Russian dark web forum XSS, prompting its author to cease operations. Despite the leak, Check Point continues to observe ongoing campaigns distributing Banshee through phishing methods masquerading as legitimate software, emphasizing the malware’s continuing threat to macOS users.

Banshee 2.0 malware’s success illustrates the evolving landscape of cybersecurity threats targeting macOS, underscoring the necessity for users to maintain vigilance against potential malware and phishing attacks as they increasingly become targets of sophisticated cybercriminal tactics.


Featured image credit: Kerem Gülen/Midjourney

Tags: CybersecurityMalware

Related Posts

OpenAI retires Atlas browser to focus on new ChatGPT superapp

OpenAI retires Atlas browser to focus on new ChatGPT superapp

July 14, 2026
Microsoft tests Copilot’s new PC insights feature in Windows 11

Microsoft tests Copilot’s new PC insights feature in Windows 11

July 14, 2026
Xiaomi unveils SkyNomad N90 range-extender SUV

Xiaomi unveils SkyNomad N90 range-extender SUV

July 14, 2026
X algorithm update aims to make replies feel friendlier

X algorithm update aims to make replies feel friendlier

July 14, 2026
Windows 11 Search Box gets less clutter and more control

Windows 11 Search Box gets less clutter and more control

July 14, 2026
Pixel 11 leak shows bold magenta and peach colors

Pixel 11 leak shows bold magenta and peach colors

July 14, 2026

LATEST NEWS

OpenAI retires Atlas browser to focus on new ChatGPT superapp

Microsoft tests Copilot’s new PC insights feature in Windows 11

Xiaomi unveils SkyNomad N90 range-extender SUV

X algorithm update aims to make replies feel friendlier

Windows 11 Search Box gets less clutter and more control

Pixel 11 leak shows bold magenta and peach colors

BEST AI MODELS LEADERBOARD

See the best AI models, ranked by intelligence, benchmark results, speed and token price. Find the most suitable LLMs, Text-to-Image, Image Editing, Text-to-Speech, Text-to-Video and Image-to-Video  artificial intelligence model for your tasks and business.

LATEST TOOLS

Mootion

Legacy AI

Copyseeker

ProPhotos

Kuki AI

Create

RemodelAI

AItwitch

Vadoo AI

Greptile AI

Dataconomy

COPYRIGHT © DATACONOMY MEDIA GMBH, ALL RIGHTS RESERVED.

  • About
  • Imprint
  • Contact
  • Legal & Privacy

Follow Us

  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Whitepapers
    • AI Models Leaderboard
  • AI tools
  • Newsletter
  • + More
    • Glossary
    • Conversations
    • Events
    • About
      • Who we are
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
No Result
View All Result
Subscribe

This website uses cookies to improve your experience. You can choose to accept or reject them. Visit our Privacy Policy.