The macOS infostealer “Banshee” has been making waves as it skates past antivirus programs by using a string encryption algorithm it pilfered from Apple. The malware has been on the move since July, spreading predominantly through Russian cybercrime marketplaces, where it was sold as a “stealer-as-a-service” for Macs at the hefty price of $1,500. Banshee’s primary goal is to steal credentials from a variety of browsers, including Google Chrome, Brave, Microsoft Edge, Vivaldi, Yandex, and Opera, as well as from browser extensions associated with cryptocurrency wallets such as Ledger, Atomic, Wasabi, Guarda, Coinomi, Electrum, and Exodus. Banshee also collects information about the targeted system, including its software and hardware specifications and the password needed to unlock it.
Initially, Banshee was easily detectable by antivirus programs because it shipped with its strings in plaintext. However, a more sophisticated variant emerged on Sept. 26 and evaded detection for an extended period by leveraging the same string encryption algorithm used by Apple’s XProtect antivirus tool for macOS. XProtect is Apple’s long-standing anti-malware engine for macOS, which uses various techniques, including YARA rules, to identify and block malicious software. Check Point researchers uncovered that the encryption algorithm safeguarding XProtect’s YARA rules also concealed the more potent variant of Banshee.
The mysterious malware author, known as “0xe1” or “kolosain,” somehow obtained access to this encryption algorithm, although the exact method remains unclear. It is speculated that the author either reverse engineered XProtect binaries or sourced the information from relevant publications. Once the string encryption method of macOS XProtect is deciphered, threat actors can easily adapt it for malicious purposes, as Antonis Terefos, a reverse engineer at Check Point Research, explained. This novel string encryption allowed the upgraded Banshee variant to evade detection by the vast majority of antivirus engines on VirusTotal.
Despite its successful evasion tactics, Banshee faced a setback when its source code was leaked on the Russian cybercrime forum “XSS” on Nov. 23. In response, the malware’s developer shut down the malware-as-a-service (MaaS) operation, and antivirus vendors promptly incorporated associated YARA rules. Nonetheless, the encrypted Banshee variant managed to elude most antivirus engines on VirusTotal even after these developments.
Banshee has been the focal point of more than 26 campaigns identified by Check Point since late September. These campaigns fall into two broad clusters. In one set, spread over three waves from mid-October to early November, Banshee was distributed via GitHub repositories offering cracked versions of popular software under generic file names such as “Setup,” “Installer,” and “Update.” The other cluster targeted macOS users through phishing sites that disguised Banshee as common software programs like Google Chrome, TradingView, and Telegram.
As the leaked source code may lead to new campaigns, Terefos emphasizes the significance of vigilance for macOS users in the face of evolving threats. Despite macOS’s reputation for security, the success of Banshee underscores the importance of staying informed and cautious to safeguard against potential cyber threats.