100 Million macOS Users At Risk – New Banshee Malware Attacks Bypassing Apple’s XProtect

Researchers analyzed new versions of the Banshee macOS Stealer sample, which initially evaded detection by most antivirus engines; analysis revealed that the malware employed a unique string encryption technique.

The encryption method was identical to that used by Apple’s XProtect antivirus engine for encrypting YARA rules within its binaries. By leveraging this shared encryption algorithm, Banshee obfuscated critical strings, hindering immediate detection by security solutions.

“As macOS continues to gain popularity, with over 100 million users globally, it’s becoming an increasingly attractive target for cyber criminals,” Check Point researchers added.

Banshee is a stealer malware that targets user credentials, browser data, and crypto wallets, and it uses anti-analysis techniques such as forking and process creation to avoid detection.

It steals information from various browsers and browser extensions, including Chrome, Brave, Edge, Vivaldi, Yandex, and Opera, and it also targets specific crypto wallet extensions.

The stolen data is first compressed, then XOR encrypted with the campaign ID, base64 encoded, and finally exfiltrated to the command and control server.
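For an analyst holding a captured exfiltration body, the pipeline described above can be reversed step by step. The following is an added example, not code from the report or from the malware: it assumes zlib (or gzip) as the compressor, which the article does not specify, and shows how the known container header lets a known-plaintext XOR recover the leading bytes of the campaign ID when it is not yet known.

```python
import base64
import gzip
import zlib
from typing import Optional

# Magic bytes of common compression containers (constructed list; the article does
# not name which compressor Banshee uses, so the decoder tries several).
MAGICS = {"zlib": b"\x78\x9c", "gzip": b"\x1f\x8b"}


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_exfil(blob_b64: str, campaign_id: str) -> Optional[bytes]:
    """Reverse the described pipeline: base64 -> XOR(campaign ID) -> decompress.
    Returns the recovered plaintext, or None if the candidate key does not yield
    a recognisable compressed container."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    plain = xor_with_key(raw, campaign_id.encode())
    try:
        if plain.startswith(MAGICS["zlib"]):
            return zlib.decompress(plain)
        if plain.startswith(MAGICS["gzip"]):
            return gzip.decompress(plain)
    except (zlib.error, OSError, EOFError):
        return None
    return None


def recover_key_prefix(blob_b64: str, container: str = "zlib") -> bytes:
    """Known-plaintext check: XOR the first bytes of the captured blob with the
    expected container magic to learn the leading bytes of the campaign ID."""
    raw = base64.b64decode(blob_b64)
    magic = MAGICS[container]
    return xor_with_key(raw[: len(magic)], magic)


def build_sample(plaintext: bytes, campaign_id: str) -> str:
    """Constructed sample in the described format, used only to exercise the decoder."""
    packed = xor_with_key(zlib.compress(plaintext), campaign_id.encode())
    return base64.b64encode(packed).decode()


if __name__ == "__main__":
    blob = build_sample(b"constructed wallet.dat contents", "camp42")
    print(recover_key_prefix(blob))          # first two key bytes: b'ca'
    print(decode_exfil(blob, "camp42"))      # full plaintext with the right key
```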

The C&C server has gone through multiple iterations, from a Django-based server with a separate admin panel to a single FastAPI endpoint for bot communication. Currently, the server hosting the admin panel is hidden behind relay servers for added stealth.

Source: Cybersecurity News