{"id":1506,"date":"2025-01-13T10:53:02","date_gmt":"2025-01-13T10:53:02","guid":{"rendered":"https:\/\/www.tsfactory.com\/forums\/?p=1506"},"modified":"2025-01-13T10:53:02","modified_gmt":"2025-01-13T10:53:02","slug":"100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect","status":"publish","type":"post","link":"https:\/\/www.tsfactory.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/","title":{"rendered":"100 Million macOS Users At Risk \u2013 New Banshee Malware Attacks Bypassing Apple\u2019s XProtect"},"content":{"rendered":"<p>Researchers analyzed new versions of the Banshee\u00a0<a href=\"https:\/\/cybersecuritynews.com\/new-banshee-macos-stealer\/\" target=\"_blank\" rel=\"noreferrer noopener\">macOS Stealer<\/a>\u00a0sample that initially evaded detection by most antivirus engines, as analysis revealed that the malware employed a unique string encryption technique.<\/p>\n<p>The encryption method was identical to that used by Apple\u2019s XProtect antivirus engine for encrypting YARA rules within its binaries. 
By leveraging this shared encryption algorithm, Banshee obfuscated critical strings, hindering immediate detection by security solutions.<\/p>\n<p>\u201cAs macOS continues to gain popularity, with over\u00a0<a href=\"https:\/\/www.spyhunter.com\/shm\/macos-stats\/#:~:text=66%25-,Global%20Mac%20user%20base%20and%20market%20share,seamlessly%20with%20other%20Apple%20products.\">100 million users globally<\/a>, it\u2019s becoming an increasingly attractive target for cyber criminals,\u201d Check Point researchers added.<\/p>\n<p>Banshee is a stealer malware that targets user credentials, browser data, and crypto wallets, and uses anti-analysis techniques such as forking and process creation to avoid detection.<\/p>\n<p>It steals information from various browsers and\u00a0<a href=\"https:\/\/cybersecuritynews.com\/browser-extensions-can-harm-your-organization\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">browser extensions<\/a>, including Chrome, Brave, Edge, Vivaldi, Yandex, and Opera, and also targets specific crypto wallet extensions.<\/p>\n<p>After the stolen data is compressed, it is XOR-encrypted with the campaign ID, base64-encoded, and then exfiltrated to the command and control server.<\/p>\n<p>The C&amp;C server has gone through multiple iterations, from a Django-based server with a separate admin panel to a single FastAPI endpoint for bot communication. 
Currently, the server hosting the admin panel is hidden behind Relay servers for increased stealth.<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/banshee-malware-targets-macos\/\">Read the Full Story Here<\/a><\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/banshee-malware-targets-macos\/\">Source: Cybersecurity News<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers analyzed new versions of the Banshee\u00a0macOS Stealer\u00a0sample that initially evaded detection by most antivirus engines, as analysis revealed that the malware employed a unique string encryption technique. The encryption method was identical to that used by Apple\u2019s XProtect antivirus engine for encrypting YARA rules within its binaries. By leveraging this shared encryption algorithm, Banshee [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":1507,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-1506","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>100 Million macOS Users At Risk \u2013 New Banshee Malware Attacks Bypassing Apple\u2019s XProtect - Community<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.tsfactory.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"100 Million macOS Users At Risk \u2013 New Banshee Malware Attacks Bypassing Apple\u2019s XProtect - Community\" \/>\n<meta property=\"og:description\" 
content=\"Researchers analyzed new versions of the Banshee\u00a0macOS Stealer\u00a0sample that initially evaded detection by most antivirus engines, as analysis revealed that the malware employed a unique string encryption technique. The encryption method was identical to that used by Apple\u2019s XProtect antivirus engine for encrypting YARA rules within its binaries. By leveraging this shared encryption algorithm, Banshee [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.tsfactory.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/\" \/>\n<meta property=\"og:site_name\" content=\"Community\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/TSFactoryLLC\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-01-13T10:53:02+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2025\/01\/applemalware.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"960\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Chelsie Wyatt\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@TSFactoryLLC\" \/>\n<meta name=\"twitter:site\" content=\"@TSFactoryLLC\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Chelsie Wyatt\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.tsfactory.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/\",\"url\":\"https:\/\/www.tsfactory.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/\",\"name\":\"100 Million macOS Users At Risk \u2013 New Banshee Malware Attacks Bypassing Apple\u2019s XProtect - Community\",\"isPartOf\":{\"@id\":\"https:\/\/www.tsfactory.com\/forums\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.tsfactory.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.tsfactory.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2025\/01\/applemalware.jpg\",\"datePublished\":\"2025-01-13T10:53:02+00:00\",\"author\":{\"@id\":\"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/9d9908f0e12559297335ebe9b601c82f\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.tsfactory.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.tsfactory.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.tsfactory.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/#primaryimage\",\"url\":\"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2025\/01\/ap
plemalware.jpg\",\"contentUrl\":\"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2025\/01\/applemalware.jpg\",\"width\":1280,\"height\":960},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.tsfactory.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.tsfactory.com\/forums\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"100 Million macOS Users At Risk \u2013 New Banshee Malware Attacks Bypassing Apple\u2019s XProtect\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.tsfactory.com\/forums\/#website\",\"url\":\"https:\/\/www.tsfactory.com\/forums\/\",\"name\":\"Community\",\"description\":\"TSFactory\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.tsfactory.com\/forums\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/9d9908f0e12559297335ebe9b601c82f\",\"name\":\"Chelsie Wyatt\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/09ff3801fb7566acf715fe4e81a9bd942b923c236138a3ed8a8375f099e5d6d6?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/09ff3801fb7566acf715fe4e81a9bd942b923c236138a3ed8a8375f099e5d6d6?s=96&d=mm&r=g\",\"caption\":\"Chelsie Wyatt\"},\"url\":\"https:\/\/www.tsfactory.com\/forums\/blog\/author\/chelsie\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"100 Million macOS Users At Risk \u2013 New Banshee Malware Attacks Bypassing Apple\u2019s XProtect - Community","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.tsfactory.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/","og_locale":"en_US","og_type":"article","og_title":"100 Million macOS Users At Risk \u2013 New Banshee Malware Attacks Bypassing Apple\u2019s XProtect - Community","og_description":"Researchers analyzed new versions of the Banshee\u00a0macOS Stealer\u00a0sample that initially evaded detection by most antivirus engines, as analysis revealed that the malware employed a unique string encryption technique. The encryption method was identical to that used by Apple\u2019s XProtect antivirus engine for encrypting YARA rules within its binaries. By leveraging this shared encryption algorithm, Banshee [&hellip;]","og_url":"https:\/\/www.tsfactory.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/","og_site_name":"Community","article_publisher":"https:\/\/www.facebook.com\/TSFactoryLLC\/","article_published_time":"2025-01-13T10:53:02+00:00","og_image":[{"width":1280,"height":960,"url":"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2025\/01\/applemalware.jpg","type":"image\/jpeg"}],"author":"Chelsie Wyatt","twitter_card":"summary_large_image","twitter_creator":"@TSFactoryLLC","twitter_site":"@TSFactoryLLC","twitter_misc":{"Written by":"Chelsie Wyatt","Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.tsfactory.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/","url":"https:\/\/www.tsfactory.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/","name":"100 Million macOS Users At Risk \u2013 New Banshee Malware Attacks Bypassing Apple\u2019s XProtect - Community","isPartOf":{"@id":"https:\/\/www.tsfactory.com\/forums\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.tsfactory.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/#primaryimage"},"image":{"@id":"https:\/\/www.tsfactory.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/#primaryimage"},"thumbnailUrl":"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2025\/01\/applemalware.jpg","datePublished":"2025-01-13T10:53:02+00:00","author":{"@id":"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/9d9908f0e12559297335ebe9b601c82f"},"breadcrumb":{"@id":"https:\/\/www.tsfactory.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.tsfactory.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.tsfactory.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/#primaryimage","url":"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2025\/01\/applemalware.jpg","contentUrl":"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2025\/01\/applemalware.jpg","width":1280,"height":960},{"@type":"BreadcrumbList","@id":"https:\/\/www.tsfactor
y.com\/forums\/blog\/100-million-macos-users-at-risk-new-banshee-malware-attacks-bypassing-apples-xprotect\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.tsfactory.com\/forums\/"},{"@type":"ListItem","position":2,"name":"100 Million macOS Users At Risk \u2013 New Banshee Malware Attacks Bypassing Apple\u2019s XProtect"}]},{"@type":"WebSite","@id":"https:\/\/www.tsfactory.com\/forums\/#website","url":"https:\/\/www.tsfactory.com\/forums\/","name":"Community","description":"TSFactory","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.tsfactory.com\/forums\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/9d9908f0e12559297335ebe9b601c82f","name":"Chelsie Wyatt","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/09ff3801fb7566acf715fe4e81a9bd942b923c236138a3ed8a8375f099e5d6d6?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/09ff3801fb7566acf715fe4e81a9bd942b923c236138a3ed8a8375f099e5d6d6?s=96&d=mm&r=g","caption":"Chelsie 
Wyatt"},"url":"https:\/\/www.tsfactory.com\/forums\/blog\/author\/chelsie\/"}]}},"_links":{"self":[{"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/posts\/1506","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/comments?post=1506"}],"version-history":[{"count":1,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/posts\/1506\/revisions"}],"predecessor-version":[{"id":1508,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/posts\/1506\/revisions\/1508"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/media\/1507"}],"wp:attachment":[{"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/media?parent=1506"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/categories?post=1506"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/tags?post=1506"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}