Full Report
Research by: Antonis Terefos (@Tera0017)

Key Points

Introduction

As of 2024, approximately 100.4 million people worldwide use macOS, accounting for 15.1% of the global PC market. Of the millions of macOS users, many falsely assume that their systems are inherently secure from malware. This perception stems from macOS’s Unix-based architecture and historically lower market share, making […]

The post Banshee: The Stealer That “Stole Code” From MacOS XProtect appeared first on Check Point Research.
Analysis Summary
# Tool/Technique: Banshee macOS Stealer
## Overview
Banshee is a stealthy information stealer malware specifically designed to target macOS users. It operates as a "stealer-as-a-service" model, sold or advertised through Telegram and underground forums. A recent, more advanced version introduced string encryption, mimicking an algorithm used by Apple's built-in XProtect antivirus engine.
## Technical Details
- Type: Malware family (Info Stealer)
- Platform: macOS
- Capabilities: Steals browser and login credentials, cryptocurrency wallet data, and sensitive information from local files. The new version uses string encryption to evade detection.
- First Seen: Publicly in July 2024 (the new version has been monitored since late September 2024).
## MITRE ATT&CK Mapping
*Note: Specific TTPs are inferred based on observed functionality (stealing credentials and data).*
- TA0009 - Collection
- T1005 - Data from Local System
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel (Inferred)
## Functionality
### Core Capabilities
- Steals credentials stored in web browsers.
- Extracts cryptocurrency wallet information.
- Gathers sensitive data from files on the system.
### Advanced Features
- **String Encryption:** The latest version employs string encryption to hide sensitive strings within the binary.
- **XProtect Imitation:** The specific string decryption algorithm used mirrors the one Apple uses in its macOS XProtect antivirus engine, aiding in evasion.
- **Service Model:** Operated as a stealer-as-a-service, priced at $3,000, with authors reportedly hiring campaign operators.
## Indicators of Compromise
- File Hashes: SHA256: `ce371a92e905d12cb16b5c273429ae91d6ff5485dda04bfedf002d2006856038` (Specific sample referenced in the analysis)
- File Names: Not explicitly provided, but distributed via malicious GitHub repositories and phishing websites.
- Registry Keys: Not provided.
- Network Indicators: Not provided (C2 structure is inferred but not detailed).
- Behavioral Indicators: Attempts to decrypt and access sensitive user data; execution of code matching specific x64/ARM instruction sequences related to string decryption (detailed in the YARA rule).
## Associated Threat Actors
- Russian-speaking cybercriminals (operators behind the Banshee Stealer-as-a-Service operation).
## Detection Methods
- **YARA Rules:** Specific YARA rules were written based on the string encryption methodology, and further detailed rules exist based on known machine code sequences for both x64 and ARM architectures within the malware binary (the `$x64_code*` and `$arm_code*` string sets).
- **Signature-based detection:** Became significantly more effective following the leak of the source code on XSS forums on November 23, 2024.
- **Behavioral detection:** Monitoring for custom string decryption routines that mimic Apple's XProtect engine.
## Mitigation Strategies
- Do not download software from untrusted sources (phishing websites or unofficial GitHub repositories).
- Maintain up-to-date security software, recognizing that advanced malware uses code patterns similar to legitimate system tools (like XProtect).
- Be cautious of software that purports to be legitimate but is distributed via non-standard channels.
## Related Tools/Techniques
- **Lumma Stealer:** Mentioned as being distributed alongside Banshee Stealer in some GitHub campaigns, targeting Windows users.
- Older, predecessor versions of Banshee Stealer (which reportedly used plain text strings).