Full Report
Cybersecurity researchers have uncovered a new, stealthier version of a macOS-focused information-stealing malware called Banshee Stealer. "Once thought dormant after its source code leak in late 2024, this new iteration introduces advanced string encryption inspired by Apple's XProtect," Check Point Research said in a new analysis shared with The Hacker News. "This development allows it to
Analysis Summary
# Tool/Technique: Banshee Stealer (New Variant)
## Overview
Banshee Stealer is a macOS-focused information-stealing malware; this entry covers a new, stealthier variant developed after the original's source code leaked in late 2024. Its primary improvement is advanced string encryption, inspired by Apple's XProtect antivirus engine, intended to bypass existing antivirus systems while targeting macOS users.
## Technical Details
- Type: Malware family
- Platform: macOS
- Capabilities: Information stealing, string obfuscation/encryption, bypass of AV detection.
- First Seen: New variant detected in late September 2024. (The original was documented in August 2024).
## MITRE ATT&CK Mapping
*Note: Since the provided text describes evasion and initial infection vectors, mappings focus on those areas.*
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.002 - Spearphishing Link (Distribution via phishing websites and fake repositories)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
    - T1027.001 - Obfuscated Files via Encoding or Encryption (Uses XProtect-inspired encryption)
## Functionality
### Core Capabilities
- Information harvesting capabilities inherited from the original version, including stealing data from web browsers, cryptocurrency wallets, and files matching specific extensions.
- Distribution via phishing attacks, masquerading as popular software (Google Chrome, Telegram, TradingView) hosted on fake GitHub repositories and phishing websites.
### Advanced Features
- **XProtect-Inspired Encryption:** Utilizes a string encryption algorithm similar to that found in Apple's XProtect antivirus engine. This is used to obfuscate plaintext strings within the malware, significantly enhancing its ability to bypass antivirus detection mechanisms.
- **Removal of Geo-Restriction:** The new variant dropped the anti-analysis check that prevented execution if the system language was set to Russian, suggesting a broader targeting scope.
## Indicators of Compromise
- File Hashes: [Not provided in the summary]
- File Names: [Inferred from distribution vectors: Dropped via fake installers masquerading as Google Chrome, Telegram, or TradingView.]
- Registry Keys: [Not provided in the summary]
- Network Indicators: [No specific C2 indicators were provided in this snippet.]
- Behavioral Indicators: Attempting to exfiltrate browser data, wallet data, and files matching specific extensions; exhibiting evasion techniques using string obfuscation.
## Associated Threat Actors
- Threat actors previously using Banshee Stealer (a Malware-as-a-Service (MaaS) operation previously priced at $3,000/month). It is currently unknown if the actors behind the new variant are previous customers or a new group leveraging the leaked source code.
## Detection Methods
- Signature-based detection: Likely ineffective against the new variant, because static signatures that match plaintext strings no longer find them once the strings are encrypted.
- Behavioral detection: Can focus on post-infection activities such as file enumeration, credential access attempts, and suspicious network connections originating from processes related to disguised software.
- YARA rules: Should be developed targeting the unique XProtect-inspired encryption patterns present in the obfuscated strings.
## Mitigation Strategies
- **User Education:** Training users to recognize phishing campaigns that distribute malware via fake software installs on phishing websites and fraudulent GitHub repositories.
- **Application Whitelisting:** Restricting the execution of unauthorized software, particularly software downloaded from external, untrusted sources.
- **Endpoint Security:** Ensuring Endpoint Detection and Response (EDR) solutions are in place that monitor for suspicious process behavior indicative of information theft, regardless of file-level AV signatures.
## Related Tools/Techniques
- Banshee Stealer (Original iteration, documented August 2024).
- Malware distributed via MaaS model.