Malware targets Mac users by using Apple’s security tool

by CybrGPT

Using Apple’s proprietary string encryption, the malware evaded detection for months.


A variant of the Banshee macOS infostealer was seen duping detection systems with new string encryption copied from Apple’s in-house algorithm.

Check Point Research, which caught the variant after two months of successful evasion, said threat actors distributed Banshee using phishing websites and fake GitHub repositories, often impersonating popular software such as Google Chrome, Telegram, and TradingView.

Ngoc Bui, a cybersecurity expert at Menlo Security, said the new variant highlights a significant gap in Mac security. “While companies are increasingly adopting Apple ecosystems, the security tools haven’t kept pace,” he said. “Even leading EDR solutions have limitations on Macs, leaving organizations with significant blind spots. We need a multi-layered approach to security, including more trained hunters on Mac environments.”

The malware is known for stealing browser credentials, cryptocurrency wallets, and other sensitive data.

Turning Apple’s own tech against it

Check Point researchers found that the new Banshee variant uses a string encryption algorithm “stolen” from Apple’s XProtect engine, which is probably what let it evade detection for over two months.

Where the original version used plain-text strings, the new variant copies Apple’s string encryption to encrypt URLs, commands, and other sensitive data, so that they are neither readable nor detectable by the static analysis tools antivirus systems use to scan for known malicious signatures.
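To make the detection gap concrete, here is an added example (not code from the article, Check Point, or Apple) that contrasts a plaintext signature scan with a heuristic that looks for encrypted string blobs instead. The two "binaries", the placeholder indicator `c2.example.invalid`, and the single-byte XOR stand-in for string encryption are all constructed here; the article gives no details of the XProtect-derived routine, and the XOR is only there to make a string unreadable to a substring match. The point for defenders is the caveat the scan illustrates: encryption does not lower the entropy of a string, so signatures on plaintext miss it, while a run of bytes that is high-entropy but non-printable is itself a signal worth surfacing for a hunter.

```python
import math
from typing import Dict, List, Tuple

# Constructed sample "binaries" for illustration only. They are not Banshee
# samples, and _xor() is a stand-in, not the XProtect-derived algorithm.
C2_URL = b"https://c2.example.invalid/upload"  # placeholder indicator, constructed


def _xor(data: bytes, key: int) -> bytes:
    """Stand-in for string encryption: enough to hide a string from a plaintext scan."""
    return bytes(b ^ key for b in data)


# Both samples carry the same indicator; only the second one has it encrypted.
PLAINTEXT_SAMPLE = b"\x00" * 16 + b"\x01\x02" + b"\x00" * 8 + C2_URL + b"\x00" * 16
ENCRYPTED_SAMPLE = b"\x00" * 16 + b"\x01\x02" + b"\x00" * 8 + _xor(C2_URL, 0xA5) + b"\x00" * 16

SIGNATURES = [b"c2.example.invalid"]  # constructed plaintext indicator


def signature_hits(blob: bytes) -> List[bytes]:
    """Plain substring matching: the model of a static signature scan."""
    return [sig for sig in SIGNATURES if sig in blob]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty or constant data, 8.0 for a uniform byte spread."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _printable_ratio(data: bytes) -> float:
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)


def encrypted_string_candidates(blob: bytes, min_len: int = 16,
                                min_entropy: float = 3.5,
                                max_printable: float = 0.5) -> List[Tuple[int, int, float]]:
    """Return (offset, length, entropy) for null-delimited runs that look like
    encrypted string blobs: long enough, high entropy, and mostly non-printable.
    Printable runs are left to a normal strings-style extractor; short or
    low-entropy runs (padding, small integers) are ignored."""
    findings = []
    offset = 0
    for run in blob.split(b"\x00"):
        if len(run) >= min_len:
            ent = shannon_entropy(run)
            if ent >= min_entropy and _printable_ratio(run) <= max_printable:
                findings.append((offset, len(run), round(ent, 2)))
        offset += len(run) + 1  # skip the run and the null separator after it
    return findings


def scan(blob: bytes) -> Dict[str, list]:
    """Combine both views so a hunter sees why the signature layer went quiet."""
    return {
        "signature_hits": signature_hits(blob),
        "encrypted_string_candidates": encrypted_string_candidates(blob),
    }


if __name__ == "__main__":
    for name, sample in (("plaintext", PLAINTEXT_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        print(name, scan(sample))
```

Running it shows the signature layer hitting on the plaintext sample and returning nothing for the encrypted one, while the entropy heuristic flags the encrypted run (a 33-byte blob at offset 26 with roughly 4.2 bits per byte) and stays silent on the plaintext sample. The heuristic is a triage aid, not a verdict: compressed data, certificates, and legitimate crypto material also produce high-entropy non-printable runs, which is why the article's call for trained Mac hunters and behaviour-based EDR coverage matters more than any single static check.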

“As attackers refine their techniques, including leveraging encryption methods inspired by native security tools, it’s evident that businesses can no longer rely on legacy assumptions about platform security,” said James Scobey, chief information security officer at Keeper Security. “Sophisticated malware like Banshee Stealer can bypass traditional defenses, capitalizing on stolen credentials and user errors.”

Banshee 2.0

Another key difference Check Point Research noticed is that the variant has removed a Russian-language check, hinting at possible new ownership and expanded operations.

“Previous malware versions terminated operations if they detected the Russian language, likely to avoid targeting specific regions,” the researchers said in a blog post. “Removing this feature indicates an expansion in the malware’s potential targets.”

Banshee macOS Stealer gained attention in mid-2024, promoted as a “stealer-as-a-service” on forums like XSS, Exploit, and Telegram. Threat actors could buy it for $3,000 to target macOS users.

In November 2024, however, Banshee’s operations took a wild turn after its source code leaked on XSS forums, leading to its public shutdown. The leak improved antivirus detection but sparked worries about new variants being developed by other actors.
