A new version of the Banshee macOS stealer was observed — the malware steals browser credentials, cryptocurrency wallets, and other sensitive data.
Check Point Research said in a Jan. 9 blog post that it had been monitoring the Banshee infostealer since last September. The researchers said the latest version of Banshee, which went undetected for two months, introduced string encryption taken from Apple’s XProtect, which likely caused antivirus systems to overlook the macOS malware.
“As macOS continues to gain popularity, with over 100 million users globally, it’s becoming an increasingly attractive target for cyber criminals,” wrote the Check Point researchers. “This stealthy malware doesn’t just infiltrate: it operates undetected, blending seamlessly with normal system processes. What makes Banshee truly alarming is its ability to evade detection. Even seasoned IT professionals struggle to identify its presence.”
Lawrence Pingree, vice president at Dispersive, said one big takeaway from this news is that no operating system is immune to malware: period.
“This notion people have had that MacOS — or any other operating system, including Linux — is immune to malware is a farce,” said Pingree.
Infostealers are often used to collect credentials, said Pingree, and these credentials are often fed immediately into major breaches or subsequent hacker activity. Isolating identity systems is a crucial defensive step, said Pingree, along with endpoint protection and identity threat detection and response capabilities.
Jaron Bradley, director of threat labs at Jamf, said his team has observed a significant rise in stealer campaigns that gained momentum in 2023. Bradley said these campaigns have proven highly successful, even on the macOS platform.
“The success of these stealers is primarily driven by social engineering, where attackers convince users to execute the malware themselves,” explained Bradley. “This highlights an important lesson: no matter how robust the operating system's security measures are, attackers can often bypass them by presenting users with a convincing reason to act. It also underscores that while Apple's XProtect rules are effective at detecting known malware, they are closely monitored by malware authors, allowing them to adapt and evade detection in future iterations using creative methods.”
Banshee Stealer represents a clear indication of the evolving threats targeting macOS systems, which are traditionally viewed as more secure than their PC counterparts, and less susceptible to malware and viruses, said James Scobey, chief information security officer at Keeper Security.
“As attackers refine their techniques, including leveraging encryption methods inspired by native security tools, it’s evident that businesses can no longer rely on legacy assumptions about platform security,” said Scobey. “Sophisticated malware like Banshee Stealer can bypass traditional defenses, capitalizing on stolen credentials and user errors.”
Eric Schwake, director of cybersecurity strategy at Salt Security, added that the return of Banshee Stealer malware, which has improved its capability to evade antivirus software and steal confidential data, represents a significant risk for organizations using macOS devices.
“Despite the common belief that Macs offer greater security, this incident emphasizes that organizations must adopt strong security measures across all devices, independent of their operating systems,” said Schwake. “This entails implementing endpoint security solutions, enforcing strict password policies, educating staff about phishing and malware risks, and ensuring all software is regularly updated with the latest security patches.”