Advanced ‘Banshee Stealer’ Variant Uses Apple XProtect-Style Encryption for Evasion

• The latest version of Banshee Stealer includes several notable updates, allowing it to target a broader audience and evade detection more effectively.
• The main enhancement is the adoption of a string encryption algorithm inspired by Apple's XProtect antivirus engine.
• Also, the check preventing infection of systems using Russian as the default language has been removed.

A new and more sophisticated variant of Banshee Stealer was discovered. Initially believed to be inactive following a source code leak in late 2024, the macOS-focused information-stealing malware has resurfaced with advanced features aimed at evading antivirus detection.

The novel iteration introduces advanced string encryption inspired by Apple's XProtect which allows it to bypass antivirus systems, Check Point Research noted in the latest security report, putting over 100 million users globally at risk.

The latest version, detected in late September 2024, uses phishing websites and fake GitHub repositories to spread. These campaigns masquerade as legitimate software such as Google Chrome, Telegram, and TradingView, enticing victims to install the malware. 

One of the variant's key enhancements is the adoption of a string encryption algorithm inspired by Apple's XProtect antivirus engine, which obfuscates plaintext strings in the malware’s code, making it significantly more challenging for antivirus systems to detect and analyze.

The original version of Banshee Stealer included a check preventing infection of systems using Russian as the default language, a common tactic used to avoid attention from Russian authorities. This feature was removed, suggesting the operators aim to extend their reach to a wider pool of potential victims on a global scale.

Besides phishing campaigns, attackers are also using platforms like Discord to distribute stealer malware, including Nova Stealer, Ageo Stealer, and Hexon Stealer. These campaigns often pose as messages about testing new video games, luring unsuspecting users into downloading infected files.

Initially documented by Elastic Security Labs in August 2024, Banshee Stealer operates on a malware-as-a-service (MaaS) model, sold to other cybercriminals for $3,000 per month. The malware is capable of harvesting sensitive data, including web browser details, cryptocurrency wallet credentials, and files with specific extensions.

The malware's operations initially faltered in November 2024 when its source code was leaked online, causing the service to halt. Despite this disruption, Check Point Research has identified multiple campaigns still distributing Banshee Stealer via phishing platforms. Whether these campaigns involve the malware's original customers or new threat actors remains unclear.