Banshee Stealer Threat

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.
Summary
In 2024, macOS gained 100.4 million users, making up 15.1% of the global PC market. Despite its security features, macOS is targeted by malware like Banshee Stealer, which steals browser credentials, cryptocurrency wallets, and other sensitive data. Banshee was distributed through phishing sites and malicious GitHub repositories. Its updated version, first seen in September, used a string encryption algorithm identical to one found in Apple's XProtect to avoid detection. Although a source code leak in November led to antivirus detection and the end of its stealer-as-a-service offering, phishing campaigns delivering Banshee continue.
Since September 2024, researchers have been tracking a new version of Banshee Stealer, a macOS-targeting malware linked to Russian-speaking cybercriminals. This updated version remained undetected for over two months, using a string encryption algorithm identical to one found in Apple’s XProtect antivirus. This distinguished it from earlier versions of Banshee, whose source code was leaked on XSS forums. The malware was distributed through various methods, including malicious GitHub repositories, which also targeted Windows users with Lumma Stealer.
Banshee Stealer operated as a “stealer-as-a-service,” priced at $3,000 and promoted on Telegram and dark web forums like XSS and Exploit. However, after the source code was leaked on November 23, 2024, the author shut down the service the following day. Despite this, cybercriminals continue to distribute the malware through phishing websites, posing an ongoing threat to macOS users.
Technical Detail
The primary change in the updated versions is the use of string encryption, replacing the plain text strings seen in earlier samples. Interestingly, this encryption method mirrors the one used by Apple in macOS's XProtect antivirus engine.

Despite these updates, Banshee's core functionality remains consistent, focusing on data theft and evasion techniques. Key changes include:
● Anti-Analysis Techniques: Banshee uses the fork() function to spawn a child process, which makes the running code harder to follow under a debugger. It closes the terminal session, runs as a daemon, and attempts to gain access to the root directory. If that fails, the malware halts; otherwise it redirects its standard input and output to /dev/null to stay quiet.
● Data Staging: The malware creates a temporary directory in which to stage stolen data, targeting browser data, system information, and keychain passwords. The updated version also drops the earlier language check that terminated the malware if Russian was detected.
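The anti-analysis behaviour described above (fork, detach from the terminal, run as a daemon, point standard descriptors at /dev/null) is also what a legitimate launchd daemon looks like, so the useful hunting signal is that combination plus an executable running from a mounted disk image or a user-writable path. The following added example is not code from the report or from Banshee; it scores constructed process-telemetry records against those traits. It reads the report's "root directory access" as a daemon-style chdir to "/", which is an assumption, and the record format, field names and sample records are constructed for the example.

```python
"""Triage heuristic for daemonized processes launched from user-writable paths.

Added example, not code from the report or from the malware it describes.
Each record is scored for the daemonization traits the report attributes to
Banshee's anti-analysis routine; the image path decides whether the result
is worth a look, because system daemons show the same traits.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEV_NULL = "/dev/null"

# Paths a binary launched from a mounted .dmg, an extracted archive or a
# download folder would run from; macOS system daemons do not live here.
USER_WRITABLE_PREFIXES = ("/Volumes/", "/Users/", "/private/tmp/", "/tmp/", "/private/var/folders/")


@dataclass(frozen=True)
class ProcessRecord:  # constructed telemetry schema, not a real sensor format
    pid: int
    ppid: int
    path: str            # executable image path
    cwd: str             # current working directory
    tty: Optional[str]   # controlling terminal, None once detached
    fd0: str             # what stdin, stdout and stderr are attached to
    fd1: str
    fd2: str


def daemon_traits(rec: ProcessRecord) -> List[str]:
    """Return the names of the daemonization traits present on one record."""
    traits = []
    if rec.ppid == 1:
        traits.append("reparented-to-launchd")   # parent exited after fork()
    if rec.tty is None:
        traits.append("no-controlling-tty")      # terminal session closed
    if rec.cwd == "/":
        traits.append("cwd-root")                # assumed reading of "root directory access"
    if (rec.fd0, rec.fd1, rec.fd2) == (DEV_NULL, DEV_NULL, DEV_NULL):
        traits.append("stdio-devnull")
    if rec.path.startswith(USER_WRITABLE_PREFIXES):
        traits.append("user-writable-image-path")
    return traits


def is_suspect(rec: ProcessRecord) -> bool:
    """Flag only fully daemonized processes (at least three of the four daemon
    traits) whose image lives in a user-writable or mounted-volume path."""
    traits = daemon_traits(rec)
    return "user-writable-image-path" in traits and len(traits) >= 4


def hunt(records: List[ProcessRecord]) -> List[Tuple[int, List[str]]]:
    """Return (pid, traits) for every suspect record, in input order."""
    return [(r.pid, daemon_traits(r)) for r in records if is_suspect(r)]


# Constructed sample telemetry, not real captures.
SAMPLE_PROCESSES = [
    # A normal system daemon: fully daemonized, but running from a system path.
    ProcessRecord(88, 1, "/usr/libexec/logd", "/", None, DEV_NULL, DEV_NULL, DEV_NULL),
    # An interactive shell: terminal attached, home directory as cwd.
    ProcessRecord(612, 590, "/bin/zsh", "/Users/alice", "ttys001",
                  "/dev/ttys001", "/dev/ttys001", "/dev/ttys001"),
    # A hypothetical tool the user runs in the foreground from Downloads.
    ProcessRecord(733, 612, "/Users/alice/Downloads/tool/bin/tool", "/Users/alice/Downloads",
                  "ttys001", "/dev/ttys001", "/dev/ttys001", "/dev/ttys001"),
    # The pattern from the report: binary from a mounted "Installer.dmg",
    # re-parented, detached, cwd "/", stdio to /dev/null.
    ProcessRecord(4711, 1, "/Volumes/Installer/Installer.app/Contents/MacOS/Installer", "/",
                  None, DEV_NULL, DEV_NULL, DEV_NULL),
]

if __name__ == "__main__":
    for pid, traits in hunt(SAMPLE_PROCESSES):
        print(f"pid {pid}: {', '.join(traits)}")
```

This is a triage heuristic rather than a verdict: a GUI application a user launches from their Downloads folder is also started by launchd with no terminal and /dev/null descriptors, so hits still need a look at the image's signature, origin and the mounted volume it came from.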
Stealing Capabilities
Banshee can extract:
● Browser Data: Credentials from Chrome, Brave, Edge, Opera, and other browsers, as well as extensions like cryptocurrency wallets and 2FA tools.
● Wallet Data: Information from wallets such as Exodus, Electrum, and Ledger.
● System Info: macOS software and hardware details, the external IP address, and user passwords harvested through deceptive password prompts.
● Keychain Passwords: Saved credentials and other sensitive data.
Network Communication
Stolen data is collected in a temporary folder, zipped, encrypted, and encoded before being sent to a command-and-control (C&C) server. Earlier versions used Django-based servers; newer versions switched to FastAPI for added stealth, with admin panels hidden behind relay servers.

Campaigns and Distribution
Banshee Stealer has been distributed in multiple campaigns, primarily targeting macOS users via GitHub and phishing websites.
GitHub Campaigns
Three waves of malicious GitHub repositories were observed:
● October 18-21: Nine repositories posing as cracked software, including Adobe tools, distributed malicious .dmg files targeting macOS.
● October 31: Repositories targeting both macOS and Windows users, offering archives containing Banshee and Lumma Stealer, respectively.
● November 3: Similar campaigns targeting macOS and Windows, with filenames such as "Installer.dmg" and "Setup.exe".
These repositories were often made to look legitimate by accumulating stars and an apparent history of activity before malware was added.

Phishing Websites
Recent campaigns impersonated popular software such as Telegram, TradingView, and MediaKIT. For example:
● A fake Telegram phishing site served a malicious .dmg file to macOS users while ignoring Windows and Linux users.
● URLs such as api7[.]cfd and coincapy[.]com hosted malicious files.
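The domains above are published defanged (api7[.]cfd) so they cannot be clicked by accident, which means they have to be refanged before they can be matched against telemetry. The following added example is not from the report; it refangs the report's two domain indicators and matches them against web-proxy log lines, including subdomains and the disk-image downloads the report describes. The log line format and the log lines themselves are constructed for the example.

```python
"""Match the report's defanged domain indicators against web-proxy logs.

Added example, not code from the report. Indicators are kept defanged as
published and refanged only inside the matcher; a host matches an indicator
when it is the domain itself or a subdomain of it.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Domains named in the report, kept defanged as published.
REPORT_INDICATORS = ["api7[.]cfd", "coincapy[.]com"]

# Constructed log format: <timestamp> <client-ip> <method> <url> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def refang(indicator: str) -> str:
    """Undo the usual defanging conventions and normalise to a bare lowercase domain."""
    d = indicator.strip().lower()
    d = d.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    d = d.replace("hxxp://", "").replace("hxxps://", "")
    return d.strip("./")


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself and any subdomain; 'notapi7.cfd' must not match 'api7.cfd'."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def scan_proxy_log(lines: List[str], indicators: List[str]) -> List[Dict[str, object]]:
    """Return one hit per log line whose URL host matches a refanged indicator."""
    domains = [refang(i) for i in indicators]
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed or non-request line, skipped rather than guessed at
        parsed = urlparse(m["url"])
        host = parsed.hostname or ""
        for domain in domains:
            if host_matches(host, domain):
                hits.append({
                    "ts": m["ts"],
                    "client": m["client"],
                    "host": host,
                    "indicator": domain,
                    # a .dmg download is the delivery vehicle the report describes
                    "dmg_download": parsed.path.lower().endswith(".dmg"),
                })
                break
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2024-11-05T09:12:01Z 10.0.0.5 GET https://github.com/example/repo/releases 200",
    "2024-11-05T09:12:44Z 10.0.0.5 GET https://cdn.coincapy.com/Installer.dmg 200",
    "2024-11-05T09:13:02Z 10.0.0.7 GET http://notapi7.cfd/index.html 200",
    "2024-11-05T09:13:40Z 10.0.0.7 GET https://api7.cfd/index.html 200",
    "this line is not a request record",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG, REPORT_INDICATORS):
        print(hit)
```

The suffix check in host_matches is what keeps a lookalike such as notapi7.cfd from matching api7.cfd while still catching cdn.coincapy.com; matching on substrings would produce both false positives and a noisy queue.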
Banshee Stealer Evolution
After the November source code leak, antivirus detection improved. However, this leak has also enabled other threat actors to create new forks and versions.
Darkweb Activity
The creator of Banshee, using the alias @kolosain, initially sold the stealer for $2,999 in July, later reducing the price to $1,500 per month on forums like XSS and Exploit. By late August, the author began recruiting affiliates to operate campaigns, offering up to 65% profit shares. In October, following the code leak, the author attempted to sell the entire project for 1 Bitcoin, later dropping the price to $30,000. This timing suggests an attempt to profit quickly before the leak's impact became widespread.
Recommendation
We have listed some essential cybersecurity best practices that form the first line of defense against attackers. We recommend that our readers follow the practices given below:
● Regularly update operating systems and applications so that known vulnerabilities are patched, reducing the risk of exploitation by malware like Banshee Stealer.
● Avoid clicking on suspicious links or opening attachments from unknown senders, as these may lead to malware infections. Always verify the legitimacy of the source before interacting with it.
● Educate employees and users about common cyber threats, such as phishing and malware, to promote vigilance and reduce the likelihood of falling victim to social engineering attacks.
Conclusion
The introduction of string encryption in Banshee allowed this macOS-targeting malware to evade antivirus detection for over two months, and shows how threat actors are expanding their focus to multiple operating systems. While GitHub repositories are used mainly to target Windows users, attackers have started adapting their methods to target macOS, Linux, and Android as well, using unprotected DMG files and archives. This highlights the need for macOS users to stay vigilant, and for security solutions to evolve, in order to defend against increasingly sophisticated and widespread attacks.