{"id":1474,"date":"2025-01-10T11:24:32","date_gmt":"2025-01-10T11:24:32","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1474"},"modified":"2025-01-10T11:24:32","modified_gmt":"2025-01-10T11:24:32","slug":"malware-targets-mac-users-by-using-apples-security-tool","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1474","title":{"rendered":"Malware targets Mac users by using Apple\u2019s security tool"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A variant of the Banshee macOS infostealer was seen duping detection systems with new string encryption copied from Apple\u2019s in-house algorithm.<\/p>\n<p>Check Point Research, which caught the variant after two months of successful evasion, said threat actors distributed Banshee using <a href=\"https:\/\/www.csoonline.com\/article\/514515\/what-is-phishing-examples-types-and-techniques.html\">phishing<\/a> websites and fake GitHub repositories, often impersonating popular software like Google Chrome, Telegram, and TradingView.<\/p>\n<p>Ngoc Bui, a cybersecurity expert at Menlo Security, said the new variant highlights a significant gap in Mac security. \u201cWhile companies are increasingly adopting Apple ecosystems, the security tools haven\u2019t kept pace,\u201d he said. \u201cEven leading <a href=\"https:\/\/www.csoonline.com\/article\/653052\/how-to-pick-the-best-endpoint-detection-and-response-solution.html\">EDR<\/a> solutions have limitations on Macs, leaving organizations with significant blind spots. 
We need a multi-layered approach to security, including more trained hunters on Mac environments.\u201d<\/p>\n<p>The malware is known for stealing browser credentials, cryptocurrency wallets, and other sensitive data.<\/p>\n<h2 class=\"wp-block-heading\">Turning Apple\u2019s own tech against it<\/h2>\n<p>Check Point researchers found the new Banshee variant using a \u201cstolen\u201d string encryption algorithm from Apple\u2019s XProtect engine, which likely let it evade detection for over two months.<\/p>\n<p>Where the original version used plain-text strings, the new variant adopts Apple\u2019s string encryption, which it uses to encrypt URLs, commands, and other sensitive data so that they aren\u2019t readable or detectable by the static analysis tools that antivirus systems use to scan for known malicious signatures.<\/p>\n<p>\u201cAs attackers refine their techniques, including leveraging encryption methods inspired by native security tools, it\u2019s evident that businesses can no longer rely on legacy assumptions about platform security,\u201d said James Scobey, chief information security officer at Keeper Security. \u201cSophisticated malware like Banshee Stealer can bypass traditional defenses, capitalizing on stolen credentials and user errors.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Banshee 2.0<\/h2>\n<p>Another key difference Check Point Research noticed is that the new variant has removed a Russian language check, hinting at possible new ownership and expanded operations.<\/p>\n<p>\u201cPrevious malware versions terminated operations if they detected the Russian language, likely to avoid targeting specific regions,\u201d the researchers said in a <a href=\"https:\/\/blog.checkpoint.com\/research\/cracking-the-code-how-banshee-stealer-targets-macos-users\/\" target=\"_blank\" rel=\"noopener\">blog post<\/a>. 
\u201cRemoving this feature indicates an expansion in the malware\u2019s potential targets.\u201d<\/p>\n<p>Banshee macOS Stealer gained attention in mid-2024, promoted as a \u201cstealer-as-a-service\u201d on forums like XSS, Exploit, and Telegram. Threat actors could buy it for $3,000 to target macOS users.<\/p>\n<p>In November 2024, however, Banshee\u2019s operations took a wild turn after its <a href=\"https:\/\/github.com\/vxunderground\/MalwareSourceCode\" target=\"_blank\" rel=\"noopener\">source code leaked<\/a> on XSS forums, leading to its public shutdown. The leak improved antivirus detection but sparked worries about new variants being developed by other actors.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A variant of the Banshee macOS infostealer was seen duping detection systems with new string encryption copied from Apple\u2019s in-house algorithm. Check Point Research, which caught the variant after two months of successful evasion, said threat actors distributed Banshee using phishing websites and fake GitHub repositories, often impersonating popular software like Google Chrome, Telegram, 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1475,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1474","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1474"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1474"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1474\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1475"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1474"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1474"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1474"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}