9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
A new report from Check Point Research details how a new variant of the infamous Banshee stealer malware, run by Russian-speaking cybercriminals, takes a page from Apple’s own security practices to evade detection. The malware remained undetected for over two months by incorporating the same string encryption scheme used by macOS’s own XProtect antivirus suite.
If you’re an avid reader of Security Bite, you’ve heard me say (more than once) that stealer malware, usually sold through malware-as-a-service (MaaS) business models, is currently the largest threat to Mac users. These stealers are destructive, targeting your iCloud Keychain passwords, cryptocurrency wallets, sensitive information from files, and even system passwords, like a stealthy low-orbiting ion cannon. Cybercriminals will often embed this malicious code in seemingly legitimate applications as a ploy to infect machines.
Interestingly, this newly discovered variant of Banshee is doing something I’ve never seen before and didn’t even know was possible. The malware effectively “stole” the string encryption algorithm directly from Apple’s XProtect antivirus engine. Apple uses this technique to protect the YARA rules embedded in its XProtect Remediator binaries; the malware repurposed it to hide its own malicious strings from detection. I talk more about YARA rules and XProtect here.
Because antivirus engines are accustomed to seeing this type of encryption in Apple’s legitimate security tools, they didn’t flag it as suspicious when it turned up in the malware.
This strategy proved quite effective for the malware authors until their own affiliates leaked the source code on underground forums in November 2024. It wasn’t long before most antivirus engines on VirusTotal were updated with new signatures that could detect the new strain. According to the report, the malware authors shut down operations the day after the code was leaked. By then, the variant had been circulating undetected for at least 2 months.
“Threat actors distributed this new version mainly via phishing websites and malicious GitHub repositories. In some GitHub campaigns, threat actors targeted both Windows and MacOS users with Lumma and Banshee Stealer,” according to Check Point Research. Lumma is another prolific strain of stealer malware but is written for and targets Windows users.
Detailed analysis of the malware itself can be found in Check Point’s full report.
More in Apple security
- How MacPaw is making cybersecurity accessible to everyone; my exclusive interview from Kyiv. When MacPaw offered to fly me out to Kyiv, Ukraine, to meet and interview the folks leading Moonlock, its cybersecurity division, I jumped at the opportunity. Here’s our discussion
- Washington State suing T-Mobile over data breach impacting 79 million people. Data exposed included social security numbers, phone numbers, physical addresses, unique IMEI numbers, and driver’s license information
- An Apple smart doorbell would be a sure-fire winner – for all of us. While it could be argued that both are commodity products and that Apple’s most important contribution is the HomeKit platform rather than the hardware, there seems little doubt about the opportunity here
- Mosyle exclusively reveals to 9to5Mac details on a new family of Mac malware loaders. Mosyle’s Security Research team discovered that these new threats are written in unconventional programming languages and use several other sneaky techniques to evade detection