Important message for Apple users: Your Mac computer may be infected
Using Apple's proprietary string encryption, the malware evaded detection for months.
January 13, 2025 07:20
Stealing login credentials, crypto wallets and other data
A variant of the Banshee malware for macOS has been observed evading detection systems with a new string encryption technique copied from one of Apple's internal algorithms.
Check Point's investigation found that the malware was distributed through phishing websites and fake GitHub repositories, often impersonating popular software such as Google Chrome, Telegram or TradingView.
This malware is known for stealing browser login credentials, cryptocurrency wallets and other sensitive data.
Cybersecurity expert Ngoc Bui said the new malware variant exposes a significant security flaw in Macs.
"While businesses are increasingly adopting Apple ecosystems, security tools are lagging behind. Even the most advanced EDR solutions have limitations on Mac systems, leaving organisations vulnerable to certain threats. We need a multi-layered approach to security, including more trained professionals working in Mac environments," said Mr Bui.
Apple's stolen encryption algorithm helped prevent detection
Check Point researchers found that the new Banshee variant uses a string encryption algorithm lifted from Apple's XProtect engine, which is why the malware managed to evade detection for more than two months.
The new variant abandons the plaintext strings used in the original version and instead encrypts them with Apple's algorithm. This hides URLs, commands and other sensitive strings so that they cannot be read or matched by the static analysis tools that anti-virus systems use to look for known malicious signatures.
"As hackers evolve their techniques, including encryption methods inspired by native security tools, it is clear that companies can no longer rely on old assumptions about the security of platforms. Sophisticated malware such as Banshee Stealer can bypass traditional safeguards by exploiting stolen credentials and user errors," said cyber security expert James Scobey.
Russian language check removed
Another important difference noted in the Check Point study is the removal of the Russian language check from this release.
"Earlier versions of the malware used to abort operations if Russian was detected, presumably to avoid targets in specific regions. The removal of this feature indicates that the malware's potential targets have expanded," the researchers wrote in a blog post.
Banshee macOS Stealer first appeared on forums such as XSS and Exploit, and on Telegram, in mid-2024. Other cybercriminals could buy it for €3k. The malware, priced at US$ 3,000, targeted macOS users.
In November 2024, however, Banshee's activity began to stall after its source code was leaked on the XSS forums and the operation was publicly shut down. The leak improved anti-virus detection but raised concerns that other actors would develop new variants from it.