Friday, January 10, 2025

Banshee 2.0 Steals Apple’s Encryption to Hide on Macs


The macOS infostealer “Banshee” has been observed slipping past antivirus programs by using a string encryption algorithm it lifted from Apple.

Banshee has been spreading since July, primarily through Russian cybercrime marketplaces, where it was sold as a $1,500 “stealer-as-a-service” for Macs. It is designed to steal credentials from browsers — Google Chrome, Brave, Microsoft Edge, Vivaldi, Yandex, and Opera — and from browser extensions associated with cryptocurrency wallets — Ledger, Atomic, Wasabi, Guarda, Coinomi, Electrum, and Exodus. It also collects additional information about targeted systems, including software and hardware specifications, and the password needed to unlock the system.

It was far from a perfect tool, widely detected by antivirus programs, thanks in part to its being packaged entirely in plaintext. But on Sept. 26, researchers from Check Point spotted a stronger variant. This more successful variant remained otherwise undetected for months, primarily because it was encrypted with the same algorithm used by Apple’s XProtect antivirus tool for macOS.

Banshee Malware Steals From XProtect

XProtect is Apple’s decade-and-a-half-old anti-malware engine for macOS. To detect and block malware, it uses “Remediator” binaries, which combine various anti-malware techniques and tools, including YARA rules, which contain patterns and signatures associated with known threats.

Check Point found that the same encryption algorithm that protects XProtect’s YARA rules also hid the September variant of Banshee.

It is not clear how the malware author — nom de guerre “0xe1” or “kolosain” — gained access to that algorithm.

“It could be that they performed a reverse engineering of the XProtect binaries, or even read related publications, but we cannot confirm it,” Antonis Terefos, reverse engineer at Check Point Research, speculates. “Once the string encryption of macOS XProtect becomes known — meaning the way the antivirus is storing the YARA rules is reverse-engineered — threat actors can easily ‘reimplement’ the string encryption for malicious purposes,” he says.

Either way, the effect was significant. “The majority of the antivirus solutions in VirusTotal detected the initial Banshee samples using plaintext, but once the developer introduced this novel string encryption algorithm, none of the roughly 65 antivirus engines in VirusTotal detected it,” he says.

That remained the case for around two months. Then, on Nov. 23, Banshee’s source code was leaked on the Russian-language cybercrime forum “XSS.” 0xe1 shuttered his malware-as-a-service (MaaS) operation, and antivirus vendors eventually incorporated relevant YARA rules. But even after that point, Terefos reports, the encrypted Banshee remained undetected by most engines on VirusTotal.

How Banshee Stealer Is Spreading in Cyberattacks

Since late September, Check Point has identified more than 26 campaigns spreading Banshee. Broadly speaking, they can be grouped into two clusters.

In three waves of campaigns lasting from mid-October to early November, threat actors spread the infostealer via GitHub repositories. The repositories promised users cracked versions of popular software, like Adobe programs and various image and video editing tools. The malware was hidden behind generic file names such as “Setup,” “Installer,” and “Update.” This same cluster of activity also targeted Windows users with the popular Lumma Stealer.

The remaining campaigns spread Banshee via phishing sites of one kind or another. In these cases, the attackers disguised the malware as various popular software packages, including Google Chrome, TradingView, Zegent, Parallels, Solara, CryptoNews, MediaKIT, and Telegram. If a visitor was using macOS, they’d get a download link.

More, and more varied, campaigns could be on the way now that Banshee has been leaked. Thus, Terefos says, “Despite macOS traditionally being considered more secure, Banshee’s success demonstrates the importance for macOS users to remain vigilant and aware of the threats.”
