Cybersecurity researchers have discovered a new, stealthier version of the macOS-targeting malware known as Banshee Stealer.
“Once thought to be broken after the source code was leaked in late 2024, this new iteration introduces advanced string encryption inspired by Apple’s XProtect”, Check Point Research said in a new analysis shared with The Hacker News. “This development bypasses antivirus systems, posing a significant risk to more than 100 million macOS users worldwide.”
The cybersecurity firm said it discovered the new version in late September 2024, when the malware was distributed using phishing websites and fake GitHub repositories masquerading as popular software such as Google Chrome, Telegram and TradingView.
Banshee Stealer was documented for the first time in August 2024 by Elastic Security Labs. Offered as part of a malware-as-a-service (MaaS) model to other cybercriminals for $3,000 per month, it is capable of collecting data from web browsers, cryptocurrency wallets and files that match certain extensions.
The malware operation shut down in late November 2024 after its source code was leaked online. However, Check Point said it has identified several campaigns that are still distributing the malware through phishing websites, although it is not yet known whether they are being carried out by previous customers.
The new variant is distinguished by the removal of the Russian language check, which was used to prevent the infection of Macs that set Russian as the system default. Eliminating this feature means that threat actors are looking to cast a wider net of potential targets.
Another major update is the use of the string encryption algorithm from Apple’s XProtect antivirus engine to obfuscate the text strings used in the original version of Banshee Stealer.
“Today’s malware campaigns are exploiting common human vulnerabilities, not just platform-specific flaws,” said Eli Smadja, manager of the security research group Check Point Research, in a statement shared with The Hacker News. “MacOS, like any other OS, is exposed to these new threats, especially when cybercriminals use advanced techniques such as social engineering and fake software updates.”
The findings come as Discord spam is also being used to spread various malware families, such as Nova Stealer, Ageo Stealer, and Hexon Stealer, under the guise of testing a new video game.
“One of the main interests for hijackers seems to be Discord credentials, which can be used to expand their network of compromised accounts,” Malwarebytes said. “It also helps them because some of the stolen information includes the accounts of victims’ friends.”