The Banshee macOS Stealer can silently infect a Mac and exfiltrate data from it without alerting the built-in antivirus.
Our security operations center was notified of a new macOS infostealer that can affect any Mac. Named "Banshee macOS Stealer", it first appeared in mid-2024 as malware-as-a-service: criminals paid roughly $3,000 a month for a licence and spread it through realistic-looking but fake download sites for common applications such as Chrome, Telegram and TradingView. Note that this is malware, not a bug in macOS; it needs the victim to download and run a trojanised installer. What set it apart was how it hid from Apple's on-board antivirus: later builds encrypt their strings with the same routine Apple's XProtect engine uses, so the binary's strings look like the antivirus's own rather than like a stealer's.
In November 2024 the source code leaked, exposing the inner workings of the software and giving antivirus vendors the samples they needed to write better detections for it. The leak cuts both ways: the code is now available to nation-state and well-funded groups, who can redeploy it against a new set of targets with new and potentially more potent capabilities.
The same fake GitHub repositories that delivered Banshee to Mac users served Windows users Lumma Stealer, a separate Windows infostealer that has been active in the wild for several years.
How Does It Work?
Banshee tricks users into downloading it as supposedly legitimate software via GitHub repositories, spoofed download sites for common applications, and, in a few cases, browser extensions. Once running, the malware checks whether it can obtain root access; if it can, it terminates several processes that would otherwise alert the user to what is happening. It then goes through browser data, browser extensions and system data looking for anything valuable.
Banshee steals credentials from several browsers, including Chrome, Brave, Edge, Vivaldi, Yandex and Opera. It also goes after cryptocurrency wallets, with Exodus, Electrum, Coinomi, Guarda, Wasabi, Atomic and Ledger among the wallets specifically targeted by the Banshee macOS Stealer.
The malware also carries a well-crafted fake login prompt: a password dialog generated with AppleScript (osascript) that mimics a system prompt, and whatever the user types into it is captured. The wording varies, but the most common text to date is: "To launch the application, you need to update the system settings. Please enter your password." A practical check: macOS never asks for your login password as a condition of launching an application, so a prompt like this from a freshly downloaded app should be treated as hostile and the app quit immediately.
Once the targeted files have been collected, a second dialog appears reading "This system does not support running this application", so that the failed launch looks like an ordinary compatibility problem. Banshee is a stealer, not ransomware: the collected data is archived and encrypted before it is sent to the attackers' server, but the victim's own files are left intact.
How To Handle If You Get Infected?
The software still employs anti-analysis techniques to evade detection, so as usual diligence is required: indicators of compromise may be limited and the ability to correlate actions across systems may be limited as well. Put another way, the first sign may be downstream fraud. If your bank calls to confirm an ACH withdrawal you did not initiate and you recently installed software on a Mac from an unofficial source, treat that Mac as potentially compromised. The address 41.216.183.49 is documented as the command-and-control server for this campaign; block it at the egress firewall and search DNS, proxy and netflow logs for any connection to it. Because Banshee is an infostealer, finding it on a machine means assuming everything it targets has already left: rotate every password saved in the affected browsers, invalidate active web sessions (the stolen cookies still work until the server-side session is revoked) and move any funds out of wallets that were on the machine.
Credit to Check Point Research for the tip-off on this nasty piece of malware. The technical details can be found here: Check Point Research Notes on Banshee macOS Stealer
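The three behaviours above, the osascript password prompt, the connection to 41.216.183.49 and the reading of browser credential stores and wallet directories, are all things endpoint telemetry can surface. The following hunt script is an added example written for this write-up, not Check Point's code or anything from the malware itself. It runs over a constructed key=value event format that stands in for whatever your EDR exports; the event format, the rule names, the allowlisting of anything under /Applications and the wallet directory names are all assumptions made for the example.

```python
"""Hunt for Banshee-style stealer activity in macOS endpoint telemetry.

Added example for this write-up, not Check Point's or the malware's own code.
Three checks, each drawn from a behaviour described above:
  1. an osascript password prompt ("display dialog ... with hidden answer"),
     reported under a stronger rule name when it carries the lure text quoted above;
  2. a network connection to the published C2 address 41.216.183.49;
  3. a process running outside /Applications reading the browser credential
     stores or crypto-wallet directories the stealer is reported to target.
The key=value line format below is constructed for the example; map it onto
whatever your EDR exports.
"""
import ipaddress
import re
from dataclasses import dataclass

KNOWN_C2_IPS = {"41.216.183.49"}  # C2 address cited in the write-up

# Lure text quoted above, lower-cased with whitespace collapsed for matching.
BANSHEE_LURE = ("to launch the application, you need to update the system settings. "
                "please enter your password.")

# Credential stores of the browsers and wallets named above. Directory names are the
# usual ones under ~/Library/Application Support; they are an assumption, not a full list.
SENSITIVE_PATH_PATTERNS = [
    re.compile(r"/(Google/Chrome|BraveSoftware/Brave-Browser|Microsoft Edge|Vivaldi"
               r"|Yandex/YandexBrowser|com\.operasoftware\.Opera)/.*(Login Data|Cookies|Web Data)$"),
    re.compile(r"/Application Support/(Exodus|Electrum|Coinomi|Guarda|WasabiWallet|atomic|Ledger Live)/"),
]

# Constructed telemetry (not real Banshee logs): "<type> key=value ...", free-text field last.
SAMPLE_EVENTS = """\
exec pid=4312 ppid=4300 proc=/usr/bin/osascript user=alice cmd=osascript -e 'display dialog "To launch the application, you need to update the system settings. Please enter your password." default answer "" with hidden answer'
netconn pid=4312 proc=/Users/alice/Downloads/TradingView/TradingView dst=41.216.183.49:80
fileopen pid=4312 proc=/Users/alice/Downloads/TradingView/TradingView path=/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data
fileopen pid=4313 proc=/Users/alice/Downloads/TradingView/TradingView path=/Users/alice/Library/Application Support/Exodus/exodus.wallet/seed.seco
fileopen pid=902 proc=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome path=/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data
netconn pid=777 proc=/usr/bin/curl dst=17.253.144.10:443
exec pid=5000 ppid=1 proc=/usr/bin/osascript user=alice cmd=osascript -e 'display notification "Build finished"'
"""


@dataclass
class Finding:
    rule: str
    pid: int
    proc: str
    detail: str


# key=value pairs; a value runs until the next " key=" or end of line, so free text may contain spaces.
_KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """Turn one telemetry line into a dict with the event type under 'type'."""
    kind, _, rest = line.strip().partition(" ")
    ev = {"type": kind}
    ev.update(_KV.findall(rest))
    return ev


def check_fake_prompt(ev):
    """osascript showing a dialog with a hidden (password) answer field."""
    if ev["type"] != "exec" or not ev.get("proc", "").endswith("/osascript"):
        return None
    cmd = ev.get("cmd", "")
    if "display dialog" not in cmd or "hidden answer" not in cmd:
        return None
    normalised = " ".join(cmd.lower().split())
    rule = "banshee_lure_prompt" if BANSHEE_LURE in normalised else "osascript_password_prompt"
    return Finding(rule, int(ev.get("pid", -1)), ev["proc"], cmd)


def check_c2(ev):
    """Outbound connection to a known C2 address (IPv4 host[:port] form assumed)."""
    if ev["type"] != "netconn":
        return None
    host = ev.get("dst", "").rsplit(":", 1)[0]
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        return None
    if ip in KNOWN_C2_IPS:
        return Finding("banshee_c2_connection", int(ev.get("pid", -1)), ev.get("proc", ""), ev["dst"])
    return None


def check_store_access(ev):
    """A process outside /Applications reading a browser credential store or wallet directory."""
    if ev["type"] != "fileopen":
        return None
    path, proc = ev.get("path", ""), ev.get("proc", "")
    if not any(p.search(path) for p in SENSITIVE_PATH_PATTERNS):
        return None
    # Browsers and wallets installed under /Applications legitimately read their own stores;
    # a binary in Downloads, /tmp or a mounted disk image touching them is the stealer pattern.
    if proc.startswith("/Applications/"):
        return None
    return Finding("credential_store_access", int(ev.get("pid", -1)), proc, path)


def hunt(lines):
    """Run every check over every event and return the findings in event order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for check in (check_fake_prompt, check_c2, check_store_access):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"[{f.rule}] pid={f.pid} proc={f.proc} :: {f.detail}")
```

On the constructed sample the script reports four findings, all from the fake TradingView binary and the osascript it spawned, and stays quiet on Chrome reading its own Login Data, on curl talking to an unrelated address and on an osascript that only posts a notification. The value of correlating by pid is visible here: the lure prompt, the C2 connection and the credential-store reads all share pid 4312, which is the kind of chain that turns three medium-confidence signals into one high-confidence incident.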