Banshee: The Stealer That "Stole Code" From MacOS XProtect
Jan. 9, 2025, 3:41 p.m.
Description
A new version of the Banshee macOS stealer, linked to Russian-speaking cybercriminals, has been tracked since September 2024. It evaded detection for more than two months by encrypting its strings with the same algorithm that Apple's XProtect antivirus engine uses, so its obfuscated strings looked like legitimate Apple code rather than malware. The stealer harvests browser credentials, cryptocurrency wallets and other sensitive data. It was distributed through malicious GitHub repositories and phishing websites, typically posing as popular software. The Banshee stealer-as-a-service operation, priced at $3,000, was advertised on Telegram and dark web forums until it shut down in November 2024 after its source code leaked. Threat actors nevertheless continue to distribute updated builds, underscoring the growing trend of targeting macOS users.
Date
Published: Jan. 9, 2025, 3:08 p.m.
Created: Jan. 9, 2025, 3:08 p.m.
Modified: Jan. 9, 2025, 3:41 p.m.
Indicators
oxygen.solutions
fotor.software
data.country
.216.183.49
servicedny.site
westar.io
seallysl.site
opposezmny.site
goalyfeastz.site
forbidstow.site
faulteyotk.site
dilemmadu.site
contemteny.site
coincapy.com
authorisev.site
alden.io
api7.cfd
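The network indicators above are most useful when matched against DNS or proxy telemetry. The following script is an added example, not part of the original pulse or of any vendor tooling: it loads the domain list from this page, normalizes queried hostnames, and matches them on label boundaries so that subdomains of an indicator hit while look-alike names such as notalden.io do not. The log lines and the dnsmasq-style format are constructed for illustration; the truncated IP entry is left out because its leading octets are missing in the source.

```python
"""Match DNS log lines against the Banshee network indicators listed on this page.

Added example (not from the original pulse). Log lines below are constructed;
the domain list is copied from the Indicators section.
"""
import re
from typing import List, Optional, Tuple

# Domain indicators from the page. The IP entry is omitted because the
# source only preserves its last three octets.
IOC_DOMAINS = {
    "oxygen.solutions", "fotor.software", "data.country", "servicedny.site",
    "westar.io", "seallysl.site", "opposezmny.site", "goalyfeastz.site",
    "forbidstow.site", "faulteyotk.site", "dilemmadu.site", "contemteny.site",
    "coincapy.com", "authorisev.site", "alden.io", "api7.cfd",
}


def normalize_host(host: str) -> str:
    """Lower-case the name and drop the trailing dot DNS logs often append."""
    return host.strip().lower().rstrip(".")


def matching_ioc(host: str) -> Optional[str]:
    """Return the indicator that `host` equals or is a subdomain of, else None.

    Matching walks label boundaries, so 'cdn.alden.io' matches 'alden.io'
    but 'notalden.io' does not (a plain substring check would match both).
    """
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


# Constructed sample lines in a dnsmasq-like "query[TYPE] host from client" format.
SAMPLE_LOG = """\
Jan  9 15:08:01 dnsmasq[412]: query[A] cdn.alden.io. from 10.0.0.12
Jan  9 15:08:03 dnsmasq[412]: query[A] www.apple.com from 10.0.0.12
Jan  9 15:08:05 dnsmasq[412]: query[AAAA] notalden.io from 10.0.0.7
Jan  9 15:08:09 dnsmasq[412]: query[A] API7.CFD from 10.0.0.7
"""

QUERY_RE = re.compile(r"query\[\w+\]\s+(?P<host>\S+)\s+from\s+(?P<client>\S+)")


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, queried_host, matched_ioc) for each line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        ioc = matching_ioc(m.group("host"))
        if ioc:
            hits.append((m.group("client"), normalize_host(m.group("host")), ioc))
    return hits


if __name__ == "__main__":
    for client, host, ioc in scan_log(SAMPLE_LOG):
        print(f"{client} queried {host} (matches indicator {ioc})")
```

On the sample input only the cdn.alden.io and API7.CFD queries are reported; the look-alike notalden.io and the benign www.apple.com are not. To run it against real telemetry, replace SAMPLE_LOG with the contents of your resolver or proxy log and adjust QUERY_RE to that log's line format.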
Attack Patterns
Banshee Stealer
Lumma Stealer
Banshee
T1119 Automated Collection
T1564.001 Hide Artifacts: Hidden Files and Directories
T1115 Clipboard Data
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1012 Query Registry
T1059.004 Command and Scripting Interpreter: Unix Shell
T1087 Account Discovery
T1056.001 Input Capture: Keylogging
T1555 Credentials from Password Stores
T1113 Screen Capture
T1070.004 Indicator Removal: File Deletion
T1543.001 Create or Modify System Process: Launch Agent
T1204.002 User Execution: Malicious File
T1059.002 Command and Scripting Interpreter: AppleScript
T1005 Data from Local System
T1016 System Network Configuration Discovery
T1518 Software Discovery
T1082 System Information Discovery
T1057 Process Discovery
T1083 File and Directory Discovery
T1033 System Owner/User Discovery
T1053 Scheduled Task/Job