Security Alert: macOS Malware ‘Banshee’ Employs Apple’s Code to Bypass Detection


The DMN Security Bite is presented by Mosyle, an Apple device management and security platform.


A recent report from Check Point Research reveals that a new variant of the notorious Banshee stealer, used by Russian-speaking cybercriminals, borrowed one of Apple’s own defensive techniques to avoid detection. The malware remained undetected for more than two months by reusing the same string-encryption algorithm found in macOS’s built-in XProtect antivirus engine.

If you’re a regular follower of Security Bite, you’ve heard the assertion (more than once) that stealer malware, often sold through malware-as-a-service (MaaS) models, poses the most significant risk to Mac users today. Stealers are highly destructive: they harvest iCloud Keychain passwords, cryptocurrency wallets, sensitive data from files, and even the system password. Cybercriminals frequently disguise them as legitimate applications to compromise systems.


Notably, this newly identified Banshee variant uses a tactic I had not encountered before. The malware effectively “borrowed” the string-encryption algorithm used by Apple’s XProtect antivirus engine. Apple uses that encryption to protect the YARA rules embedded in its XProtect Remediator binaries; the malware used it to hide the strings that would otherwise reveal its malicious operations. More about YARA rules and XProtect can be found here.

Check Point’s explanation is that antivirus engines are used to seeing this particular encryption in legitimate Apple security tools, so they did not treat it as suspicious. Encrypting the strings also defeats the simplest signatures outright: the file paths, domains, and other indicators a string-based rule would match never appear in plaintext in the binary.

This tactic proved highly effective until the malware’s source code was leaked on underground forums in November 2024, reportedly by affiliates. Soon after, many antivirus engines on VirusTotal received new signatures that detected the variant. According to the report, the malware authors shut down their operation the day after the leak. By then the variant had been circulating undetected for at least two months.
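To make the evasion described above, and the post-leak recovery, concrete, here is an added toy model. It is my own illustration, not code from the article, Check Point, or Apple, and it does not reproduce the real XProtect or Banshee algorithm, which the page does not give: the repeating-key XOR cipher, the key, the “decoder stub” bytes, the length-prefixed string table, the signer labels, and the sample binaries are all constructed. It shows a plaintext-string signature catching an old-style stealer but missing one whose strings are encrypted, a routine-level signature that matches both the stealer and the legitimate Apple tool (and so is only useful combined with a code-signing check), and how knowing the key, as vendors effectively did once the source leaked, restores string-based detection.

```python
"""Toy model of string-encryption evasion and its detection.

Added illustration, not code from the article, Check Point or Apple.
The cipher, key, 'decoder stub' bytes, string-table layout, signer
labels and sample binaries are all constructed; the real XProtect /
Banshee algorithm is not reproduced on the page.
"""

# Hypothetical repeating-key XOR standing in for the borrowed string cipher.
TOY_KEY = b"\x5a\xa5\x3c"

# Hypothetical bytes of the compiled string-decryption routine. Modelling
# assumption: because the stealer reused Apple's routine, the same bytes
# appear in both the legitimate tool and the malicious binary.
DECODER_STUB = b"\x48\x31\xc0\x0f\xb6\x14\x07\x32\x14\x0e\x88\x14\x07"

# Constructed indicators that a plaintext string signature would look for.
IOCS = [
    b"/Library/Keychains/login.keychain-db",
    b"wallet.dat",
    b"http://c2.example.invalid/gate",
]


def toy_xor(data: bytes, key: bytes = TOY_KEY) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_table(entries) -> bytes:
    """Length-prefixed string table: one length byte, then the entry bytes."""
    return b"".join(bytes([len(e)]) + e for e in entries)


def unpack_table(table: bytes) -> list:
    """Inverse of pack_table."""
    out, i = [], 0
    while i < len(table):
        n = table[i]
        out.append(table[i + 1:i + 1 + n])
        i += 1 + n
    return out


def build_binary(strings, encrypt_strings: bool, signer: str) -> dict:
    """Fake binary: decoder routine followed by its (possibly encrypted) string table.

    'signer' stands in for the result of a real code-signature check (for
    example the Team ID reported by codesign), which this toy does not perform.
    """
    entries = [toy_xor(s) if encrypt_strings else s for s in strings]
    return {"signer": signer, "blob": DECODER_STUB + pack_table(entries)}


def string_table(blob: bytes) -> list:
    """Entries of the string table that follows the decoder routine."""
    return unpack_table(blob[len(DECODER_STUB):])


def plaintext_ioc_hits(blob: bytes) -> list:
    """Classic string signature: IOCs that appear verbatim in the binary."""
    return [ioc for ioc in IOCS if ioc in blob]


def has_decoder_routine(blob: bytes) -> bool:
    """Signature on the decryption routine itself, independent of the strings."""
    return DECODER_STUB in blob


def naive_verdict(sample: dict) -> str:
    """String-only detection: the approach the article describes failing."""
    return "malicious" if plaintext_ioc_hits(sample["blob"]) else "clean"


def hardened_verdict(sample: dict, known_key: bytes = None) -> str:
    """Routine signature plus provenance, plus decryption once the key is known."""
    blob = sample["blob"]
    if plaintext_ioc_hits(blob):
        return "malicious"
    if known_key is not None:
        # Once the key is known (here: after the source leak), decrypt the
        # table and re-run the string signatures on the recovered plaintext.
        decrypted = (toy_xor(e, known_key) for e in string_table(blob))
        if any(s in IOCS for s in decrypted):
            return "malicious"
    # The routine alone is shared with Apple's own tool, so it only counts
    # against a binary that is not Apple's.
    if has_decoder_routine(blob) and sample["signer"] != "Apple":
        return "suspicious"
    return "clean"


def demo() -> dict:
    """Run both detectors over three constructed binaries."""
    # Constructed stand-in for the encrypted rule text inside Apple's tool.
    apple_tool = build_binary([b"rule ToyRule { condition: true }"],
                              encrypt_strings=True, signer="Apple")
    old_stealer = build_binary(IOCS, encrypt_strings=False, signer="ad-hoc")
    new_stealer = build_binary(IOCS, encrypt_strings=True, signer="ad-hoc")
    return {
        "apple_tool": (naive_verdict(apple_tool), hardened_verdict(apple_tool)),
        "old_stealer": (naive_verdict(old_stealer), hardened_verdict(old_stealer)),
        "new_stealer": (naive_verdict(new_stealer), hardened_verdict(new_stealer)),
        "new_stealer_after_leak": hardened_verdict(new_stealer, known_key=TOY_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the `signer` check is the one a practitioner should take away: a signature on the shared decryption routine cannot distinguish the stealer from Apple’s own binary on its own, so it has to be paired with provenance (a verified Apple code signature) or with recovered plaintext, which is what the post-leak signature updates amounted to.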

“Threat actors predominantly disseminated this new variant via phishing sites and malicious GitHub repositories. In some campaigns on GitHub, threat actors focused on both Windows and MacOS users with the Lumma and Banshee Stealers,” according to Check Point Research. Lumma represents another prevalent strain of stealer malware, specifically targeting Windows users.

For a thorough analysis of the malware itself, please refer to Check Point’s complete report.


Follow Arin: Twitter/X, LinkedIn, Threads
