A recent report from Check Point Research describes how a new variant of the notorious Banshee stealer malware, attributed to Russian-speaking cybercriminals, borrows from Apple’s own security tooling to stay hidden. The variant evaded detection for more than two months by reusing the same string encryption routine that Apple’s XProtect antivirus suite uses.
If you’re a regular reader of Security Bite, you know I frequently stress that infostealers, sold mostly through malware-as-a-service (MaaS) models, are the single greatest threat to Mac users. They can be devastating: they go after iCloud Keychain passwords, cryptocurrency wallets, sensitive data in files, and even system passwords, like a stealthy low-orbit ion cannon. Cybercriminals typically hide the malicious code inside seemingly legitimate applications to compromise a machine.
Remarkably, this newly identified Banshee variant uses a technique I had never seen before. The malware lifted the string encryption algorithm straight from Apple’s XProtect antivirus engine. Apple normally uses this routine to protect the YARA rules inside the XProtect Remediator binaries; the malware authors repurposed it to encrypt their own strings and so hide the malicious code’s intent from detection. More details on YARA rules and XProtect can be found here.
Because antivirus engines are used to seeing this exact encryption pattern in Apple’s own legitimate security components, the encrypted strings raised no suspicion. Static signatures that look for a stealer’s telltale strings had nothing to match against, and the encryption pattern itself was one the engines associated with Apple, so the binary was not flagged.
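As an added illustration (not code from the Check Point report or from Banshee itself), the Python below shows why encrypting embedded strings defeats plaintext signature matching, and what a scanner that knows the encryption routine can still recover. The repeating-key XOR, its key, the string table layout and the indicator strings are all constructed stand-ins; the page does not describe Apple’s actual routine, and nothing here reproduces it.

```python
import struct
from typing import Iterator, List

# Constructed stand-in key. The page does not give the borrowed routine's key
# or algorithm, so a repeating-key XOR is used here purely as a placeholder.
STAND_IN_KEY = b"\x5a\xc3\x19\x7e"

# Constructed string table: two stealer-style indicators plus benign strings.
# "login.keychain-db" is the real filename of the macOS login keychain; the
# host name is a placeholder, not an indicator taken from the report.
SAMPLE_STRINGS = [
    "CFBundleIdentifier",
    "Library/Keychains/login.keychain-db",
    "https://c2.example.invalid/upload",
    "Hello, World!",
]
INDICATORS = [b"login.keychain-db", b"c2.example.invalid"]


def xor_transform(data: bytes, key: bytes = STAND_IN_KEY) -> bytes:
    """Symmetric repeating-key XOR: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_string_table(strings: List[str], encrypt: bool) -> bytes:
    """Build a length-prefixed string table like one embedded in a binary."""
    out = bytearray()
    for s in strings:
        payload = s.encode()
        if encrypt:
            payload = xor_transform(payload)
        out += struct.pack("<H", len(payload)) + payload
    return bytes(out)


def iter_entries(table: bytes) -> Iterator[bytes]:
    """Walk the length-prefixed entries; stop cleanly on a truncated table."""
    off = 0
    while off + 2 <= len(table):
        (n,) = struct.unpack_from("<H", table, off)
        off += 2
        if off + n > len(table):
            break
        yield table[off:off + n]
        off += n


def scan_plaintext(table: bytes, indicators: List[bytes]) -> List[str]:
    """Classic string signature: match indicators against the raw bytes."""
    hits = set()
    for entry in iter_entries(table):
        for ioc in indicators:
            if ioc in entry:
                hits.add(ioc.decode())
    return sorted(hits)


def scan_with_known_decryptor(table: bytes, indicators: List[bytes]) -> List[str]:
    """Decryptor-aware scan: check each entry raw and after applying the known
    transform, so strings hidden by a recognised routine are still matched."""
    hits = set()
    for entry in iter_entries(table):
        for candidate in (entry, xor_transform(entry)):
            for ioc in indicators:
                if ioc in candidate:
                    hits.add(ioc.decode())
    return sorted(hits)


def demo() -> dict:
    """Run both scanners over a plaintext and an encrypted string table."""
    plain = pack_string_table(SAMPLE_STRINGS, encrypt=False)
    encrypted = pack_string_table(SAMPLE_STRINGS, encrypt=True)
    return {
        "plain_table/plaintext_sigs": scan_plaintext(plain, INDICATORS),
        "encrypted_table/plaintext_sigs": scan_plaintext(encrypted, INDICATORS),
        "encrypted_table/decryptor_aware": scan_with_known_decryptor(encrypted, INDICATORS),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:32} -> {hits or 'no match'}")
```

The plaintext signatures fire on the unencrypted table and go silent on the encrypted one, while the decryptor-aware scan recovers both indicators. The point for detection engineering is that recognising a transform as a legitimate vendor’s is a reason to emulate it over the surrounding data and match on the result, not a reason to skip it; treating the familiar pattern as trusted is exactly the gap this variant slipped through.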
The tactic proved highly effective until affiliates leaked the malware’s source code on underground forums in November 2024. Shortly afterward, most antivirus engines on VirusTotal updated their signatures to detect the new variant. According to reports, the developers ceased operations the day after the leak, having gone undetected for at least two months.
“Threat actors primarily distributed this updated version via phishing sites and malicious GitHub repositories. In several campaigns on GitHub, they targeted both Windows and MacOS users with Lumma and Banshee Stealer,” notes Check Point Research. Lumma is another notable strain of stealer malware specifically designed for Windows users.
A comprehensive analysis of the malware is available in Check Point’s full report.
Follow Arin: Twitter/X, LinkedIn, Threads