The Banshee macOS information stealer has been updated to expand its target list to systems using the Russian language, cybersecurity firm Check Point reports.
Banshee was first seen in mid-2024, when it was advertised on cybercrime forums for $3,000 per month, and is believed to have been created by Russian developers.
The malware can collect a wide range of data from macOS systems, including passwords, system information, keychain passwords, browser and browser plugin data, and cryptocurrency wallet information.
In November 2024, the stealer’s source code was leaked online and its developers allegedly shut down their operation as a result, but the malware continues to be distributed via phishing websites and fake GitHub repositories.
According to Check Point, a version of Banshee identified in September that had replaced the original plain text encryption algorithm strings with a string stolen from Apple’s own XProtect antivirus engine remained undetected by antivirus engines until November, when the malware’s source code was leaked.
“This leak not only exposed its inner workings but also led to better detection by antivirus engines. While this leak led to better detection by antivirus engines, it also raised concerns about new variants being developed by other actors,” Check Point notes.
The most significant change observed in the latest version of Banshee, however, is the removal of a Russian language check, which previously prevented the malware from executing on systems using Russian, but now no longer constrains it from targeting specific regions.
Check Point says it “has identified multiple campaigns still distributing the malware through phishing websites. Whether these campaigns are being carried out by previous customers or the author’s private group remains unclear”.
Related: FireScam Android Malware Packs Infostealer, Spyware Capabilities
Related: ESET Distributor’s Systems Abused to Deliver Wiper Malware
Related: US, Australian Cybersecurity Agencies Publish List of 2021’s Top Malware
