Banshee Stealer is the scary new arrival in the Mac malware-as-a-service market
Posted by Joshua Long
Early last week, a new player emerged in the shady underground market of stealer malware for Mac. Banshee Stealer is the latest malware that can steal your passwords, enable hackers to break into your accounts, and empty your digital wallets.
Here’s everything you need to know to stay safe from this new Mac malware threat.
A brief history of stealer malware on the Mac
We’ve mentioned in previous malware write-ups that in April 2023, Atomic macOS Stealer (AMOS, or AtomicStealer) launched as a malware family specifically focused on gathering and exfiltrating sensitive data from Macs. The original threat actor, who goes by ping3r, began selling it via Telegram as “malware as a service”; i.e., other threat actors could license it, initially for $1,000 per month.
Since then, we’ve seen lots of AMOS variants and copycats, both for sale on the black market and in the wild. We wrote about later campaigns in September 2023 and February 2024. In May, we wrote about a previously undocumented stealer variant that Intego’s research team discovered. We also documented another variant, dubbed Cuckoo—one version of which our team unearthed as well. Intego was also the first to write about a stealer disguised as the Arc browser. We often discuss new stealer malware variants on the Intego Mac Podcast.
Most often, AMOS malware and its copycats are distributed through malicious Google Ads campaigns. These poisoned Google ads appear at the top of search results, where many people will see and click on them. At a glance, the ads are often indistinguishable from legitimate Google Ads run by the real software companies they mimic. (Hence, we advise looking at search results carefully before you click—and if it’s an ad, avoid clicking on it.)
Notable AMOS copycats
Aside from the aforementioned Cuckoo, a handful of copycats or offshoots of AMOS have been developed by someone other than ping3r. One AMOS clone developer who went by the name alh1meg apparently developed a stealer called ALH1MIK.
A more well-known AMOS copycat is Poseidon, which was developed by Rodrigo4; we wrote about it in July. According to ping3r, Rodrigo4 was one of the four original coders who developed AMOS. Allegedly, Rodrigo4 sold Poseidon to another threat actor earlier this month for $83,000 worth of Bitcoin.
Shortly after the sale of Poseidon, 0xe1’s Banshee Stealer came onto the scene. It seems to be in quite active development; just this week it was reportedly rewritten in Objective-C.
What does Banshee Stealer do?
As is typical of Mac stealer malware, Banshee Stealer collects and exfiltrates victims’ passwords, cookies, browser history and autofill data, and cryptocurrency wallets. It also collects victims’ Apple Notes, Microsoft Word documents, and encryption keys.
Banshee Stealer avoids running on Macs with Russian set as the primary language. After collecting all the targeted data, it exfiltrates victims’ information to a server that appears to be located in Russia, based on its IP address.
Why does stealer malware collect cookies?
You might question the utility of collecting browser cookies. After all, cookies have a reputation as a tracking tool, thanks to the historical abuse of third-party cookies. But sites do often use cookies for legitimate purposes, for example to store your site preferences (such as light or dark mode, themes, default language, etc.).
Most people aren’t aware that cookies can also act as a proxy authentication method to keep you logged into a site. Therefore, by obtaining a victim’s session cookies, an attacker can often bypass the need to know a victim’s username and password—and can even bypass any two-factor authentication they may have enabled.
Once they’ve gained access to victims’ accounts, attackers could do a variety of nefarious things; for example, they could impersonate victims on social media, or send private messages or e-mails to victims’ friends, relatives, and colleagues. A victim’s contacts could then become secondary victims, if they fall prey to scams or malicious links that seemingly come from their friend.
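The cookie-as-authentication behavior described in this section can be seen in a simplified session model. This is an added example, not code from Intego or from any real service; the account, function names and in-memory stores are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed demo account; a real service stores a password hash and verifies TOTP.
USERS = {"alice": {"password": "correct horse", "otp": "492817"}}
SESSIONS = {}  # session cookie value -> username

def login(user, password, otp):
    """The password and second factor are checked here, and only here."""
    acct = USERS.get(user)
    if acct is None:
        return None
    if not (hmac.compare_digest(acct["password"], password)
            and hmac.compare_digest(acct["otp"], otp)):
        return None
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = user
    return cookie

def handle_request(cookie):
    """Every later request: whoever presents the cookie is treated as the user."""
    return SESSIONS.get(cookie)

def change_password(user, new_password):
    """Changes the credential but leaves already-issued cookies valid."""
    USERS[user]["password"] = new_password

def revoke_sessions(user):
    """'Sign out everywhere': delete the user's sessions; returns how many were removed."""
    stale = [c for c, u in SESSIONS.items() if u == user]
    for c in stale:
        del SESSIONS[c]
    return len(stale)

if __name__ == "__main__":
    cookie = login("alice", "correct horse", "492817")
    print(handle_request(cookie))          # cookie alone is enough
    change_password("alice", "new passphrase")
    print(handle_request(cookie))          # a copied cookie would still work
    revoke_sessions("alice")
    print(handle_request(cookie))          # only revocation ends the session
```

In this model a password change alone leaves an already-issued cookie usable, so recovery from a stealer infection also means signing out of all active sessions on each affected account.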
How can I keep my Mac safe from stealer malware?
If you use Intego VirusBarrier, you’re already protected from this malware. Intego detects these samples as OSX/BansheeStealer, OSX/Downloader.go, virus/OSX/AVI.Agent.bbye, and similar names.
Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, is a powerful solution designed to protect against, detect, and eliminate Mac malware.
If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sonoma.
One of VirusBarrier’s unique features is that it can scan for malicious files on an iPhone, iPad, or iPod touch in user-accessible areas of the device. Just attach your iOS or iPadOS device to your Mac via a USB cable and open VirusBarrier.
If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from malware.
Indicators of compromise (IOCs)
Following are SHA-256 hashes of malware samples from this campaign:
This malware campaign leverages the following domains and IP addresses:
banshee-stealer[.]com
ycf6a3d4lbdfksa3pvpe2xozacvb42fpttn3kah4bqt7txr3dxgwxpad[.]onion
45.142.122[.]92
154.216.18[.]135
Network administrators can check logs to try to identify whether any computers may have attempted to contact these domains or IPs in recent weeks, which could indicate a possible infection.
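One way to run the log check described above, as an added example (not Intego's tooling). It refangs the indicators published in this article and matches them as whole hosts or addresses, so look-alike domains and longer IP addresses do not raise false alarms; the sample log lines and their field layout are constructed.

```python
import re

# Indicators as published in this article, kept defanged in source.
DEFANGED_IOCS = [
    "banshee-stealer[.]com",
    "ycf6a3d4lbdfksa3pvpe2xozacvb42fpttn3kah4bqt7txr3dxgwxpad[.]onion",
    "45.142.122[.]92",
    "154.216.18[.]135",
]

def refang(ioc):
    """Turn 'example[.]com' back into the form that appears in logs."""
    return ioc.replace("[.]", ".").lower()

def compile_ioc(ioc):
    """Regex that matches the indicator as a whole host or IP, not a substring."""
    esc = re.escape(ioc)
    if re.fullmatch(r"[0-9.]+", ioc):
        # IP: reject when embedded in a longer address (145.142.122.92, ...92.1)
        pattern = rf"(?<![0-9.]){esc}(?![0-9]|\.[0-9])"
    else:
        # Domain: allow subdomains and a trailing root dot, reject look-alikes
        pattern = rf"(?<![a-z0-9-])(?:[a-z0-9-]+\.)*{esc}(?![a-z0-9-]|\.[a-z0-9])"
    return re.compile(pattern, re.IGNORECASE)

def scan(lines, defanged=DEFANGED_IOCS):
    """Return (line_number, indicator) for every log line that references an IOC."""
    rules = [(refang(i), compile_ioc(refang(i))) for i in defanged]
    hits = []
    for n, line in enumerate(lines, start=1):
        for ioc, rx in rules:
            if rx.search(line):
                hits.append((n, ioc))
    return hits

# Constructed sample lines (not real telemetry); the field layout is an assumption.
SAMPLE_LOG = [
    "2024-01-01T10:01:02Z dns client=10.0.0.21 query=www.banshee-stealer.com. type=A",
    "2024-01-01T10:01:05Z dns client=10.0.0.22 query=notbanshee-stealer.com type=A",
    "2024-01-01T10:02:11Z fw src=10.0.0.21 dst=45.142.122.92 dport=80 action=allow",
    "2024-01-01T10:02:12Z fw src=10.0.0.23 dst=145.142.122.92 dport=443 action=allow",
    "2024-01-01T10:03:40Z fw src=10.0.0.24 dst=154.216.18.135 dport=80 action=deny",
]

if __name__ == "__main__":
    for n, ioc in scan(SAMPLE_LOG):
        print(f"line {n}: contact with {ioc}")
```

To scan a real export, pass an open file object to `scan()` in place of `SAMPLE_LOG`; each hit identifies the log line on which a client referenced one of the indicators.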
Banshee Stealer drops a malicious AppleScript payload at the following path:
/tmp/tempAppleScript.scpt
This file should be deleted if found on an infected Mac.
Do security vendors detect this by any other names?
Other antivirus vendors’ names for this malware may include variations of the following:
Gen:Variant.Trojan.MAC.Stealer.45 (B), HEUR:Trojan-PSW.OSX.Amos.w, IOS/ABApplication.EC, IOS/ABApplication.SYS, Mac.PWS.Stealer.4, MacOS/ABApplication.DHO, MacOS/ABTrojan.BMVB-, MacOS/ABTrojan.MKKD-, MacOS/ABTrojan.MVKB-, MacOS/ABTrojan.NDDU-, Malware.OSX/Agent.ymgcy, Malware.OSX/AVF.Agent.ladbk, Malware.OSX/AVI.Agent.bbyeq, Malware.OSX/AVI.Agent.gouso, Osx.Trojan-QQPass.QQRob.Dflw, Osx.Trojan-QQPass.QQRob.Fkjl, Osx.Trojan-QQPass.QQRob.Hjgl, Osx.Trojan-QQPass.QQRob.Kqil, Osx.Trojan-QQPass.QQRob.Kzfl, Osx.Trojan-QQPass.QQRob.Nzfl, Osx.Trojan-QQPass.QQRob.Ozfl, Osx.Trojan-QQPass.QQRob.Rgil, Osx.Trojan-QQPass.QQRob.Sgil, Osx.Trojan-QQPass.QQRob.Vimw, Osx.Trojan-QQPass.QQRob.Xtjl, OSX.Trojan.Gen.2, OSX/Agent.CC!tr.pws, OSX/Agent.ymgcy, OSX/AVF.Agent.ladbk, OSX/AVI.Agent.bbyeq, OSX/AVI.Agent.gouso, OSX/InfoStl-DP, OSX/PSW.Agent.CC, Other:Malware-gen [Trj], PossibleThreat, TR/Agent.fplgz, TR/Agent.hkgkp, TR/Agent.hqnuk, TR/Agent.pksuz, TR/Agent.slkgx, TR/Agent.xzqbb, TR/Agent.yscrf, Trojan ( 0040f5111 ), Trojan-Spy.OSX.BansheeStealer, Trojan:MacOS/Amos.AO!MTB, Trojan:MacOS/Multiverze, Trojan.Agent, Trojan.MAC.Generic.119790 (B), Trojan.MAC.Generic.119791 (B), Trojan.MAC.Generic.119793 (B), Trojan.MAC.Generic.119795 (B), Trojan.MAC.Generic.D1D3EE, Trojan.MAC.Generic.D1D3EF, Trojan.MAC.Generic.D1D3F1, Trojan.MAC.Generic.D1D3F3, Trojan.OSX.Amos.i!c, Trojan.OSX.Psw, Trojan.OSX.Stealer, Trojan.TR/Agent.fplgz, Trojan.TR/Agent.hkgkp, Trojan.TR/Agent.hqnuk, Trojan.TR/Agent.pksuz, Trojan.TR/Agent.slkgx, Trojan.TR/Agent.xzqbb, Trojan.TR/Agent.yscrf, Trojan.Trojan.MAC.Stealer.45, Trojan[stealer]:MacOS/Amos.AP8PHU, Trojan[stealer]:MacOS/Amos.w, Trojan[stealer]:MacOS/Multiverze.Gen, Trojan/Generic!14B160E67D415427, Trojan/Generic!8E8865F4CCCB0349, Trojan/OSX.Agent.920200, TrojanSpy/OSX.Stealer.k, UDS:Trojan-PSW.OSX.Amos.w, WS.Malware.1
How can I learn more?
For more technical details about this malware, you can read Elastic’s report, and watch L0psec Reversing’s video.
Intego would also like to thank Alex Kleber, DefSecSentinel, Karol Paciorek, L0Psec, Phil Stokes, and Victor Kubashok for their public contributions to research into this threat.
Image credit: Banshee by Michelle Monique (CC BY-SA 3.0)