Is your Mac OS free from malware?

Since November 2024 there has been an increase in macOS devices infected by the Banshee Stealer malware, affecting many users and companies [1].

Apple invests a lot of resources in protecting its software and hardware; it is well known for XProtect, Notarization and Gatekeeper, anti-malware technologies that analyze programs and the signatures of applications running on Mac devices [3].

We have all heard the saying “Mac OS can’t get viruses” or something similar. But anyone who works in tech knows that this claim is false.

But even with this technology already installed, there are still different kinds of malware that can successfully infect our devices and wreak havoc on our personal devices or workstations. Let’s analyze how the Banshee Stealer malware works and how you can protect yourself against it.

Even an Apple can be infected with a worm![5]

How can this malware affect macOS?

Since macOS is built on a UNIX kernel, the core of the OS is exposed with read-only permissions. So in theory it is protected against modification, which makes it harder for viruses to attack specific parts of the OS and change its normal behavior. But there are ways to bypass this “protection”.

Banshee’s source code has recently been leaked; it is C code that modifies kernel permissions and specific modules to allow modification of sensitive parts of the OS.

Part of the CPU protection code[4]

After gaining write permission on the kernel, it creates backdoors and escalates privileges to take more control over the computer. Doing so requires deep knowledge of how macOS operates and how process IDs are assigned while the computer is running. The following code especially caught my attention:

Part of the Banshee Stealer code trying to guess specific memory addresses[4]

It shows how certain memory addresses are used for specific OS operations. The address is calculated at execution time based on certain well-known parameters.

It is very interesting how they shift bits dynamically to get the correct location depending on certain memory address parameters. It clearly shows a good understanding of how the macOS kernel works.

No doubt this is why this malware became the new trend. It has been sold as Malware as a Service, charging over $3,000 for a monthly subscription [2]. Fortunately (not for Banshee’s creators) the source code was leaked and the service has been canceled. Even so, it is important to be protected against this malware, which can steal data and make the computer unavailable.

How can we be protected against these threats?

The best protection is a combination of different measures and tools. Starting with prevention: this malware was spread through GitHub repository links and downloads of uncertified software. So safe browsing and awareness campaigns can help you recognize the risk of getting infected by this malware.

Also, keeping macOS up to date helps protect devices against new malware. Although there is no silver bullet, it is important to stay informed and to keep monitoring your devices to prevent issues with our cyber security.
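As an added example (not code from this post or from Apple), here is a small shell script that reports the state of the protections named above (Gatekeeper, SIP for the read-only system, XProtect) and assesses one downloaded application before it is opened; it assumes the stock macOS tools spctl, csrutil, codesign and defaults, and only runs the live checks when invoked as `sh check.sh --run /path/To.app`.

```shell
#!/bin/sh
# Added example, not from the post: defender's check of macOS protections.
# Assumes stock macOS tools: spctl, csrutil, codesign, defaults.

# Normalise `spctl --status` output to one word.
gatekeeper_state() {
  case "$1" in
    *"assessments enabled"*)  echo enabled ;;
    *"assessments disabled"*) echo disabled ;;
    *)                        echo unknown ;;
  esac
}

# Normalise `csrutil status` output (SIP keeps the system volume read-only).
sip_state() {
  case "$1" in
    *"status: enabled"*)  echo enabled ;;
    *"status: disabled"*) echo disabled ;;
    *)                    echo unknown ;;
  esac
}

# Classify an `spctl --assess --type execute -vv` report for one app bundle.
app_verdict() {
  case "$1" in
    *": rejected"*)       echo rejected ;;
    *"source=Notarized"*) echo notarized ;;
    *": accepted"*)       echo accepted-unnotarized ;;
    *)                    echo unknown ;;
  esac
}

# Live checks (macOS only): one line per control, plus the app assessment.
report() {
  app="$1"
  xp=/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist
  echo "gatekeeper: $(gatekeeper_state "$(spctl --status 2>&1)")"
  echo "sip:        $(sip_state "$(csrutil status 2>&1)")"
  echo "xprotect:   $(defaults read "$xp" CFBundleShortVersionString 2>/dev/null || echo unknown)"
  if [ -n "$app" ]; then
    echo "app:        $(app_verdict "$(spctl --assess --type execute -vv "$app" 2>&1)")"
    if codesign --verify --deep --strict "$app" 2>/dev/null; then
      echo "codesign:   valid"
    else
      echo "codesign:   INVALID"
    fi
  fi
}

if [ "${1:-}" = "--run" ]; then report "${2:-}"; fi
```

Anything other than `gatekeeper: enabled`, `sip: enabled` and `app: notarized` with a valid code signature is a reason not to open the download.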

References:

[1] https://www.securityweek.com/source-code-of-3000-a-month-macos-malware-banshee-stealer-leaked/

[2] https://www.securityweek.com/source-code-of-3000-a-month-macos-malware-banshee-stealer-leaked/

[3] https://support.apple.com/en-ca/guide/security/sec469d47bd8/web

[4] https://github.com/vxunderground/MalwareSourceCode/blob/main/MacOS/MacOS.Rootkit.Inficere.zip

[5] https://identeco.de/en/blog/protect-macos-from-banshee-leaked-accounts-identeco/macos-malware-virus-infecting-apple-devices-security-threat.png


12 Comments

  1. No system, including macOS, can be definitively declared “free from malware.” Users should always remain proactive about their cybersecurity measures, regardless of the operating system they use.

  2. Great post, Oscar. Like you, I was particularly interested in the screenshot you provided for the malware attempting to guess memory addresses. The function looks to be searching for the interrupt at address 80 within the interrupt table, which, at least in Linux, should only be accessible to the kernel, which displays a worrying amount of permission that this malware is able to obtain. Interrupt 80 in particular, which I assume to be 0x80, is specifically for requesting syscalls, or calls from user space to kernel space, and if the malware is trying to find that address, which I presume to be obscured by something like ASLR, it seems to be trying to take control of that functionality, perhaps as a means of root-kitting the system and hiding itself from users, which is particularly insidious. This post perfectly illustrates why people should never rely on the fact that their particular operating system “doesn’t get malware,” and in fact battle-hardened OSes like Windows may be less vulnerable to malware nowadays because these sorts of easy vulnerabilities have already been exploited and mitigated, and proactive security measures, such as a built-in antivirus, are well established.

    1. Thanks for the comment, Kyle! I really was moved by how they actually guess the memory addresses. It is amazing what hackers can do with the correct motivation, but I think that there could be an internal source leaking information on how Mac OS addressing works, giving hints on how the memory and processes in the OS work (intentionally or accidentally). It could provide enough information to hackers on how to bypass certain security models and access.
      I also agree with you on the Windows claim: when you have more experience on how to battle the attacks, you have more knowledge on how to protect your products.

  3. Fantastic post, Oscar! Back then, some believed that Macs couldn’t receive viruses. “Mac OS can’t get viruses” is a prevalent fallacy that has survived for years, thanks to Apple’s marketing campaigns. Malware-as-a-service (MaaS) enables cybercriminals to launch attacks without developing it themselves. Cybercriminals no longer require a significant technical background to carry out a malicious hack. With preventative measures and a robust cybersecurity strategy, you can sleep soundly at night, knowing your devices and company data are safe from a MaaS attack.

    1. Thanks for the comment John! Yeah, the myth around Mac was widely spread and it gave them a little extra good publicity. It is good to know that we are more aware about the threats out there and how to be protected against them. And I agree that more and more script kiddies emerge and think that they can “hack” bank accounts and get easy money that way. The bad side of this is that there are still many IT systems without the proper security measures and they are vulnerable to attacks. Better keep an eye on our Macs.


  5. Great post, Oscar! It’s fascinating yet concerning to see how attackers use detailed knowledge of macOS internals to develop advanced malware like Banshee Stealer. The Malware-as-a-Service trend shows just how accessible cybercrime has become. I completely agree with your emphasis on safe browsing and avoiding the downloads of uncertified software. I’d love to see more on how users can detect if their systems have already been compromised by this malware.

  6. Nicely done, Oscar!! Emphasising the malware’s use as Malware-as-a-Service and its capacity to take advantage of kernel rights highlights how cybercriminals’ strategies are constantly changing. The helpful suggestions for prevention and the need to stay informed and alert provide us readers with important directions to improve our cybersecurity.

  7. Excellent post, Oscar! And a little wake-up call for all Mac users. I totally echo the core message of this post that clearly calls out how Malware-as-a-Service (MaaS) models are lowering the entry barrier for attacks, and it is making some of these sophisticated threats more accessible. It is definitely a stark reminder that no system, however secure it calls itself, is immune to security risks. As these kinds of threats continue to evolve, it is absolutely important that consumers stay informed and vigilant.

    1. Thanks for the comment, Achu. I agree that modern MaaS is simplifying the attack process. Even individuals with no technical skill can perform sophisticated attacks on groups or individuals. The more we know about how the attacks can be performed, the more we can be protected. It is important to be informed and to make it a regular practice to avoid future problems as much as possible. I also agree that all platforms have vulnerabilities and there is no silver-bullet solution for keeping our assets safe.

  8. Really interesting post, Oscar. It’s always nice seeing awareness created for malware, especially for malware that targets systems that aren’t Windows. I agree with your sentiment about how it’s really interesting how the malware dynamically calculates memory addresses. In one of my undergraduate classes, we had to perform exploits by changing bits in memory, and just statically getting a memory address was very difficult in itself, so dynamically figuring it out is super impressive. What also stands out to me is that GitHub repository links were how it was being spread. Which is a little scary, as at least for me sometimes I’ll just trust a repository if it seems like it’ll be a solution to my problem at the time. Though this is a good reminder to always be more vigilant and double-check what I’m downloading before I do it.

  9. Great post, Oscar. It’s interesting how creative threat actors can be and how vulnerable our systems are. What was most concerning and surprising, though, was how even a well-used and trusted platform such as GitHub, which is mostly used for technical and educational purposes, is integrated with software. As you mentioned, this highlights the importance of web browsing. Ensuring safe browsing, awareness campaigns, and regular software updates is critical with all systems.
