Mac Users – Urgent Security Alert: Protecting Your Mac from Banshee Stealer Malware

by | Jan/11/2025

Mac Users – Beware of Current Malware

There is a piece of Mac malware named Banshee Stealer that is potentially affecting millions of Mac users.

IMMEDIATE ACTIONS REQUIRED:

– Never enter your Mac user or admin password unless you recognize the need to enter it because of an action you’re performing, such as powering on your Mac.

– Back up your critical data immediately in case you need to perform a clean macOS install.

– Because Banshee Stealer is designed to go unnoticed, strongly consider running an anti-malware tool capable of detecting it.

What Anti-Malware Tools Work?

Intego, Malwarebytes, and Combo Cleaner are the only Mac-based anti-malware tools that I can find today that advertise that they can identify and stop the newest version of Banshee Stealer. There might be others. Combo Cleaner is available in the Mac App Store. Downloading apps from the store reduces the likelihood of getting a fake, infected version. We don’t endorse any of the tools mentioned, nor do we receive any compensation. There are many online reviews of those products. Stay current with your macOS updates, and hopefully, Apple’s built-in tools will soon detect and remove the newest version of Banshee Stealer.

I realize many Mac users do not want to install anti-malware. If that’s you, please read all the information in this article carefully to reduce your exposure. The newest variant of Banshee Stealer cleverly evades Apple’s built-in anti-malware tool, XProtect.

What is Banshee Stealer?

The sophisticated Banshee Stealer malware compromises computers and laptops running MacOS, including Intel-based Macs and those with Apple Silicon chips. Attackers use it to breach privacy, inflict financial losses, and steal identities. So far, iPhones and iPads have not been affected by Banshee Stealer. In my presentations and speeches, participants often ask if Macs are susceptible to viruses and other malware; this is an example of when they are.

Banshee Stealer began as a Malware-as-a-Service (MaaS) offering: threat actors could purchase access for $3,000 per month to attack Mac users. A new variant resurfaced in September that reuses an encryption scheme taken from Apple’s own XProtect anti-virus tool, which let it evade antivirus detection for months.

How Can Your Computer Become Infected with Banshee Stealer?

  • Clicking links in email messages that take you to a site that might appear normal but will infect your computer with Banshee Stealer
  • Opening email attachments that contain the Banshee Stealer malware or that take you to a site that downloads and installs Banshee Stealer
  • Scanning QR codes in email or other messages, for the same reason
  • Entering your username and password into what appears to be a legitimate Apple pop-up
  • Downloading programs and applications that have Banshee Stealer hidden inside
  • Following a fake prompt that tells you an update or program needs to be installed, a password needs to be reset, or that some application needs to use your camera or microphone or have some other elevated privilege

Symptoms:

Banshee Stealer is designed to be undetectable. You might not find out your Mac was infected until your finances, identity, and privacy are in shambles. Possible symptoms include:

  • Your Mac computer or laptop starts behaving differently than before.
  • You receive unexpected prompts asking you to install software, reset your password, grant permission, etc.
  • Your bank or other online accounts are compromised; an attacker may have used Banshee Stealer to steal your passwords.
  • Your Mac operates much more slowly than before, or the battery life seems shorter; Banshee Stealer might be uploading data in the background or performing other activities on your computer.
  • You notice unexpected file changes on your computer.
  • A crypto wallet you hold gets compromised.

What to Do to Help Prevent Infection:

Strongly consider using anti-malware capable of detecting Banshee Stealer, as discussed above.

Beware of all prompts that pop up on your screen that look like they are Apple prompts asking for your password. Banshee Stealer is great at mimicking the Apple prompts, and if you enter your username and password, Banshee Stealer captures them. It is essential that you only enter your username and password when you are actively expecting to need to, such as:

  • When you power on the computer or log in after the screen is locked
  • When you are installing new software right then
  • When you are logging into Keychain
  • When you told the Mac to install system updates
  • During administrative tasks, such as when you are intentionally accessing system files
  • When you are making certain changes to System Settings right then

Only install programs and applications from trusted companies. Remember that attackers can sometimes infect trusted companies and install malware without the software provider’s knowledge. This is called a supply chain attack, and it can be very successful if people trust the website or tool. Getting programs from the Mac App Store helps minimize the risk of downloading malware hidden inside an otherwise functional program.

Do not double-click on a link or button on a website. Legitimate website navigation involves single clicks. Threat actors have learned that people will follow instructions to double-click, or will double-click on their own if something does not seem to work the first time. During a double-click, attackers quickly replace the original link with a malicious one right after the first click and before the second. Users do not realize what they’ve done and might have executed a script or unknowingly performed another action the threat actor wanted.

Do not click on links in email messages or other messages, and do not scan a QR code—it functions as a link. Do not click on links on services such as YouTube; threat actors will put links into the descriptions and comments. View every link everywhere as suspicious and avoid clicking.

Do not open attachments that arrive via email or another method unless you confirm with the sender that it is indeed the file they sent. Remember that attackers can compromise other companies or users and use their email addresses to send malicious files when you expect them. This is a way for even the most security-conscious people to be infected.

Update your macOS regularly. Instead of answering a prompt on your screen telling you about an update, regularly click on the Apple menu in the top left corner and choose System Settings, then General, then Software Update.

Consider removing as many browser extensions as possible. Sometimes malware infects browser extensions or comes included when you install an extension.

Use multi-factor authentication (MFA) on all the websites, Software as a Service (SaaS) solutions, and everywhere else you can. Choosing to receive a text message for the second step of the login process is much better than having no MFA, but it is not the most secure choice because of the SIM-swapping attacks that attackers use. They learn as much as they can about you, frequently using AI, then contact your phone provider and try to convince the provider that they are you and that you have a new SIM chip or a new phone. Recent breaches have exposed location histories gathered by companies that write apps and sell your location information. Threat actors can use AI to combine location information with publicly available data to learn a great deal about you and your life. If the phone provider is duped, the attacker takes over your phone number and can receive your text messages on their device. If you ever change your phone number, you’ll need to go to all the websites where you set up text-based MFA, disable MFA, and re-enable MFA when you get the new number.

For more secure multi-factor authentication, if the website or SaaS tool allows, set up an authenticator app on your smartphone that generates a number every thirty seconds. This Time-Based One-Time Password (TOTP) is more secure because it doesn’t rely on a text message. Popular authenticators include Google Authenticator, Microsoft Authenticator, Authy, and more. (Same disclaimers as above). Be sure to back up your authenticator app in case you lose or upgrade your phone. Otherwise, you could be locked out of everything you set up for TOTP. If you can’t generate the codes, you won’t be able to log in to the sites that require that code. There are other options that are more secure than text message-based MFA, including USB Keys, Passkeys, etc.

Be sure you use different passwords for every website or SaaS offering. When attackers compromise your password anywhere, they’ll perform credential stuffing, meaning they try the same username and password at dozens of other popular websites and SaaS platforms. It is challenging to remember passwords, and password manager software can be very helpful. Password managers remember your passwords for you and can fill them in when prompted. Although web browsers have this feature, too, many people consider password managers more secure since, if an attacker compromises your browser, the passwords are not readily available to them. Some password managers will synchronize across multiple devices, reset weak passwords for you, and offer other features. It is almost always best not to use the VPN and other services that come with password managers. 1Password, Dashlane, Keeper, LastPass, and many others are common. (Same disclaimers as above: we don’t endorse these, nor do we receive compensation.) Apple has also revamped the macOS Keychain password manager to be more secure than it was. When you use a password manager, be sure it is backing up somewhere in case you lose your laptop. Apple Keychain automatically backs up to iCloud and synchronizes across your other devices.

If you have sensitive data, consider encrypting the files in case Banshee Stealer or other malware accesses and steals them.

Computers and devices communicate over a network, whether wired (copper) or Wi-Fi, and malware can move from one computer to another across it. If you use your Mac at home and family members have Macs and aren’t as careful as you are, having a segmented network for you to use, separate from everyone else, helps protect you from malware spreading from their computers onto yours. Segmentation is slightly technical; the easiest way to segment a home network might be to have all the other family members connect to the “guest” network while you use the primary network.

Set up transaction alerts for all financial accounts. Most financial institutions offer SMS or email alerts whenever transactions larger than a certain amount are processed. I have my accounts set to text me anytime a transaction of more than one dollar occurs on any account because that is the minimum amount my banks allow. Yes, I receive many alerts, but I’d prefer to receive many alerts rather than not know about an unauthorized withdrawal. Continue to monitor bank statements and other financial records.

If your company has an Extended Detection and Response (XDR) solution, contact your IT professionals to be sure they’ve installed the XDR agent on your Mac, too. If your business isn’t already using XDR, you must. This technology is designed to detect and stop malicious activity before it has time to do much, if any, harm. Examples of XDR tools include CrowdStrike, Cynet, SentinelOne, and more (we don’t endorse nor receive compensation for mentioning them). As cybersecurity consultants, we recommend that our customers get XDR from their IT team’s vendor. The typical cost of approximately $20/mo/user seems expensive until after a breach. Many companies get breached even though they have XDR in place, but the most common reason is that something wasn’t implemented correctly or there is a breakdown or delay in communications. Companies engage with us to perform independent, periodic, vigorous red team exercises to attack and test their XDR response. Most XDR implementations fail the first exercise, but finding weaknesses before the threat actors do is the point. After the exercise and the resulting recommendations are implemented, a company is much better prepared for a real-world attack.

This recommendation isn’t for everyone; I left it for last. Implementing it can be complicated and frustrating and is most often initiated by enterprises using Windows and Mac. Another strategy to help avoid getting malware from websites is to use a hosted browser, also known as browser isolation. This service runs a web browser on the provider’s servers, and your computer only displays the rendered output of that browser. Thus, all browser attacks land on the company hosting the browser, not on your computer’s browser. Some hosted browsers work better than others, but you might consider this option to further isolate and protect your computer from browser-based threats. For example, if a website wants to access your local mic and camera, it won’t work, since you’ll be using the hosted browser; this protects you from malicious websites that take over your mic and camera. My research to locate a hosted browser for the Mac was complex, and I want to rush this blog to the press due to the urgency of Banshee Stealer. Candidates for stand-alone hosted browser solutions for the Mac include Menlo Secure Cloud Browser, Authentic8, and the Puffin Browser. Zscaler and Cloudflare also offer hosted browser solutions for the Mac, but they don’t seem to be sold as stand-alone solutions, only as part of a larger package. We are not endorsing or receiving any compensation for listing those products.

Proactive Steps to Take In Case You Get Infected:

There are other steps to take that will help you if you do get infected. Be sure you are backing up with macOS’s built-in Time Machine or another service. Using multiple external USB drives for backup and rotating them is a great idea; macOS keeps track of each drive and applies the backups when you plug in that specific drive. Strongly consider an online backup service. Examples of highly rated cloud backup services for Mac users include Backblaze, IDrive, and Acronis, but there are others. We are not endorsing those, nor do we receive any compensation for recommending them. You might even copy your files to an online storage service; use multi-factor authentication and all the other industry-best cybersecurity practices for cloud storage. Some people copy their most important files to one or more external drives, leaving them disconnected except when copying files.

What to do if you think you are infected:

Turn off your Wi-Fi or disconnect your Ethernet cable to stop any more files from being stolen and uploaded.

Run an anti-malware package described above under prevention.

Continue to watch your financial accounts for any suspicious activity.

Follow all the steps above under the section on what to do to avoid infection.

Consider moving your assets to a new, secure wallet if you use cryptocurrency.

You should contact gurus at Apple or another support organization who can help you with your Mac.

Reset all of your passwords. If you are not using a password manager, now might be a good time to do so.

Decide whether to alert your business and associates that if they receive an email pretending to be from you, it is likely not from you.

If you want to feel confident you’ve removed all of the malware, consider backing up your data and performing a clean install of macOS.

Final Thoughts:

I hope you do not become infected with Banshee Stealer, and that you are not already infected; an infection is tricky to detect. Following the guidance in this article can also help protect you from other Mac malware. Tell your friends.