Key facts
- A new macOS malware, PamStealer, has been identified by security researchers.
- The malware is distributed through a disk image disguised as the Maccy clipboard manager.
- It utilizes AppleScript and JavaScript for Automation (JXA) to download and execute its payload.
- PamStealer uses the macOS Pluggable Authentication Modules (PAM) interface to confirm locally that a captured login password is correct before exfiltrating it.
- The malware employs techniques to remain stealthy, including masquerading as system processes and encrypting traffic.
Researchers have uncovered a novel macOS malware, named PamStealer, that uses a quiet execution chain and local credential validation to steal user passwords. Its initial distribution vehicle is a disk image that poses as Maccy, a popular open-source clipboard manager for Macs. Execution proceeds in two stages.
The first stage is an AppleScript shipped inside the disk image, intended to be opened in the macOS Script Editor rather than launched as an application. The script runs an embedded JavaScript for Automation (JXA) downloader, which fetches the second-stage payload through native Objective-C APIs reached via JXA's Objective-C bridge. Researchers note that this is less common than the usual approach of shelling out to a tool such as curl, and it leaves no child process for a simple process-tree detection to catch.
The second stage, written in Rust, is the core credential-stealing component and the source of the PamStealer name: it calls the Pluggable Authentication Modules (PAM) interface built into macOS to check locally whether the password it has captured is the user's real login password. Only a verified credential is transmitted to the attacker-controlled server, so the operators receive no junk input and the malware never has to make a noisy retry against the victim's account.
Several factors make PamStealer quieter than a typical trojanised app. The combination of a disk image, an AppleScript and a JXA downloader means no signed or notarised application bundle is ever launched. Once the user mounts the disk image and opens the script in Script Editor, pressing Command-R runs the malicious code immediately; because Script Editor executes the script directly, the com.apple.quarantine attribute that Gatekeeper relies on to vet downloaded applications never triggers an assessment. The malware further conceals itself by masquerading as legitimate macOS components such as Finder, encrypting its command-and-control traffic, and holding back conspicuous prompts such as the Full Disk Access request for up to forty minutes so that the user does not connect the prompt with the application they just opened.
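The two host-side signals a responder can act on from the description above are the name masquerade (a process called Finder that does not run from /System) and the unusual execution chain rooted in Script Editor. The following triage script, added here as an illustration and not taken from the researchers' report or from the malware itself, parses a `ps -axo pid=,ppid=,comm=` snapshot and flags both. It assumes Script Editor lives at its current /System/Applications/Utilities path, and the process snapshot embedded at the bottom is constructed for the example, not captured from an infected machine.

```python
"""Host triage for the PamStealer behaviours: masquerading as Apple components
and a Script Editor-rooted execution chain. Added example, not code from the
original report; the process snapshot below is constructed for illustration."""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    path: str          # executable path as printed by `ps -o comm` on macOS

    @property
    def name(self) -> str:
        return os.path.basename(self.path)


def parse_ps(text: str) -> list:
    """Parse `ps -axo pid=,ppid=,comm=` output (the `=` suppresses the header).
    maxsplit=2 keeps paths containing spaces, e.g. 'Script Editor', intact."""
    procs = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        procs.append(Proc(int(parts[0]), int(parts[1]), parts[2]))
    return procs


# Names the report says the malware borrows; a genuine Finder only runs from /System.
APPLE_COMPONENT_NAMES = {"Finder", "Dock", "loginwindow", "SystemUIServer"}
TRUSTED_PREFIXES = ("/System/Library/", "/System/Applications/", "/usr/libexec/")
# Assumed location of Script Editor on current macOS (Catalina and later).
SCRIPT_EDITOR = "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"


def masquerading(procs: list) -> list:
    """Processes using an Apple component name but running from an untrusted path."""
    return [p for p in procs
            if p.name in APPLE_COMPONENT_NAMES and not p.path.startswith(TRUSTED_PREFIXES)]


def descendants(procs: list, root_pid: int) -> list:
    """Transitive children of root_pid; each parent is listed before its children."""
    by_parent = {}
    for p in procs:
        by_parent.setdefault(p.ppid, []).append(p)
    found, stack = [], [root_pid]
    while stack:
        for child in by_parent.get(stack.pop(), []):
            found.append(child)
            stack.append(child.pid)
    return found


def script_editor_chain(procs: list) -> list:
    """Everything spawned, directly or indirectly, by Script Editor. On a typical
    workstation Script Editor rarely has long-lived children, so anything that
    survives here deserves a look."""
    chain = []
    for editor in (p for p in procs if p.path == SCRIPT_EDITOR):
        chain.extend(descendants(procs, editor.pid))
    return chain


# Constructed snapshot in `ps -axo pid=,ppid=,comm=` format (not real data).
SAMPLE_PS = """\
    1     0 /sbin/launchd
  412     1 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  640     1 /System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor
  655   640 /Users/alice/Library/Caches/Finder
  661   655 /bin/sh
"""

if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for p in masquerading(procs):
        print(f"masquerade: pid {p.pid} named {p.name} runs from {p.path}")
    for p in script_editor_chain(procs):
        print(f"spawned under Script Editor: pid {p.pid} {p.path}")
```

On a live host, replace `SAMPLE_PS` with the output of `ps -axo pid=,ppid=,comm=`; the path-prefix check is deliberately strict, so a legitimately relocated system binary would also be flagged and should be triaged rather than auto-blocked.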
