Key facts
- A new macOS malware named PamStealer has been identified.
- PamStealer is designed to steal user credentials.
- The malware uses a disk image disguised as a clipboard manager.
- An AppleScript is used to deliver the malware's payload.
- PamStealer leverages the macOS Pluggable Authentication Modules (PAM) interface.
Researchers have uncovered a new strain of malware targeting macOS systems, identified as PamStealer. Its objective is to steal user credentials. The initial infection vector is a disk image made to look like a legitimate clipboard manager application, a lure intended to get users to open and run it. Once launched, PamStealer uses an AppleScript to deliver its malicious payload. A key aspect of its operation is its abuse of macOS's Pluggable Authentication Modules (PAM) interface, the layer that mediates authentication for system services such as login and sudo. By leveraging PAM, the malware gains the ability to access and exfiltrate sensitive user authentication information from the compromised system. The use of PAM suggests a deliberate effort by the malware's creators to bypass standard security measures and gain deeper access to the operating system's authentication mechanisms.
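As an added defensive example (not part of the original report, and not code from the researchers), the check below flags entries in a macOS pam.d service file that load a module outside Apple's shipped set. It assumes a PAM-abusing stealer registers itself through /etc/pam.d, which the summary does not state; the Apple module baseline, the `suspicious_entries` function and the sample sudo file are all assumptions of this example.

```python
"""Flag PAM entries that load modules outside Apple's shipped set (macOS)."""
import re

# Assumed baseline of modules Apple ships in /usr/lib/pam on recent macOS;
# verify against `ls /usr/lib/pam` on the host being checked.
APPLE_PAM_MODULES = {
    "pam_aks.so", "pam_deny.so", "pam_env.so", "pam_group.so", "pam_krb5.so",
    "pam_launchd.so", "pam_mount.so", "pam_nologin.so", "pam_ntlm.so",
    "pam_opendirectory.so", "pam_permit.so", "pam_rootok.so", "pam_securityserver.so",
    "pam_self.so", "pam_smartcard.so", "pam_tid.so", "pam_uwtmp.so",
}
# pam.d entry layout: type  control  module  [args...]
LINE_RE = re.compile(r"^(auth|account|password|session)\s+(\S+)\s+(\S+)(.*)$")

def suspicious_entries(service, text):
    """Return (service, line, reason) for entries that load a module not in the
    baseline, or one loaded by path from outside /usr/lib/pam."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append((service, line, "unparseable entry"))
            continue
        module = m.group(3)
        name = module.rsplit("/", 1)[-1]
        if "/" in module and not module.startswith("/usr/lib/pam/"):
            findings.append((service, line, f"module loaded from {module}"))
        elif name not in APPLE_PAM_MODULES:
            findings.append((service, line, f"unknown module {name}"))
    return findings

# Constructed sample: Apple's stock sudo stack plus one injected entry that
# loads a module from a hypothetical, non-Apple path.
SAMPLE_SUDO = """\
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
auth       optional       /Users/Shared/.cache/pam_helper.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
"""

if __name__ == "__main__":  # on a real host, run this over each file in /etc/pam.d
    for svc, line, why in suspicious_entries("sudo", SAMPLE_SUDO):
        print(f"[{svc}] {why}: {line}")
```

A "required" or "sufficient" entry is not the only thing to look for: an "optional" entry can capture credentials without altering the outcome of authentication, so any non-baseline module is worth investigating regardless of its control flag.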
