Researchers from Jamf have uncovered a novel piece of macOS malware called PamStealer, which employs sophisticated methods to steal user credentials. Discovered recently, this malware targets Mac users by masquerading as a legitimate clipboard manager named Maccy.
How PamStealer Operates
PamStealer is delivered in two stages. The initial stage is a disk image that imitates the clipboard manager, while the second stage consists of credential-stealing code written in Rust. The malware uses the Pluggable Authentication Modules (PAM) interface in macOS to verify that the password a user types is correct before sending it to an attacker-controlled server.
According to Jamf, the execution chain is notably quieter than typical macOS stealers. Instead of relying on common shell commands, the AppleScript embedded in the disk image executes a self-contained JavaScript for Automation (JXA) downloader that fetches and prepares the payload using native Objective-C APIs, so no separate download tool is spawned.
Stealthy Techniques and User Manipulation
PamStealer’s combination of techniques enhances its stealth. A user who believes they are installing the genuine clipboard manager is instructed to press Command-R after double-clicking the disk image. That keystroke runs the malicious code embedded in the AppleScript, which sidesteps the warning macOS normally shows (via the com.apple.quarantine attribute and Gatekeeper) for executables downloaded from the Internet.
The malware disguises itself as legitimate macOS components such as Finder.app or Software Update.app, runs hidden, and borrows macOS’s genuine icons to mislead users. This deception is designed both to avoid detection and to keep the user trusting the prompts they see.
Enhanced Methods for Credential Capture
The second stage of PamStealer is a lean Mach-O file built specifically for Macs with Apple silicon. It reads database files directly through a bundled copy of SQLite, allowing it to gather sensitive information without invoking external tools. Once the malware prompts the user for a password, it validates the input locally through PAM.
As noted by Jamf, “This check is done entirely through PAM: there is no call out to dscl, security, osascript or any spawned process to verify the password.” Because no child process is spawned, process-execution monitoring (where defenders usually watch for dscl or security being invoked by an unexpected parent) sees nothing, and detection has to rely on other signals.
Once a correct password has been entered, the malware displays a deceptive message claiming the installation file is damaged, giving the user a benign explanation for the failed install. It can also prompt the user to grant Full Disk Access to the fake Maccy app, and it includes code to access Ethereum accounts, maximizing the information it can steal.
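Two of the points above translate directly into hunting checks: a process named Finder or Software Update whose executable lives outside Apple's system paths, and a non-system binary that links libpam (the in-process password check leaves no child process, but the library dependency is still visible). The following Python is an added example written for this article, not code from Jamf or from the malware; the process inventory, paths and `otool -L` lines are constructed sample data, and the system-path allowlist is an assumption you should adapt to your fleet.

```python
"""Hunting checks for PamStealer-style tradecraft over a constructed process inventory."""
import re
from dataclasses import dataclass, field

# Assumption: genuine Apple components live under these prefixes. Extend for your fleet.
SYSTEM_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/sbin/", "/bin/")

# Display names the article says PamStealer borrows. Add others you consider sensitive.
IMPERSONATED_NAMES = {"Finder", "Software Update"}

# Matches the install name macOS's PAM library reports, e.g. /usr/lib/libpam.2.dylib
LIBPAM = re.compile(r"/usr/lib/libpam(\.\d+)?\.dylib$")


@dataclass
class Proc:
    pid: int
    name: str                 # display name as shown by `ps -axo pid,comm` / Activity Monitor
    path: str                 # resolved executable path
    libs: list[str] = field(default_factory=list)  # dependency lines as printed by `otool -L`


def is_system_path(path: str) -> bool:
    return path.startswith(SYSTEM_PREFIXES)


def masquerading(p: Proc) -> bool:
    """Name of an Apple component, but the executable is outside Apple's system paths."""
    return p.name in IMPERSONATED_NAMES and not is_system_path(p.path)


def links_pam(p: Proc) -> bool:
    """True if any `otool -L` line names libpam (strip the '(compatibility version ...)' suffix)."""
    return any(LIBPAM.search(line.split(" (")[0].strip()) for line in p.libs)


def pam_from_user_space(p: Proc) -> bool:
    """libpam is normal for sudo/login/screensaver; it is not normal for a binary in Downloads or /tmp."""
    return links_pam(p) and not is_system_path(p.path)


def triage(procs: list[Proc]) -> list[tuple[int, str, str, list[str]]]:
    """Return (pid, name, path, reasons) for every process tripping at least one check."""
    findings = []
    for p in procs:
        reasons = []
        if masquerading(p):
            reasons.append("name impersonates an Apple component outside system paths")
        if pam_from_user_space(p):
            reasons.append("non-system binary links libpam (in-process password check)")
        if reasons:
            findings.append((p.pid, p.name, p.path, reasons))
    return findings


# Constructed sample inventory (not real telemetry). Version numbers are placeholders.
SYSTEM_LIB = "\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1.0.0)"
PAM_LIB = "\t/usr/lib/libpam.2.dylib (compatibility version 2.0.0, current version 3.0.0)"
SAMPLE = [
    Proc(101, "Finder", "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder", [SYSTEM_LIB]),
    Proc(4321, "Finder", "/Users/alice/Downloads/Maccy.app/Contents/MacOS/Finder", [PAM_LIB, SYSTEM_LIB]),
    Proc(555, "Software Update", "/private/tmp/.cache/Software Update.app/Contents/MacOS/updater", [SYSTEM_LIB]),
    Proc(77, "sudo", "/usr/bin/sudo", [PAM_LIB, SYSTEM_LIB]),   # legitimate PAM client, system path
]

if __name__ == "__main__":
    for pid, name, path, reasons in triage(SAMPLE):
        print(f"pid {pid} ({name}) {path}")
        for r in reasons:
            print(f"    - {r}")
```

In practice the `libs` field would come from `otool -L` on the executable path reported by `ps`; note that a binary that loads libpam with dlopen at runtime will not show it in `otool -L`, so for a running process `vmmap` (or an EDR's loaded-image telemetry) is the more reliable source. Neither check proves malice on its own; both are meant to surface candidates for a closer look at the binary and its signing status.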
- Malware Name: PamStealer
- Delivery Method: Disk image masquerading as Maccy
- Primary Programming Language: Rust
- Key Techniques: JXA downloader, local PAM validation
- Deceptive Messages: “Maccy wants to make changes. Enter your password to allow this.”
🤖 This article was rewritten by Feed and Figures' editorial AI from a report originally published by Ars Technica. Facts and quotes are preserved from the original; the rewrite focuses on clarity and structure. For the unedited original, see the source link below.