Researchers have identified a new macOS malware, named PamStealer, which employs advanced techniques to stealthily infect Macs and steal credentials. The malware is delivered in two stages, starting with a disk image disguised as Maccy, a legitimate clipboard manager. The disk image carries an AppleScript that executes malicious functions when the user interacts with it.
PamStealer utilizes a Rust-based infostealer that interacts with the Pluggable Authentication Modules (PAM) system in macOS to verify the user's login credentials before transmitting them to the attacker. Validating the password through PAM makes the theft quieter and less conspicuous than the approach of typical macOS malware.
Instead of typical shell commands, PamStealer employs a JavaScript for Automation (JXA) downloader using native Objective-C APIs, enhancing its stealth. When users attempt to install the clipboard manager, they unwittingly execute malicious code by pressing Command-R, which circumvents macOS security warnings.
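As an added defender-side example (not from the article or the researchers' analysis), the following Python sketch scans constructed endpoint telemetry for the two behaviours described above: osascript launched with the JavaScript OSA language (JXA), and a process outside an assumed allowlist loading libpam to verify credentials. The event schema, allowlist, path prefixes and sample events are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    kind: str            # "exec" (process start) or "dlopen" (library load)
    process: str         # path of the process image
    args: list[str] = field(default_factory=list)  # argv for exec events
    library: str = ""    # library path for dlopen events

# Binaries expected to use PAM on macOS (assumed allowlist; tune per fleet).
PAM_ALLOWLIST = {"/usr/bin/login", "/usr/bin/sudo", "/usr/bin/su", "/usr/sbin/sshd"}
# Locations a freshly downloaded or DMG-delivered binary typically runs from.
UNTRUSTED_PREFIXES = ("/Volumes/", "/Users/", "/private/tmp/", "/tmp/")

def is_jxa_exec(ev: Event) -> bool:
    """osascript invoked with the JavaScript OSA language (JXA)."""
    if ev.kind != "exec" or not ev.process.endswith("/osascript"):
        return False
    argv = ev.args
    for i, a in enumerate(argv):
        if a == "-l" and i + 1 < len(argv) and argv[i + 1].lower() == "javascript":
            return True
        if a.lower().startswith("-ljavascript"):   # "-lJavaScript" form
            return True
    return False

def is_unexpected_pam_client(ev: Event) -> bool:
    """A process outside the allowlist loading libpam (credential verification)."""
    return (ev.kind == "dlopen" and "libpam" in ev.library
            and ev.process not in PAM_ALLOWLIST)

def detect(events: list[Event]) -> list[dict]:
    findings = []
    for ev in events:
        if is_jxa_exec(ev):
            findings.append({"rule": "jxa_execution", "process": ev.process})
        if is_unexpected_pam_client(ev):
            sev = "high" if ev.process.startswith(UNTRUSTED_PREFIXES) else "medium"
            findings.append({"rule": "unexpected_pam_client",
                             "process": ev.process, "severity": sev})
    return findings

# Constructed sample telemetry; these are not real indicators from the article.
SAMPLE = [
    Event("exec", "/usr/bin/sudo", ["sudo", "-l"]),
    Event("dlopen", "/usr/bin/sudo", library="/usr/lib/libpam.2.dylib"),
    Event("exec", "/usr/bin/osascript", ["osascript", "-l", "JavaScript", "-e", "ObjC.import('Foundation')"]),
    Event("dlopen", "/Volumes/Maccy/Maccy.app/Contents/MacOS/helper", library="/usr/lib/libpam.2.dylib"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

On the sample above the allowlisted sudo events produce nothing, while the JXA launch and the libpam load from a mounted volume each raise a finding.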
The malware’s design incorporates various macOS components disguised to evade detection, while also encrypting its command and control traffic. By suppressing prompts and maintaining a low profile, PamStealer illustrates the evolving nature of macOS threats, making detection increasingly challenging.