Newly Discovered PamStealer: A Unique Threat in the macOS Malware Landscape

Researchers have uncovered a sophisticated piece of macOS malware that utilizes innovative techniques to stealthily infect Macs and steal user credentials. This malware, dubbed PamStealer, is a testament to the evolving landscape of cyber threats targeting businesses and individual users alike.

PamStealer employs a two-stage infection process. Initially, it is distributed through a disk image that poses as Maccy, a legitimate clipboard manager for macOS. This initial stage is executed as an AppleScript, which serves not only to deliver the malicious payload but also as a gateway to its more insidious functionality. The malware is notable for its use of the Rust programming language in its second stage, which uses the Pluggable Authentication Modules (PAM) framework of macOS to validate the victim's login credentials and relays that information to a server controlled by the attacker.

A noteworthy feature of PamStealer is the method by which it conceals its operations. The malware takes advantage of the macOS Script Editor: upon opening the disk image, users are prompted to execute the script with Command-R, triggering the malicious code without raising immediate alarms. This maneuver effectively bypasses the standard macOS security mechanism known as com.apple.quarantine, which normally warns users about potentially harmful files downloaded from the Internet.

According to security experts at Jamf, the combination of disk images and AppleScripts is a common tactic in macOS malware; however, PamStealer stands out due to its distinct execution chain. It avoids the conventional shell commands commonly used in malware, instead retrieving its payload through a JavaScript for Automation (JXA) downloader. This design minimizes detection opportunities and provides a more subtle execution path than typical macOS credential stealers.

The malware is engineered to remain inconspicuous: it masquerades as legitimate macOS applications, including Finder and Software Update components, so that it can run unnoticed. These forged applications use genuine macOS icons, further obscuring their malicious intent. Not only does PamStealer encrypt its command-and-control communications, but it also delays permission prompts, such as the Full Disk Access request, allowing it to operate without attracting immediate scrutiny.
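The masquerading described above (system app names running from non-system paths) is something defenders can hunt for directly. The following is an added example, not code from the article or from Jamf: a heuristic that flags processes reusing built-in macOS app names outside their genuine locations. The trusted paths and the process records are constructed assumptions; on a real host the records would come from `ps -axo pid,comm` or an EDR process listing.

```python
"""Flag processes that reuse built-in macOS app names from non-system paths."""
from dataclasses import dataclass
from typing import Iterable, List

# Names PamStealer is reported to borrow, mapped to where the genuine
# binaries live. Assumption: these are the paths on a stock macOS install.
TRUSTED_APP_LOCATIONS = {
    "Finder": ("/System/Library/CoreServices/Finder.app/",),
    "Software Update": ("/System/Library/CoreServices/Software Update.app/",),
}


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    name: str       # process name as reported by the OS
    exe_path: str   # absolute path of the running executable


def is_masquerading(proc: ProcessRecord) -> bool:
    """True if the process reuses a trusted app name from an untrusted path."""
    trusted = TRUSTED_APP_LOCATIONS.get(proc.name)
    if trusted is None:
        return False  # not a name we track; out of scope for this heuristic
    return not any(proc.exe_path.startswith(prefix) for prefix in trusted)


def find_masquerading(procs: Iterable[ProcessRecord]) -> List[ProcessRecord]:
    """Return every process that fails the name/location consistency check."""
    return [p for p in procs if is_masquerading(p)]


# Constructed sample listing: one genuine Finder, one impostor in a
# user-writable location, one impostor in /private/tmp, one unrelated app.
SAMPLE_PROCS = [
    ProcessRecord(412, "Finder", "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"),
    ProcessRecord(7731, "Finder", "/Users/alice/Library/Application Support/Finder.app/Contents/MacOS/Finder"),
    ProcessRecord(7802, "Software Update", "/private/tmp/Software Update.app/Contents/MacOS/Software Update"),
    ProcessRecord(1200, "Safari", "/Applications/Safari.app/Contents/MacOS/Safari"),
]

if __name__ == "__main__":
    for p in find_masquerading(SAMPLE_PROCS):
        print(f"pid {p.pid}: '{p.name}' running from {p.exe_path}")
```

A match is a lead, not a verdict: follow up by checking the binary's code signature and whether the file carries the com.apple.quarantine attribute.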

From a cybersecurity perspective, this incident highlights key tactics from the MITRE ATT&CK framework. The initial access phase used deception through a benign-looking interface to lure victims into executing the malware. Persistence relied on the disguised-application approach, and privilege escalation techniques were employed when the malware called upon PAM for credential validation.

In summary, the emergence of PamStealer illustrates the continuing evolution of malware targeting macOS systems, adapting methods that reduce detection risks while enhancing the malware’s effectiveness. Business owners and cybersecurity professionals must remain vigilant against such threats, understanding the methodologies and tactics employed by adversaries to safeguard their networks and sensitive information.