
Newly Discovered PamStealer Is Not Typical macOS Malware

Researchers have discovered never-before-seen macOS malware that combines a series of clever techniques to infect Macs with stealthy, custom-developed credential-stealing code.

The malware is delivered in two stages. The first is distributed in a disk image that masquerades as Maccy, a clipboard manager for Mac. It’s compiled into AppleScript, which is notable for how it delivers the second step. The malware is named PamStealer because the infostealer written in Rust uses the Pluggable Authentication Modules interface built into macOS to validate the target’s login password before sending it to an attacker-controlled server.

A Quieter Execution Chain

The use of both disk images and AppleScript is common in Mac malware. More unusual is how PamStealer combines them to gain stealth. When a user double-clicks a compiled AppleScript (.scpt) file, it opens in the macOS Script Editor, where the malicious functionality is buried deep in the file rather than running on its own.

“Rather than relying on shell commands like curl or zsh, AppleScript runs a standalone JavaScript for Automation (JXA) downloader that fetches and organizes the payload using native Objective-C APIs,” wrote researchers at Jamf, a security company for macOS users. “Combined with a Rust-based second stage and a password capture workflow that validates credentials locally via PAM, the result is a quieter execution chain than we typically see in commodity macOS thieves.”

Bypassing Security Measures

When a user who expects to install a trustworthy clipboard manager opens the disk image, they are prompted to press Command-R immediately after double-clicking the script. That key combination runs the script directly from Script Editor, so the malicious AppleScript executes without the user inspecting it. It also lets the runtime sidestep com.apple.quarantine, the macOS extended attribute that triggers warnings and restrictions for executable files downloaded from the Internet.

As Jamf explained:

PamStealer combines an emerging delivery surface with a less familiar payload. While the .scpt clickbait and Script Editor builds on know-how that is already increasingly adopted across the macOS threat landscape, the malware distinguishes itself with a standalone JXA dropper, a Rust-based second stage, and a password capture workflow that validates credentials locally via PAM before harvesting them. This second stage expends considerable effort to remain hidden, impersonate the Finder, encrypt its command and control traffic, and withhold prompts such as requesting full disk access for forty minutes so that its activity does not match launch. Together, these behaviors illustrate how macOS thieves continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard macOS features.

Disguising as Native Applications

The first stage places its payload in a set of applications that impersonate real components built into macOS. Which component is impersonated varies from one sample to another: Finder.app under com.apple.finder.core or com.apple.finder.monitor, and Software Update.app under com.apple.security.daemon, are two examples. In both cases the bundles are hidden, and they display the genuine macOS Finder.icns as their icon so they blend in with the real Finder.
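A defender-side check that follows from the impersonation indicators above, written as an added example (not Jamf's or this article's code): it walks a directory tree and flags .app bundles that carry the Finder.app or Software Update.app name outside the genuine system location, or that use one of the bundle identifiers named in the report. The genuine Finder location is assumed to be /System/Library/CoreServices, the directory tree and the benign bundle are constructed for the demo, and the hidden-flag check relies on the st_flags field that only exists on macOS/BSD.

```python
import os
import plistlib
import stat
import tempfile

# Impersonated bundle names and identifiers from the Jamf report. Genuine
# Finder lives under /System/Library/CoreServices; the same name elsewhere
# is suspicious. Every path created below is constructed for the demo.
SUSPECT_NAMES = {"Finder.app", "Software Update.app"}
SUSPECT_IDS = {"com.apple.finder.core", "com.apple.finder.monitor",
               "com.apple.security.daemon"}
LEGIT_PREFIX = "/System/Library/CoreServices"

def bundle_id(app):
    """Read CFBundleIdentifier from Contents/Info.plist, or None if absent."""
    try:
        with open(os.path.join(app, "Contents", "Info.plist"), "rb") as fh:
            return plistlib.load(fh).get("CFBundleIdentifier")
    except (OSError, plistlib.InvalidFileException):
        return None

def is_hidden(path):
    """Dot-prefixed name or BSD hidden flag (st_flags only exists on macOS/BSD)."""
    flags = getattr(os.lstat(path), "st_flags", 0)
    return os.path.basename(path).startswith(".") or bool(flags & stat.UF_HIDDEN)

def find_impersonators(root):
    """Flag .app bundles named like Finder/Software Update outside the system
    location, or carrying one of the reported bundle identifiers."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in [d for d in dirnames if d.endswith(".app")]:
            dirnames.remove(name)  # do not descend into the bundle itself
            app = os.path.join(dirpath, name)
            bid = bundle_id(app)
            misplaced = name in SUSPECT_NAMES and not app.startswith(LEGIT_PREFIX)
            if misplaced or bid in SUSPECT_IDS:
                hits.append({"path": app, "bundle_id": bid, "hidden": is_hidden(app)})
    return hits

def demo():
    """Build a constructed tree: one impersonator beside one benign bundle."""
    root = tempfile.mkdtemp()
    for sub, bid in [("com.apple.finder.core/Finder.app", "com.apple.finder.core"),
                     ("Benign.app", "com.example.benign")]:
        contents = os.path.join(root, sub, "Contents")
        os.makedirs(contents)
        with open(os.path.join(contents, "Info.plist"), "wb") as fh:
            plistlib.dump({"CFBundleIdentifier": bid}, fh)
    return find_impersonators(root)
```

Point find_impersonators at user-writable locations such as ~/Library and /Applications; a genuine Finder under /System/Library/CoreServices is never flagged by the name rule.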

For more detailed information about this emerging threat, you can read Jamf's full article here.

