
New PamStealer macOS Malware Uses Clever Know-How to Stay Stealthy (arstechnica.com)

New macOS Malware: PamStealer’s Stealthy Techniques Unveiled

An anonymous reader cites a report from Ars Technica on a newly discovered macOS malware dubbed “PamStealer.” The malware stands out for its sophisticated and stealthy approach to compromising Macs: by disguising itself as a legitimate app and using a custom-built credential-stealing method, PamStealer has become a significant threat to Mac users worldwide.

The Two-Stage Delivery Mechanism

PamStealer is delivered in two distinct stages. The first stage masquerades as “Maccy,” a legitimate clipboard manager for Mac, and is distributed as a disk image; it is compiled AppleScript that sets up the subsequent infection. The second stage is where the malware shows its ingenuity: a Rust-based infostealer that abuses the Pluggable Authentication Modules (PAM) interface built into macOS.

Deceptive Authentication and Execution

PamStealer’s unique tactics include displaying a native password prompt that mimics a legitimate system permission request. The prompt misleadingly states, “Maccy would like to make changes. Enter your password to allow this.” Once the user complies, the malware takes advantage of the PAM API to validate the entered password locally, without triggering conventional security alerts. This method avoids the usual calls to commands like dscl, security, and osascript, making detection by defenders significantly more challenging.

If the password validation fails, the malware persistently prompts the user until the correct password is entered. Subsequently, it deceives the user by displaying a message that claims the file is damaged and cannot be installed, cleverly concealing its malicious activity and preventing suspicion.

Advanced Information Stealing Tactics

PamStealer is designed to maximize the information it can extract from an infected system. One tactic is to ask the user to grant Full Disk Access to the counterfeit Maccy application. The malware also contains code specifically aimed at accessing Ethereum accounts, highlighting the threat it poses to users’ financial assets.

The sophistication of PamStealer is evident in its use of various techniques, such as the Script Editor bait, a standalone JXA dropper, and the Rust-based second stage. These methods, combined with the local validation of credentials via PAM, make PamStealer a noteworthy and advanced piece of malware.
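The defensive point of the PAM detail above is that a stealer validating passwords through libpam never spawns dscl, security or osascript, so process-spawn monitoring misses it; what it cannot hide is the dynamic link to PAM in its Mach-O load commands. The following triage helper, an added example that is not from the Ars Technica report or the PamStealer sample, parses a 64-bit Mach-O's LC_LOAD_DYLIB commands and flags any image that links /usr/lib/libpam.2.dylib (Apple's PAM library install name). A third-party clipboard manager has no legitimate reason to do that. The sample binary is constructed inline so the parser runs offline; real app binaries can be passed as a path.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF             # 64-bit Mach-O, little-endian (x86_64 / arm64)
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
PAM_LIB = "/usr/lib/libpam.2.dylib"  # install name of Apple's PAM library

def linked_dylibs(data: bytes) -> list[str]:
    """Return the install names of every dylib a 64-bit Mach-O image links against."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        # Universal (fat) binaries and 32-bit slices are out of scope for this helper.
        raise ValueError("not a 64-bit little-endian Mach-O image")
    off, end, names = 32, 32 + sizeofcmds, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command table")
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name_off = struct.unpack_from("<I", data, off + 8)[0]  # dylib.name offset
            raw = data[off + name_off:off + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode())
        off += cmdsize
    return names

def links_pam(data: bytes) -> bool:
    """True if the image loads libpam, which a clipboard manager has no reason to do."""
    return PAM_LIB in linked_dylibs(data)

def _dylib_cmd(name: str) -> bytes:
    # LC_LOAD_DYLIB layout: cmd, cmdsize, name offset (24), timestamp, current, compat, string
    body = name.encode() + b"\0"
    size = 24 + len(body)
    size += (-size) % 8  # load commands are padded to 8-byte multiples
    return struct.pack("<6I", LC_LOAD_DYLIB, size, 24, 0, 0, 0) + body.ljust(size - 24, b"\0")

def build_sample(dylibs: list[str]) -> bytes:
    """Constructed minimal Mach-O header plus load commands (no code), for exercising the parser."""
    cmds = b"".join(_dylib_cmd(n) for n in dylibs)
    # magic, cputype (arm64), cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(dylibs), len(cmds), 0, 0) + cmds

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(
        ["/usr/lib/libSystem.B.dylib", PAM_LIB])
    for name in linked_dylibs(data):
        print(("PAM  " if name == PAM_LIB else "     ") + name)
```

On a Mac the same linkage is visible with `otool -L`; this parser is for triaging extracted app binaries on a non-Mac analysis host.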

For more in-depth coverage of PamStealer and its implications, you can read the original report here.

