New ‘PamStealer’ Mac Malware Double-Checks Your Password Before Stealing Your Data

A Mac Studio and Studio Display on a modern desk showing a large bug and virus infection warnings on the screen.

A recently discovered bit of macOS infostealer malware first verifies stolen Mac login passwords before stealing your sensitive data, say researchers at Jamf Threat Labs. By confirming the purloined passwords, attackers have immediate confirmation that the stolen login credentials will work.

Malware in Disguise

Researchers say a new macOS malware campaign has been built around an infostealer called PamStealer, which disguises itself as the legitimate Maccy clipboard manager, using AppleScript with a Rust payload to infect Macs.


Once login credentials are captured, PamStealer verifies the password through Apple’s Pluggable Authentication Modules before continuing to steal your data. This verification step is unusual among macOS infostealers, which traditionally just record whatever password a target enters without confirming it.

Here’s How It All Works

Bad actors will set up a fake website that closely resembles the legitimate Maccy clipboard manager site. The fake website is designed to deliver a malicious AppleScript app disguised as Maccy. The malicious doppelganger site is hosted on the fake domain maccyapp[.]com.


Once the malicious download has been opened, it first checks the system characteristics, keyboard layout and regional settings to confirm that the machine is an intended target before running.

It then downloads a second Rust payload, the “Mach-O” infostealer, which is designed to handle the theft of credentials and browser data, establishing persistence and exfiltration.

PamStealer captures login credentials by displaying what appears to be a legitimate macOS authorization prompt asking the user to enter a password so Maccy can make changes.

While most malware then simply records and saves whatever the victim enters, PamStealer goes the extra mile, validating the password through Apple’s Pluggable Authentication Modules before continuing. This technique uses a legitimate macOS framework to validate the credentials, confirming it’s collected legitimate login information.

Once the password is validated, the second-stage Rust payload begins its dirty work, collecting a wide range of data from the infected system, including saved credentials, SQLite databases, browser cookies, browsing history, clipboard contents, and even cryptocurrency wallet data.

The stolen information is then encrypted before being sent back to the bad guys, making the illicit network traffic more difficult to inspect.

PamStealer relaunches automatically after a user signs in, even impersonating Finder in an attempt to gain Full Disk Access, which greatly expands the amount of information that can be collected without additional authorization prompts.


Jamf says PamStealer’s second-stage malware being written in Rust makes reverse engineering of the malware more difficult, as many strings and code paths are resolved only while the malware is running, not appearing directly in the compiled binary code.

PamStealer is a member of the ever-increasing group of Mac malware that does not rely solely on malicious code, but instead abuses legitimate operating system features to do its dirty work. This reflects the ongoing evolution of macOS-targeted malware that doesn’t depend on previously unknown vulnerabilities.

How to Protect Yourself

Protecting yourself from PamStealer and its like comes down to safe computing habits. Only download software from known and trusted sources. You should also always be skeptical of any unexpected administrator password prompts and closely review any Full Disk Access requests, granting access only to apps you trust.

For more information about PamStealer, visit the Jamf Threat Labs website.
