Researchers discovered PamStealer, a novel macOS malware that stealthily collects user credentials. It employs unusual delivery methods and a custom second stage, and it uses Apple's own mechanisms both to evade detection and to validate the passwords it steals.
Jamf researchers have identified a newly discovered malware for macOS called PamStealer. This infostealer is notable for its unique methods of credential collection and execution, departing from common macOS malware practices.
PamStealer is delivered via a disk image disguised as 'Maccy', a clipboard manager for Macs. The first stage is an AppleScript that, upon execution, leads the user to inadvertently trigger the malware's payload.
Uncommonly, PamStealer uses a JavaScript for Automation (JXA) downloader to fetch its second stage, rather than the shell commands typically used for this purpose. This makes the malware harder to detect.
The malware validates login credentials using the Pluggable Authentication Modules (PAM) interface built into macOS. This approach enables it to capture and send credentials to an attacker-controlled server effectively and discreetly.
PamStealer represents a significant evolution in macOS malware by combining familiar techniques with innovative methods to obscure its operation. Its ability to bypass macOS's security measures, such as com.apple.quarantine, raises concerns about user vulnerability to such stealthy attacks.
This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.