PamStealer is a newly discovered threat targeting macOS systems, masquerading as the popular clipboard manager, Maccy. This sophisticated malware quietly gathers user data while avoiding detection.
How PamStealer Operates
Uncovered by Jamf Threat Labs, PamStealer uses a two-stage infection process that blends seamlessly with regular macOS activities. This begins with a deceptive disk image file named “Maccy.dmg” that contains an AppleScript file.
When opened, the script shows users benign-looking instructions. Behind that cover, the embedded malicious code starts the first stage by executing a JavaScript for Automation (JXA) payload through macOS APIs.
Stealth Techniques and System Checks
PamStealer keeps its visible system activity to a minimum while downloading a second-stage payload that poses as a legitimate macOS component. Before continuing, it checks its environment: it derives a unique key from system attributes and exits if the values do not match what it expects.
The malware avoids specific regions, such as Russia, by examining language settings. In its second stage, a Rust-based Mach-O binary conducts activities like credential theft and data exfiltration.
Impact on User Data
PamStealer reads browser SQLite databases to extract saved passwords and cookies, and uses the macOS Security framework to quietly access Keychain data. A fake system prompt captures the user's password, which the malware then validates locally through PAM.
It monitors the clipboard continuously, invoking the pbpaste utility at random intervals to collect sensitive information. For persistence it registers itself as a login item using both the modern and the legacy macOS mechanisms.
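The persistence and clipboard traits described above are the kind of thing a defender can triage from a user's LaunchAgent plists. The following Python script is an added example written for this article, not code from Jamf Threat Labs or from the malware; the sample plists are constructed, the path prefixes and the Maccy bundle location in the watchlist are assumptions, and the heuristics are illustrative rather than published detection rules.

```python
"""Triage helper for macOS LaunchAgent plists, built around the traits the
article attributes to PamStealer: persistence that survives login, clipboard
reads through pbpaste, JXA execution through osascript, and a name that
imitates Maccy. Everything below is constructed for illustration; the
heuristics are assumptions, not published detection rules.
"""
import plistlib
from typing import Dict, List

# Locations an unprivileged user can write to. A RunAtLoad program living
# here deserves a look (assumption: legitimate agents usually point into
# /Applications or /usr). "~" is included because launchd does not expand
# it, so its presence in a path is itself odd.
USER_WRITABLE_PREFIXES = ("/Users/", "~/", "/tmp/", "/private/tmp/", "/var/folders/")

# Hypothetical watchlist: app names an imposter might borrow, mapped to the
# bundle path their real helpers would run from (assumed location).
IMPERSONATION_WATCHLIST = {"maccy": "/Applications/Maccy.app/"}


def analyze_plist(data: bytes) -> List[str]:
    """Return human-readable findings for one serialized LaunchAgent plist."""
    plist = plistlib.loads(data)
    label = str(plist.get("Label", ""))
    args = list(plist.get("ProgramArguments") or [])
    if not args and "Program" in plist:
        args = [plist["Program"]]
    joined = " ".join(args)
    findings: List[str] = []

    # JXA: osascript started with the JavaScript language selector
    if args and args[0].endswith("osascript") and "JavaScript" in args[1:]:
        findings.append("runs JavaScript for Automation via osascript")
    # Clipboard capture through the pbpaste utility
    if "pbpaste" in joined:
        findings.append("invokes pbpaste (clipboard read)")
    # Persistence from a user-writable location
    writable = [a for a in args if a.startswith(USER_WRITABLE_PREFIXES)]
    if plist.get("RunAtLoad") and writable:
        findings.append(f"RunAtLoad with user-writable path: {writable[0]}")
    # Label borrows a known app name but does not run from that app's bundle
    for name, bundle in IMPERSONATION_WATCHLIST.items():
        if name in label.lower() and not any(a.startswith(bundle) for a in args):
            findings.append(f"label imitates {name} but program is outside {bundle}")
    return findings


def scan(plists: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Analyze several plists (filename -> bytes) and keep only those with findings."""
    report = {name: analyze_plist(data) for name, data in plists.items()}
    return {name: f for name, f in report.items() if f}


# Constructed samples, serialized the way they would appear on disk.
SAMPLE_PLISTS: Dict[str, bytes] = {
    "com.example.updater.plist": plistlib.dumps({  # benign, constructed
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
        "StartInterval": 3600,
    }),
    "com.maccy.helper.plist": plistlib.dumps({  # imposter, constructed
        "Label": "com.maccy.helper",
        "ProgramArguments": ["/usr/bin/osascript", "-l", "JavaScript",
                             "/Users/alice/Library/Application Support/.helper/main.js"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "com.apple.clipsync.plist": plistlib.dumps({  # constructed to look like a system component
        "Label": "com.apple.clipsync",
        "ProgramArguments": ["/bin/sh", "-c", "/usr/bin/pbpaste"],
        "StartInterval": 15,
    }),
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_PLISTS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a real host the bytes would come from reading each file under ~/Library/LaunchAgents; the script deliberately accepts serialized plists so the same logic works on files collected from another machine. Login items registered through the modern BackgroundItems mechanism are not covered by this check and need a separate review.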
Communication and Indicators of Compromise
PamStealer communicates with its command-and-control server over encrypted channels and may use blockchain infrastructure to make that control more resilient. Multiple indicators of compromise (IOCs) have been identified, including suspicious domains and deceptive file paths.
This threat underscores the growing complexity of macOS malware, combining native APIs with advanced social engineering to escape traditional detection methods. Users are advised to enhance security measures to counteract these evolving threats.
