A recent cybersecurity threat has emerged, targeting Mac users through a new malware known as PamStealer. Identified by Jamf Threat Labs, this information-stealing software employs sophisticated tactics to infiltrate systems and extract sensitive data, posing significant risks to users’ privacy and security.
Deceptive Distribution Methods
PamStealer is distributed under the guise of Maccy, a well-known open-source clipboard manager. The malware arrives as a compiled AppleScript file masquerading as the genuine application and abuses macOS Pluggable Authentication Modules (PAM) to validate the login password it captures from the user before proceeding with its malicious activities.
The delivery mechanism is a two-stage process. In the first stage, the malware is disseminated inside a disk image containing a compiled AppleScript, which downloads and launches an additional payload. This second-stage payload, a Rust-based infostealer, steals credentials, gathers browser data, establishes persistence, and exfiltrates the collected data.
Exploiting Lookalike Websites
The initial access vector utilizes a deceptive website, “maccyapp[.]com,” which closely resembles the legitimate Maccy site, “maccy.app.” Upon execution, the AppleScript, cleverly concealed within the disk image, leverages JavaScript for Automation (JXA) alongside native Objective-C APIs to download and stage the stealer payload.
A notable aspect of this attack is that it runs even while the file still carries the com.apple.quarantine extended attribute, the flag macOS places on downloaded files. This capability, coupled with the Rust-based second stage and the PAM-backed password capture workflow, results in a stealthy execution chain that evades typical detection methods.
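As an added defender-side illustration (not code from the article or from Jamf Threat Labs), the following Python scans constructed proxy log lines for hosts that reuse the Maccy brand name or sit within a short edit distance of maccy.app, the only domain the developer names as legitimate. The log format, the user names and the extra lookalike hosts maccy-app.net and macy.app are assumptions made for the demo; only maccyapp[.]com comes from the article.

```python
import re
from urllib.parse import urlparse

BRAND = "maccy"                 # brand token reused by the lookalike domain
LEGIT_DOMAINS = {"maccy.app"}   # the only source the developer names as legitimate

# Constructed sample proxy log lines (timestamp user method url status),
# not taken from the article or from any real environment.
SAMPLE_LOG = """\
2024-05-01T10:01:02Z alice GET https://maccy.app/ 200
2024-05-01T10:02:10Z bob GET https://maccyapp.com/Maccy.dmg 200
2024-05-01T10:03:45Z carol GET https://example.org/docs 200
2024-05-01T10:04:00Z dave GET https://cdn.maccy-app.net/download 200
2024-05-01T10:05:30Z erin GET https://macy.app/ 200
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

def levenshtein(a, b):
    # Edit distance, used to catch single-character typosquats of the real domain.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    # Returns "legit", "brand-lookalike", "typo-lookalike" or "unrelated".
    host = host.lower().strip(".")
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legit"
    reg = ".".join(host.split(".")[-2:])       # crude registrable domain
    compact = re.sub(r"[^a-z0-9]", "", host.rsplit(".", 1)[0])  # "cdn.maccy-app.net" -> "cdnmaccyapp"
    if BRAND in compact:                       # e.g. maccyapp.com, maccy-app.net
        return "brand-lookalike"
    if any(levenshtein(reg, d) <= 2 for d in LEGIT_DOMAINS):
        return "typo-lookalike"                # e.g. macy.app
    return "unrelated"

def scan_proxy_log(text):
    # Returns (timestamp, user, host, verdict) for each access to a lookalike host.
    hits = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        ts, user, _method, url, _status = m.groups()
        host = urlparse(url).hostname or ""
        verdict = classify_host(host)
        if verdict.endswith("lookalike"):
            hits.append((ts, user, host, verdict))
    return hits
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the three lookalike hosts and leaves maccy.app and example.org alone; in practice the brand list and legitimate domains would come from an allowlist rather than constants.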
Targeted Execution and Data Exfiltration
PamStealer incorporates advanced techniques to ensure its execution only on compatible systems. It checks the host’s environment, confirming it runs on Apple Silicon by generating a unique key based on system details such as CPU architecture and locale. This key is pivotal in unlocking an encrypted configuration containing the payload URL and installation path.
On systems with Intel architecture or those in specific regions, primarily Eastern Europe, the decryption fails, preventing the malware from proceeding. Once active, the script contacts an external server, retrieving a Mach-O binary, disguised as the Finder app, which harvests data from browsers, cryptocurrency wallets, and more.
The malware also manipulates users into handing over their system password by presenting a native prompt, re-prompting until the password it captures is verified as correct. It then displays a decoy message claiming the application is damaged and should be discarded, leading victims to believe the download simply failed.
Response from the Maccy Developer
This deceptive campaign has led Alex Rodionov, the creator of Maccy, to issue warnings on official platforms, cautioning users about fake websites that distribute malware under the guise of Maccy. He emphasizes that “maccy.app” is the sole legitimate source for the software.
The emergence of PamStealer highlights the evolving tactics of macOS malware, which increasingly adopts discreet execution methods and native implementations to bypass traditional security measures while remaining compatible with standard macOS functionality.
