
PamStealer: The Malware that Pre-verifies Stolen Passwords


Researchers at Jamf Threat Labs have discovered a macOS infostealer, dubbed PamStealer, that verifies the Mac login password it captures before it goes on to steal sensitive data. Confirming the password up front means the attackers know that the credential they exfiltrate actually works.

Malware Disguised as Legitimate Software

PamStealer poses as the legitimate Maccy clipboard manager and infects Macs with an AppleScript first stage followed by a Rust payload. Its distinguishing trait is that it runs the captured login password through Apple's Pluggable Authentication Modules (PAM) framework to confirm it is correct. This verification step is uncommon among macOS infostealers, which typically capture whatever the user types without checking it.

Operation of PamStealer

The operators stand up a look-alike of the legitimate Maccy site on the domain maccyapp[.]com and use it to distribute a malicious AppleScript app disguised as Maccy. Once opened, the app profiles the system before downloading the second stage, a Rust infostealer shipped as a Mach-O binary, built to steal credentials, browser data, and more.
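A quick check a practitioner can run on a downloaded "Maccy" before opening it: decide whether the bundle is an AppleScript applet or a compiled app. This is an added example for this article, not code from Jamf Threat Labs or the Maccy project. It assumes the standard Script Editor applet layout (stock executable Contents/MacOS/applet plus a compiled script at Contents/Resources/Scripts/main.scpt), whereas a compiled Swift/Objective-C app names its executable after itself and carries no main.scpt. The two bundles it builds for the demonstration are constructed on disk.

```python
"""Spot an AppleScript applet masquerading as a compiled app such as Maccy.

Added example for this article; it is not code from Jamf Threat Labs or the
Maccy project.  Assumptions: Script Editor applets carry the stock executable
Contents/MacOS/applet and a compiled script at
Contents/Resources/Scripts/main.scpt, while a compiled Swift/Objective-C app
has an executable named after itself and no main.scpt.  The bundles built
here are constructed purely for the demonstration.
"""
import plistlib
import sys
import tempfile
from pathlib import Path


def classify_app_bundle(bundle: Path) -> dict:
    """Return the indicators that mark a bundle as an AppleScript applet."""
    info_plist = bundle / "Contents" / "Info.plist"
    executable = None
    if info_plist.is_file():
        with info_plist.open("rb") as fh:
            executable = plistlib.load(fh).get("CFBundleExecutable")
    main_scpt = bundle / "Contents" / "Resources" / "Scripts" / "main.scpt"
    has_main_scpt = main_scpt.is_file()
    return {
        "bundle": str(bundle),
        "executable": executable,
        "has_main_scpt": has_main_scpt,
        "is_applet": executable == "applet" or has_main_scpt,
    }


def make_constructed_bundle(parent: Path, name: str, applet: bool) -> Path:
    """Create a minimal fake .app for the demo (constructed, not a real app)."""
    bundle = parent / f"{name}.app"
    executable = "applet" if applet else name
    (bundle / "Contents" / "MacOS").mkdir(parents=True)
    (bundle / "Contents" / "MacOS" / executable).write_bytes(b"")
    with (bundle / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleName": name, "CFBundleExecutable": executable}, fh)
    if applet:
        scripts = bundle / "Contents" / "Resources" / "Scripts"
        scripts.mkdir(parents=True)
        # Compiled AppleScript files begin with the "FasdUAS" magic; the rest is filler.
        (scripts / "main.scpt").write_bytes(b"FasdUAS 1.101.10")
    return bundle


def demo() -> dict:
    """Build one applet-style and one compiled-style 'Maccy.app' and classify both."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "download").mkdir()
        (root / "reference").mkdir()
        fake = make_constructed_bundle(root / "download", "Maccy", applet=True)
        genuine = make_constructed_bundle(root / "reference", "Maccy", applet=False)
        return {"fake": classify_app_bundle(fake), "genuine": classify_app_bundle(genuine)}


if __name__ == "__main__":
    targets = [Path(p) for p in sys.argv[1:]]
    results = [classify_app_bundle(t) for t in targets] if targets else list(demo().values())
    for r in results:
        verdict = "APPLESCRIPT APPLET" if r["is_applet"] else "compiled app"
        print(f"{r['bundle']}: {verdict} (executable={r['executable']}, main.scpt={r['has_main_scpt']})")
```

Run it with one or more .app paths as arguments to inspect real bundles; with no arguments it classifies the two constructed bundles. An applet verdict is not proof of malice on its own (legitimate AppleScript applets exist), but a clipboard manager that claims to be a compiled app and turns out to be an applet is worth treating as hostile until its signature and origin are checked.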

To harvest the password, PamStealer shows a fake macOS authorization dialog and validates whatever the user enters through PAM, so only a working password is kept. The second-stage Rust payload then collects data from the infected system, encrypts it, and sends it to the attackers.

PamStealer relaunches automatically after the user signs in and tries to obtain Full Disk Access by impersonating Finder; with that permission it can read far more data without triggering further consent prompts. Writing the second stage in Rust also makes it harder to reverse engineer.
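Because the Full Disk Access grant is the step that unlocks the most data, the check a responder wants after a suspected infection is a list of who holds that permission and how loosely each grant is bound. The script below is an added example for this article, not Jamf's code. It assumes the layout of the TCC system database (/Library/Application Support/com.apple.TCC/TCC.db, table `access`): `service` names the permission, `client` is a bundle identifier or an absolute path depending on `client_type` (0 = bundle ID, 1 = path), `auth_value` 2 means allowed, and `csreq` holds the code-signing requirement the grant is bound to. The rows it loads by default are constructed sample data, and the Maccy bundle identifier used there (org.p0deje.Maccy) is assumed.

```python
"""List Full Disk Access grants in a TCC database and flag weakly bound ones.

Added example for this article, not code from Jamf Threat Labs.  Assumptions
about the TCC schema (system database
/Library/Application Support/com.apple.TCC/TCC.db, table `access`):
`service` names the permission, `client` is a bundle identifier or absolute
path depending on `client_type` (0 = bundle ID, 1 = path), `auth_value` 2
means allowed, and `csreq` holds the code-signing requirement the grant is
bound to.  SAMPLE_ROWS are constructed data for the demonstration.
"""
import sqlite3
import sys

FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"
AUTH_ALLOWED = 2
CLIENT_TYPE_PATH = 1

# Constructed sample rows: (service, client, client_type, auth_value, csreq).
# The csreq bytes are only a placeholder standing in for a real requirement blob.
SAMPLE_ROWS = [
    (FDA_SERVICE, "com.apple.Terminal", 0, AUTH_ALLOWED, b"\xfa\xde\x0c\x00"),
    (FDA_SERVICE, "/Users/alice/Downloads/Maccy.app/Contents/MacOS/applet", 1, AUTH_ALLOWED, None),
    (FDA_SERVICE, "com.example.backupagent", 0, AUTH_ALLOWED, None),
    (FDA_SERVICE, "com.example.denied", 0, 0, None),
    ("kTCCServiceAccessibility", "org.p0deje.Maccy", 0, AUTH_ALLOWED, b"\xfa\xde\x0c\x00"),
]


def load_constructed_db() -> sqlite3.Connection:
    """Build an in-memory database with the subset of `access` columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, csreq BLOB)"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def audit_full_disk_access(conn: sqlite3.Connection) -> list[dict]:
    """Return every active FDA grant with the reasons (if any) it deserves a second look."""
    rows = conn.execute(
        "SELECT client, client_type, csreq FROM access WHERE service = ? AND auth_value = ?",
        (FDA_SERVICE, AUTH_ALLOWED),
    ).fetchall()
    findings = []
    for client, client_type, csreq in rows:
        reasons = []
        if client_type == CLIENT_TYPE_PATH:
            reasons.append("grant is bound to a filesystem path, not a bundle identifier")
        if csreq is None:
            reasons.append("no code-signing requirement: any binary with this identity inherits the grant")
        if "/Downloads/" in client or client.endswith("/applet"):
            reasons.append("client lives in Downloads or is a stock AppleScript applet executable")
        findings.append({"client": client, "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    db = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else load_constructed_db()
    for f in audit_full_disk_access(db):
        flag = "REVIEW" if f["suspicious"] else "ok    "
        print(f"{flag} {f['client']}")
        for reason in f["reasons"]:
            print(f"       - {reason}")
```

On a real Mac the system TCC database is root-only and the process reading it must itself hold Full Disk Access, so run the script with sudo from a terminal that already has the permission, passing the database path as the argument. The audit cannot tell you that a prompt was spoofed; what it shows is which identities ended up with the permission, and a path-bound or requirement-less grant to something in Downloads is exactly the kind of entry this campaign would leave behind.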

PamStealer is part of a growing trend in Mac malware that abuses legitimate OS features, in this case the authorization dialog, PAM and the Full Disk Access permission, rather than relying on anything exotic.


Protecting Yourself

To safeguard against PamStealer and similar threats, practice safe computing habits. Download software only from the developer's own site or another reputable source, treat unexpected administrator-password prompts with suspicion, and read Full Disk Access requests carefully before approving them. For more information on PamStealer, visit the Jamf Threat Labs website.
