
PamStealer Malware Uses macOS PAM to Validate Stolen Credentials

arstechnica.com · @systems_wire · 2 hours ago · Cybersecurity · 2 comments

PamStealer, a two-stage infostealer, masquerades as the Maccy clipboard manager, uses an AppleScript loader to fetch its Rust payload, and runs the login passwords it steals through Pluggable Authentication Modules (PAM) to confirm they are valid before exfiltrating them.

Tags: pamstealer, macos, maccy, pluggable authentication modules, applescript, rust

PamStealer doesn't just steal your macOS password. It checks that the password is correct first, by running it through the system's own Pluggable Authentication Modules (PAM) before sending it anywhere. That level of stealth and specificity sets it apart from typical macOS malware.

A Two-Stage Masquerade

The initial infection vector is a disk image that poses as Maccy, a legitimate clipboard manager for Macs. Inside that image sits an AppleScript file. When a victim double-clicks it, macOS opens the script in Script Editor rather than executing it, and the malicious functionality is buried deep within the file, so a glance at the top of the script shows nothing alarming. That ordinary-looking behavior, a script simply opening in its editor, helps the malware fly under the radar.

AppleScript itself isn't unusual for Mac malware, but the way PamStealer layers it matters. The script acts as a first-stage loader that pulls down the real payload: an infostealer written in Rust. Rust gives the authors a compiled, cross-platform build, but the real cleverness is in the next stage.

Calling PAM for Stealth

Once the Rust infostealer is active, it uses the PAM interface, the same authentication API that macOS components such as login and sudo go through, to confirm that the captured login password is correct before shipping it to an attacker-controlled server. Checking a candidate password any other way would mean extra round trips or trial-and-error that is easier to notice. By doing the check locally through PAM, PamStealer needs no additional network traffic to verify the credential and exfiltrates only passwords that actually work. That cuts down on false positives for the operator and keeps the malware quiet. Note that, as described, the stealer calls the PAM API the way a legitimate client would; it does not install or modify a PAM module.

The combination of a clipboard-manager decoy, an AppleScript loader that opens in Script Editor, and PAM-based password validation makes this a more sophisticated piece of Mac malware than the usual adware or info-stealing scripts floating around. Security teams should pay attention to unusual PAM activity and to AppleScript execution on endpoints, in particular scripts run from a freshly mounted disk image. Because this variant calls PAM rather than altering it, an integrity check of /etc/pam.d alone will not catch the validation step; the useful signal is an unexpected process driving an authentication request.

As macOS malware evolves to lean on system authentication interfaces like PAM, defenders need to monitor PAM configuration integrity and AppleScript activity more aggressively, because the next variant might not bother masquerading as a clipboard manager, and might go further than calling PAM and tamper with the stack itself.
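The PAM-integrity monitoring recommended above is straightforward to put into practice. The following audit script is an added example written for this page; it is not code from the Ars Technica report, from the PamStealer sample, or from Apple. It parses /etc/pam.d-style service files and flags three things: modules loaded by absolute path from outside the system module directory, module names missing from a baseline allowlist, and an auth stack that can grant access without ever consulting the password-verifying module. The module directory (/usr/lib/pam), the allowlist contents and the role of pam_opendirectory.so are stated as assumptions about a stock macOS install; tune them to your own gold image. The sample stack files embedded at the bottom are constructed for the demonstration, not captured from a real host.

```python
"""Audit /etc/pam.d-style stack files for tampering (added example).

Checks per service file:
  * a module is loaded by absolute path from outside the system module dir;
  * a module name is not on the baseline allowlist;
  * the 'auth' stack can grant access without a real password check
    (pam_permit.so on an auth line, or no pam_opendirectory.so at all).
"""
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Assumption: stock macOS PAM modules live here.
SYSTEM_MODULE_DIR = "/usr/lib/pam"

# Assumption: baseline allowlist of stock module names. Illustrative, not an
# Apple-published list; adjust to match your fleet's known-good image.
KNOWN_MODULES = {
    "pam_opendirectory.so", "pam_krb5.so", "pam_ntlm.so", "pam_mount.so",
    "pam_nologin.so", "pam_launchd.so", "pam_uwtmp.so", "pam_smartcard.so",
    "pam_permit.so", "pam_deny.so", "pam_group.so", "pam_tid.so",
    "pam_self.so", "pam_rootok.so", "pam_env.so",
}

# Assumption: the module that actually verifies the account password on macOS.
PASSWORD_MODULE = "pam_opendirectory.so"


@dataclass
class Finding:
    service: str
    line_no: int      # 0 means the finding applies to the whole file
    reason: str
    text: str


def audit_service(service: str, text: str) -> List[Finding]:
    """Return findings for one pam.d service file supplied as text."""
    findings: List[Finding] = []
    auth_lines = 0
    password_checked = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        parts = line.split()                      # type control module [args...]
        if len(parts) < 3:
            findings.append(Finding(service, n, "malformed entry", raw))
            continue
        ptype, module = parts[0].lower(), parts[2]
        name = module.rsplit("/", 1)[-1]
        if "/" in module and not module.startswith(SYSTEM_MODULE_DIR + "/"):
            findings.append(Finding(service, n,
                f"module loaded from outside {SYSTEM_MODULE_DIR}", raw))
        elif name not in KNOWN_MODULES:
            findings.append(Finding(service, n, "module not in baseline allowlist", raw))
        if ptype == "auth":
            auth_lines += 1
            if name == PASSWORD_MODULE:
                password_checked = True
            elif name == "pam_permit.so":
                findings.append(Finding(service, n,
                    "pam_permit.so on an auth line succeeds unconditionally", raw))
    if auth_lines and not password_checked:
        findings.append(Finding(service, 0,
            f"auth stack never consults {PASSWORD_MODULE}", ""))
    return findings


def audit_directory(pam_dir: str = "/etc/pam.d") -> List[Finding]:
    """Audit every service file in a pam.d directory on a live host."""
    findings: List[Finding] = []
    for path in sorted(Path(pam_dir).iterdir()):
        if path.is_file():
            findings.extend(audit_service(path.name, path.read_text(errors="replace")))
    return findings


# Constructed samples for the demonstration (not captured from a real host).
STOCK_LOGIN = """\
# login: auth account password session  (modelled on a stock file)
auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
account    required       pam_nologin.so
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    required       pam_uwtmp.so
session    optional       pam_mount.so
"""

TAMPERED_SUDO = """\
# sudo: constructed example of a tampered stack
auth       sufficient     pam_permit.so
auth       required       /Users/Shared/.cache/pam_helper.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
"""

NO_PASSWORD_CHECK = """\
auth       required       pam_smartcard.so
account    required       pam_permit.so
"""

if __name__ == "__main__":
    samples = (("login", STOCK_LOGIN), ("sudo", TAMPERED_SUDO), ("screensaver", NO_PASSWORD_CHECK))
    for svc, text in samples:
        for f in audit_service(svc, text):
            print(f"{f.service}:{f.line_no}: {f.reason}  {f.text.strip()}")
```

Run it against the samples to see the tampered sudo stack produce two findings (the unconditional pam_permit.so auth line and the module loaded from /Users/Shared) and the smartcard-only stack one; on a real Mac, call audit_directory() and diff the result against the output from a known-good machine. Remember that this check covers the configuration only: a process that merely calls PAM, as PamStealer is described as doing, leaves /etc/pam.d untouched and has to be caught through process and authentication telemetry instead.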


Source: Newly discovered PamStealer isn't your typical macOS malware
Domain: arstechnica.com


