First reported by Ars Technica: "New PamStealer macOS malware uses two-stage delivery and PAM interface to steal credentials"

New PamStealer macOS Malware Uses Clever Tradecraft To Remain Stealthy

By BeauHD

Source: Slashdot, "New PamStealer macOS Malware Uses Clever Tradecraft To Remain Stealthy" (slashdot.org)

Snippet from the RSS feed:
An anonymous reader quotes a report from Ars Technica: Researchers have found a never-before-seen piece of macOS malware that combines a series of clever tradecraft to infect Macs with stealthy, custom-developed credential-stealing code. The malware is delivered in two stages. The first is distributed in a disk image that masquerades as Maccy, a clipboard manager for Macs. It's compiled as AppleScript that is notable for the way it delivers the second stage. The malware is named PamStealer because the Rust-written infostealer uses the Pluggable Authentication Modules interface built into macOS to validate the target's login password before sending it to an attacker-controlled server. [...]

PamStealer shows a native password prompt designed to resemble a system authorization request. Text that appears with the prompt says: "Maccy wants to make changes. Enter your password to allow this." As noted earlier, once a target complies, the malware validates it locally through the PAM API. "This check is done entirely through PAM: there is no call out to dscl, security, osascript or any spawned process to verify the password, as many commodity macOS stealers do," [said Jamf, a security firm for macOS users]. "The result is a quieter routine that keeps only a verified password, and one fewer process chain for defenders to detect on." If the validation fails, PamStealer displays the prompt again until it receives the correct one. Once the target enters the correct password, PamStealer displays a message stating that the file is damaged and can't be installed. This is designed to be a decoy to prevent the target from suspecting anything is amiss.

The malware uses tactics to maximize the information it can steal. One tactic is to request that the target grant full disk access to the fake Maccy app. It also contains code designed to access Ethereum accounts. The various techniques -- particularly the Script Editor lure, a self-contained JXA dropper, a Rust-based second stage, and local validation of credentials through PAM -- are all noteworthy.

Read more of this story at Slashdot.
