In recent months, cybersecurity researchers have identified a new strain of macOS malware that showcases an intricate and sophisticated approach to infiltrating Mac systems. Dubbed PamStealer, this malware leverages clever tradecraft to deploy custom-developed credential-stealing code, making it a notable threat to macOS users.
The Two-Stage Delivery Mechanism
PamStealer is delivered in two stages, which improves its stealth while still compromising the target system. The first stage is a disk image that impersonates Maccy, a legitimate clipboard manager for macOS. Inside it is a compiled AppleScript, and it is this script that sets up the second stage of the attack.
The unique aspect of PamStealer lies in its use of a Rust-written infostealer that interfaces with the Pluggable Authentication Modules (PAM) built into macOS. This design allows it to validate the user’s login password before transmitting the information to a server controlled by attackers.
A Quieter Execution Chain
Although disk images and AppleScript are both common in Mac malware, PamStealer combines them in an unusual way to stay quiet. Double-clicking the AppleScript opens it in the macOS Script Editor rather than running it outright, with the malicious components buried inside the file.
As researchers from Jamf, a prominent macOS security firm, explain:
“Rather than relying on shell commands such as curl or zsh, the AppleScript executes a self-contained JavaScript for Automation (JXA) downloader that retrieves and stages the payload using native Objective-C APIs. Combined with a Rust-based second stage and a password capture workflow that validates credentials locally through PAM, the result is a quieter execution chain than we typically observe in commodity macOS stealers.”
After opening the disk image, users are prompted to press Command-R immediately after double-clicking. That keystroke runs the malicious code directly from within the AppleScript, so it executes without the warning that the com.apple.quarantine attribute would otherwise trigger for files downloaded from the Internet.
The Evolving Nature of Mac Malware
Jamf’s analysis highlights how PamStealer combines emerging delivery techniques with a less familiar payload. The variant pairs a self-contained JXA dropper with a Rust-based second stage and a password capture workflow that validates credentials before harvesting them. The second stage is adept at staying hidden: it masquerades as Finder, encrypts its command-and-control traffic, and delays its prompt for Full Disk Access by up to forty minutes so that the prompt does not line up with the time the malware launched.
The initial stage of the malware cleverly embeds its payload within an application bundle that mimics real components within macOS. This tactic varies from sample to sample, utilizing aliases such as Finder.app under com.apple.finder.core or com.apple.finder.monitor, and even a Software Update.app under com.apple.security.daemon. These disguised components run silently while displaying macOS’s genuine Finder.icns icon, further obfuscating their malicious intent.
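The masquerade pattern above (an Apple-looking bundle name and com.apple.* identifier in a non-Apple location, reusing the Finder icon) lends itself to a simple triage check. The following is an added example written for this page, not code from Jamf or from the article; the trusted-directory list, the reason strings and the fixture tree are assumptions and constructed test data, and the heuristic is meant to be confirmed with code-signature verification rather than used alone.

```python
import os
import plistlib
import tempfile
# Aliases the article reports; genuine Apple bundles live under System/ or Library/Apple/.
REPORTED_ALIASES = {"com.apple.finder.core", "com.apple.finder.monitor", "com.apple.security.daemon"}
APPLE_SYSTEM_DIRS = ("System/", "Library/Apple/")

def inspect_bundle(bundle_path, root="/"):
    """Reasons a .app looks like an Apple masquerade (heuristic; confirm with codesign)."""
    try:
        with open(os.path.join(bundle_path, "Contents", "Info.plist"), "rb") as fh:
            info = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return []
    trusted = os.path.relpath(bundle_path, root).startswith(APPLE_SYSTEM_DIRS)
    bundle_id = str(info.get("CFBundleIdentifier", ""))
    reasons = []
    if bundle_id in REPORTED_ALIASES:
        reasons.append(f"bundle id {bundle_id} matches a reported alias")
    elif bundle_id.startswith("com.apple.") and not trusted:
        reasons.append(f"Apple-namespace id {bundle_id} outside system paths")
    if os.path.basename(bundle_path) in ("Finder.app", "Software Update.app") and not trusted:
        reasons.append("Apple application name outside system paths")
    if str(info.get("CFBundleIconFile", "")).lower().startswith("finder") and not trusted:
        reasons.append("reuses the Finder icon outside system paths")
    return reasons

def scan(root):
    """Walk root for .app bundles; return {relative path: reasons} for suspicious ones."""
    hits = {}
    for dirpath, dirnames, _ in os.walk(root):
        for app in [d for d in dirnames if d.endswith(".app")]:
            dirnames.remove(app)  # do not descend into bundle contents
            reasons = inspect_bundle(os.path.join(dirpath, app), root)
            if reasons:
                hits[os.path.relpath(os.path.join(dirpath, app), root)] = reasons
    return hits

def demo():
    """Build a constructed fixture (not real samples) in a temp dir and scan it."""
    fixtures = {"Library/Application Support/Finder.app": {"CFBundleIdentifier": "com.apple.finder.core",
                                                           "CFBundleIconFile": "Finder.icns"},
                "Applications/Clipboard.app": {"CFBundleIdentifier": "example.clipboard"}}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, plist in fixtures.items():
            os.makedirs(os.path.join(tmp, rel, "Contents"))
            with open(os.path.join(tmp, rel, "Contents", "Info.plist"), "wb") as fh:
                plistlib.dump(plist, fh)
        return scan(tmp)
```

Running `scan("/")` on a real Mac flags only bundles that claim Apple identity outside Apple's own directories; the benign fixture produces no hit while the fake Finder.app produces three reasons.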
This evolving nature of macOS malware, particularly with PamStealer, illustrates a concerning trend within the cybersecurity landscape, where attackers increasingly adopt stealthy execution chains and native implementations that diminish traditional detection opportunities. As cybersecurity threats continue to evolve, it is essential for macOS users to remain vigilant and aware of potential risks.
Image Credit: arstechnica.com