Ask Runable forDesign-Driven General AI AgentTry Runable For Free
Runable
Back to Blog
Technology6 min read

Newly discovered PamStealer isn't your typical macOS malware - Ars Technica

The discovery underscores the increased effort being poured into Mac infostealers. Discover insights about newly discovered pamstealer isn't your typical macos

TechnologyInnovationBest PracticesGuideTutorial
Newly discovered PamStealer isn't your typical macOS malware - Ars Technica
Listen to Article
0:00
0:00
0:00

Newly discovered Pam Stealer isn't your typical mac OS malware - Ars Technica

Overview

Newly discovered Pam Stealer isn’t your typical mac OS malware

The discovery underscores the increased effort being poured into Mac infostealers.

Details

Researchers have found a never-before-seen piece of mac OS malware that combines a series of clever tradecraft to infect Macs with stealthy, custom-developed credential-stealing code.

The use of both disk image and Apple Script is common in malware for Macs. More unusual is the way Pam Stealer combines them to gain stealth. When the Apple Script is double-clicked, it’s opened in the mac OS Script Editor, where the malicious functionality is buried deep within the file.

“Rather than relying on shell commands such as curl or zsh, the Apple Script executes a self-contained Java Script for Automation (JXA) downloader that retrieves and stages the payload using native Objective-C APIs,” researchers from Jamf, a security firm for mac OS users, wrote. “Combined with a Rust-based second stage and a password capture workflow that validates credentials locally through PAM, the result is a quieter execution chain than we typically observe in commodity mac OS stealers.”

When a user, expecting to install a trustworthy clipboard manager, encounters the disk image, they’re prompted to press Command-R immediately after double-clicking it. This command executes malicious code inside the Apple Script directly. It also allows the execution to bypass com.apple.quarantine, a mac OS attribute that provides warnings and restrictions when executable files have been downloaded from the Internet.

Pam Stealer combines a recently emerging delivery surface with a less familiar payload. While the clickable .scpt and Script Editor lure build on tradecraft that is already gaining adoption across the mac OS threat landscape, the malware distinguishes itself through a self-contained JXA dropper, a Rust-based second stage, and a password capture workflow that validates credentials locally through PAM before harvesting them. That second stage puts considerable effort into staying hidden, masquerading as Finder, encrypting its command-and-control traffic, and holding back prompts like the Full Disk Access request for as long as forty minutes so its activity does not line up with launch. Together, these behaviors illustrate how commodity mac OS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard mac OS features.

Pam Stealer combines a recently emerging delivery surface with a less familiar payload. While the clickable .scpt and Script Editor lure build on tradecraft that is already gaining adoption across the mac OS threat landscape, the malware distinguishes itself through a self-contained JXA dropper, a Rust-based second stage, and a password capture workflow that validates credentials locally through PAM before harvesting them. That second stage puts considerable effort into staying hidden, masquerading as Finder, encrypting its command-and-control traffic, and holding back prompts like the Full Disk Access request for as long as forty minutes so its activity does not line up with launch. Together, these behaviors illustrate how commodity mac OS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard mac OS features.

The first stage puts its payload inside an app bundle that impersonates real components built into mac OS. The component changes from sample to sample of the malware. Finder.app under com.apple.finder.core or com.apple.finder.monitor, and a Software Update.app under com.apple.security.daemon, are two examples. In either case, they run hidden. They also display mac OS’s genuine Finder.icns as its icon.

The second stage is a lean Mach-O file written for Macs running on Apple CPUs. The attacker’s choice to write it in Rust is relatively uncommon for mac OS infostealers. More common are languages such as Swift, Go, and Objective-C. This binary calls the read interface of a bundled SQLite app. This allows the infostealer to read database files directly.

Pam Stealer shows a native password prompt designed to resemble a system authorization request. Text that appears with the prompt says: “Maccy wants to make changes. Enter your password to allow this.” As noted earlier, once a target complies, the malware validates it locally through the PAM API.

“This check is done entirely through PAM: there is no call out to dscl, security, osascript or any spawned process to verify the password, as many commodity mac OS stealers do,” Jamf said. “The result is a quieter routine that keeps only a verified password, and one fewer process chain for defenders to detect on.”

If the validation fails, Pam Stealer displays the prompts again until it receives the correct one. Once the target enters the correct password, Pam Stealer displays a message stating that the file is damaged and can’t be installed. This is designed to be a decoy to prevent the target from suspecting anything is amiss.

The malware uses tactics to maximize the information it can steal. One tactic is to request the target grant full disk access to the fake Maccy app. It also contains code designed to access ethereum accounts.

The various techniques—particularly the Script Editor lure, a self-contained JXA dropper, a Rust-based second stage, and local validation of credentials through PAM are all noteworthy.

“Together, these behaviors illustrate how commodity mac OS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard mac OS features,” Jamf said.

  1.          T-Mobile moving tens of thousands of virtual machines off VMware amid lawsuit
    
  2.          US home battery installations hit record high on rising electricity costs
    
  3.          Sony erases digital content from libraries; we're reminded we don’t own what we buy
    
  4.          NASA inspector general suggests Boeing's Starliner will now be a decade late
    
  5.          Sony announces end of Play Station discs, parts of digital store in the same day
    

Ars Technica has been separating the signal from the noise for over 25 years. With our unique combination of technical savvy and wide-ranging interest in the technological arts and sciences, Ars is the trusted source in a sea of information. After all, you don’t need to know everything, only what’s important.

Key Takeaways

  • Newly discovered Pam Stealer isn’t your typical mac OS malware

  • The discovery underscores the increased effort being poured into Mac infostealers

  • Researchers have found a never-before-seen piece of mac OS malware that combines a series of clever tradecraft to infect Macs with stealthy, custom-developed credential-stealing code

  • The use of both disk image and Apple Script is common in malware for Macs

  • “Rather than relying on shell commands such as curl or zsh, the Apple Script executes a self-contained Java Script for Automation (JXA) downloader that retrieves and stages the payload using native Objective-C APIs,” researchers from Jamf, a security firm for mac OS users, wrote

Cut Costs with Runable

Cost savings are based on average monthly price per user for each app.

Which apps do you use?

Apps to replace

ChatGPTChatGPT
$20 / month
LovableLovable
$25 / month
Gamma AIGamma AI
$25 / month
HiggsFieldHiggsField
$49 / month
Leonardo AILeonardo AI
$12 / month
TOTAL$131 / month

Runable price = $9 / month

Saves $122 / month

Runable can save upto $1464 per year compared to the non-enterprise price of your apps.