AI News AI资讯 8d ago Updated 7d ago 更新于 7天前 46

Newly discovered PamStealer isn't your typical macOS malware 新发现的PamStealer并非典型的macOS恶意软件

Researchers identified PamStealer, a novel macOS credential stealer disguised as the legitimate clipboard manager Maccy. The malware employs a sophisticated two-stage delivery using AppleScript and JavaScript for Automation (JXA) to bypass macOS quarantine protections. It utilizes a Rust-based second stage that leverages the Pluggable Authentication Modules (PAM) interface for local password validation, avoiding suspicious external process calls. The infostealer exhibits stealthy behaviors, incl 研究人员发现新型macOS恶意软件PamStealer,伪装成剪贴板管理器Maccy,利用AppleScript和磁盘镜像进行两阶段投递。 第二阶段使用Rust编写,通过macOS原生PAM接口本地验证用户密码,避免调用外部进程以降低检测风险。 恶意软件采用隐蔽执行链,包括绕过隔离属性、伪装系统组件图标及延迟请求权限,以规避传统安全监控。 该恶意软件旨在窃取凭证及以太坊账户信息,展示了macOS窃密工具向更安静、原生化方向演变的趋势。

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • Researchers identified PamStealer, a novel macOS credential stealer disguised as the legitimate clipboard manager Maccy.
  • The malware employs a sophisticated two-stage delivery using AppleScript and JavaScript for Automation (JXA) to bypass macOS quarantine protections.
  • It utilizes a Rust-based second stage that leverages the Pluggable Authentication Modules (PAM) interface for local password validation, avoiding suspicious external process calls.
  • The infostealer exhibits stealthy behaviors, including masquerading as system processes like Finder, encrypting C2 traffic, and delaying permission requests to evade detection.

Why It Matters

This discovery highlights a significant evolution in macOS malware tradecraft, moving away from noisy, script-heavy attacks toward quieter, native implementations that blend seamlessly with legitimate system operations. For security practitioners, it underscores the increasing difficulty of detecting credential theft using traditional monitoring tools, necessitating deeper inspection of native API usage and behavioral anomalies rather than just signature-based detection.

Technical Details

  • Delivery Mechanism: Distributed via a disk image mimicking Maccy; execution is triggered by pressing Command-R in Script Editor, which bypasses com.apple.quarantine attributes.
  • Execution Chain: The first stage uses a self-contained JXA downloader to fetch the payload via native Objective-C APIs, avoiding shell commands like curl or zsh.
  • Second Stage Architecture: Written in Rust (uncommon for macOS stealers), producing a lean Mach-O binary that interacts directly with SQLite databases to harvest credentials.
  • Credential Harvesting: Validates passwords locally through the PAM API without spawning auxiliary processes (e.g., dscl, security), significantly reducing the process chain footprint.
  • Evasion Tactics: Masquerades as Finder.app or Software Update.app, uses genuine icons, encrypts command-and-control traffic, and delays Full Disk Access prompts by up to forty minutes.

Industry Insight

  • Shift to Native Implementations: Attackers are increasingly adopting languages like Rust and leveraging native OS interfaces (like PAM) to create more efficient and harder-to-detect malware, requiring defenders to update heuristic models.
  • Social Engineering Evolution: The use of familiar applications (Maccy) combined with specific keyboard shortcuts (Command-R) demonstrates a refined social engineering approach that exploits user trust and procedural familiarity.
  • Detection Strategy Adjustment: Security teams should prioritize monitoring for unusual native API calls and process behaviors that deviate from standard application workflows, rather than relying solely on network-based indicators or known malicious binaries.

TL;DR

  • 研究人员发现新型macOS恶意软件PamStealer,伪装成剪贴板管理器Maccy,利用AppleScript和磁盘镜像进行两阶段投递。
  • 第二阶段使用Rust编写,通过macOS原生PAM接口本地验证用户密码,避免调用外部进程以降低检测风险。
  • 恶意软件采用隐蔽执行链,包括绕过隔离属性、伪装系统组件图标及延迟请求权限,以规避传统安全监控。
  • 该恶意软件旨在窃取凭证及以太坊账户信息,展示了macOS窃密工具向更安静、原生化方向演变的趋势。

为什么值得看

这篇文章揭示了macOS恶意软件在隐蔽性和原生API利用方面的最新进化,特别是通过PAM接口本地验证密码的技术,这对现有的基于进程监控的安全防御提出了新挑战。对于安全从业者和macOS用户而言,理解这种“安静”的执行链有助于优化检测规则并提高对新型社会工程学攻击的警惕性。

技术解析

  • 两阶段投递与伪装:第一阶段通过伪装成Maccy的磁盘镜像分发,内含AppleScript。用户双击后需按Command-R触发恶意代码,此举可绕过com.apple.quarantine隔离属性。脚本使用JavaScript for Automation (JXA)下载器,通过原生Objective-C API获取第二阶段载荷,而非传统的shell命令如curl或zsh。
  • Rust编写的第二阶段载荷:第二阶段是一个针对Apple CPU优化的Mach-O文件,使用相对少见的Rust语言编写。该载荷会伪装成Finder或Software Update等系统组件,使用真实图标隐藏自身,并通过加密通道与C2服务器通信。它还包含SQLite读取接口,可直接访问数据库文件。
  • PAM本地凭证验证:PamStealer的核心创新在于利用Pluggable Authentication Modules (PAM)接口在本地验证用户输入的登录密码。不同于其他窃密软件调用dsclsecurityosascript等外部进程,PAM验证过程完全在内部完成,减少了进程链痕迹,使检测更加困难。
  • 社会工程学与反检测策略:恶意软件显示伪造的系统授权提示框,若密码验证失败则重复提示,成功后则显示“文件损坏”的欺骗性消息。此外,它会请求“完全磁盘访问”权限,并故意延迟此类权限请求长达40分钟,以避免与启动行为产生关联,从而混淆安全分析。

行业启示

  • 防御体系需转向原生API监控:由于恶意软件越来越多地利用macOS原生接口(如PAM、JXA)进行隐蔽操作,传统依赖监控外部进程或网络调用的安全方案可能失效。安全厂商应加强对原生API异常调用的检测和审计能力。
  • 警惕新型社会工程学载体:攻击者正结合脚本编辑器诱饵和特定的键盘快捷键(如Command-R)来绕过用户直觉和安全机制。企业和用户教育应重点关注此类非传统安装流程的欺诈行为,强调对未知来源脚本文件的谨慎处理。
  • macOS生态安全态势升级:随着Rust等高性能语言在恶意软件中的出现以及更复杂的隐蔽技术,macOS不再是安全的避风港。安全团队需要更新威胁情报库,针对这类“安静”且高度定制化的窃密工具建立专门的检测规则和响应预案。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Research 科学研究