AI Security AI安全 7d ago Updated 7d ago 更新于 7天前 35

PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords PamStealer 利用伪造的 Maccy 网站和 PAM 检查来窃取 Mac 登录密码

PamStealer is a sophisticated macOS information stealer discovered by Jamf Threat Labs that uses a fake Maccy clipboard manager site to distribute malware disguised as a legitimate AppleScript. The malware employs a two-stage attack: an initial AppleScript dropper performs environment fingerprinting (checking for Apple Silicon, specific locales, and non-sandboxed environments) to decrypt and download a Rust-based payload. The core stealer utilizes macOS Pluggable Authentication Modules (PAM) to PamStealer是一种新型macOS信息窃取者,通过伪装成合法剪贴板管理工具Maccy的AppleScript文件进行分发。 恶意软件利用macOS PAM模块在本地验证用户登录密码,确保证据有效性后窃取数据并建立持久化。 攻击者采用双阶段载荷,第一阶段为环境指纹识别脚本,仅针对Apple Silicon设备执行,规避Intel及沙箱环境。 第二阶段Rust二进制文件伪装成Finder应用,窃取浏览器数据、加密货币钱包及iCloud凭据,并通过HTTP外传。 该恶意软件利用伪造的Gatekeeper警告作为诱饵,诱导受害者删除文件以掩盖后台已完成的持久化操作。

50
Hot 热度
50
Quality 质量
50
Impact 影响力

Analysis 深度分析

TL;DR

  • PamStealer is a sophisticated macOS information stealer discovered by Jamf Threat Labs that uses a fake Maccy clipboard manager site to distribute malware disguised as a legitimate AppleScript.
  • The malware employs a two-stage attack: an initial AppleScript dropper performs environment fingerprinting (checking for Apple Silicon, specific locales, and non-sandboxed environments) to decrypt and download a Rust-based payload.
  • The core stealer utilizes macOS Pluggable Authentication Modules (PAM) to validate stolen login passwords locally, ensuring only correct credentials are exfiltrated along with browser data, crypto wallets, and iCloud Keychain info.
  • To evade detection and user suspicion, the malware displays a counterfeit Gatekeeper error message ("damaged and can't be opened") after successfully capturing credentials, tricking victims into discarding the malicious file.

Why It Matters

This threat highlights a significant shift in macOS malware tactics toward "quiet" execution chains that leverage native OS features like PAM and AppleScript to bypass traditional security controls and user awareness. For security practitioners, it underscores the critical importance of verifying software sources beyond domain names, as attackers are increasingly using lookalike domains and native scripting languages to evade Gatekeeper and Terminal warnings.

Technical Details

  • Delivery Mechanism: Distributed via a fake website (maccyapp.com) hosting a disk image containing a compiled AppleScript (.scpt) named Maccy.scpt, which acts as a JXA downloader.
  • Environment Fingerprinting: The dropper checks for Apple Silicon architecture, excludes Eastern European locales, and detects sandboxes; it derives a decryption key from system attributes (CPU, locale, timezone) to unlock the payload configuration.
  • Payload Execution: Downloads a Rust-based Mach-O binary masquerading as the Finder app, which harvests credentials, browser data, and clipboard content, then exfiltrates encrypted data to avenger-sync.live.
  • Credential Harvesting: Uses a native password prompt and validates inputs against the PAM API; loops until a valid password is provided, then displays a fake Gatekeeper error to mask the successful infection.
  • Persistence: Installs a secondary arm64 Mach-O binary impersonating macOS System Settings to maintain persistence on the infected device.

Industry Insight

  • Organizations must update endpoint detection and response (EDR) signatures to recognize PAM-based validation loops and unusual AppleScript behaviors that invoke native Objective-C APIs for downloading payloads.
  • Security awareness training should emphasize that legitimate software developers often issue public warnings about lookalike domains, and users should verify official URLs directly rather than relying solely on search engine results or bookmarks.
  • Developers of popular open-source tools like Maccy should consider implementing digital code signing verification mechanisms or official distribution channels that are harder to spoof, while users should enable strict application control policies to prevent unauthorized scripts from executing.

TL;DR

  • PamStealer是一种新型macOS信息窃取者,通过伪装成合法剪贴板管理工具Maccy的AppleScript文件进行分发。
  • 恶意软件利用macOS PAM模块在本地验证用户登录密码,确保证据有效性后窃取数据并建立持久化。
  • 攻击者采用双阶段载荷,第一阶段为环境指纹识别脚本,仅针对Apple Silicon设备执行,规避Intel及沙箱环境。
  • 第二阶段Rust二进制文件伪装成Finder应用,窃取浏览器数据、加密货币钱包及iCloud凭据,并通过HTTP外传。
  • 该恶意软件利用伪造的Gatekeeper警告作为诱饵,诱导受害者删除文件以掩盖后台已完成的持久化操作。

为什么值得看

PamStealer展示了macOS恶意软件向“静默执行”和原生技术滥用演进的显著趋势,特别是利用PAM进行本地密码验证而非简单明文抓取,提高了检测难度。对于安全从业者和企业IT管理员而言,此案例揭示了针对开发者工具和常用软件的仿冒攻击的新手法,强调了监控非标准AppleScript执行及异常网络外联的重要性。

技术解析

  • 初始访问与分发:攻击者托管仿冒网站(如maccyapp.com),提供包含编译AppleScript (.scpt) 的磁盘镜像。脚本利用JavaScript for Automation (JXA) 下载第二阶段载荷,并利用com.apple.quarantine属性绕过部分Gatekeeper限制。
  • 环境指纹与反分析:初始脚本包含严格的执行条件检查,仅当检测到Apple Silicon架构时才会解密并运行后续载荷。同时,脚本会排除Intel Mac、沙箱环境以及特定东欧国家(如俄罗斯、白俄罗斯等)的系统,以减少暴露风险。
  • 密码窃取机制:Rust编写的第二阶段载荷伪装成Finder,通过调用macOS Pluggable Authentication Modules (PAM) API本地验证用户输入的密码。若验证失败则循环提示,直到获取正确凭据,这种方式比传统键盘记录更难被常规安全软件察觉。
  • 数据收集与持久化:窃取范围涵盖浏览器数据、加密货币钱包扩展、iCloud Keychain及剪贴板内容。持久化通过伪装成System Settings的小型arm64 Mach-O二进制文件实现,最终将加密数据发送至攻击者控制的服务器(avenger-sync.live)。
  • 社会工程学防御:在数据窃取完成后,恶意软件显示伪造的Gatekeeper错误消息(“Maccy已损坏...”),误导用户认为安装失败并手动删除文件,从而清除表面痕迹,而恶意进程已在后台完成驻留。

行业启示

  • 警惕原生API滥用:攻击者正越来越多地利用macOS原生功能(如PAM、AppleScript、JXA)来执行恶意行为,传统的基于特征码的检测可能失效,需加强对系统级API调用的行为监控。
  • 软件供应链与仿冒威胁:针对知名开源工具(如Maccy)的仿冒网站和恶意分发渠道是高风险入口,企业和用户应严格验证官方来源,安全厂商需及时更新对仿冒域名和文件的威胁情报。
  • 强化终端检测响应(EDR):鉴于PamStealer具备环境感知和反分析能力,建议部署具备行为分析能力的EDR解决方案,重点关注异常的脚本执行、非预期的网络外联以及伪装成系统进程的恶意活动。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。