PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords
PamStealer is a sophisticated macOS information stealer discovered by Jamf Threat Labs that uses a fake Maccy clipboard manager site to distribute malware disguised as a legitimate AppleScript. The malware employs a two-stage attack: an initial AppleScript dropper performs environment fingerprinting (checking for Apple Silicon, specific locales, and non-sandboxed environments) to decrypt and download a Rust-based payload. The core stealer utilizes macOS Pluggable Authentication Modules (PAM) to
Analysis
TL;DR
- PamStealer is a sophisticated macOS information stealer discovered by Jamf Threat Labs that uses a fake Maccy clipboard manager site to distribute malware disguised as a legitimate AppleScript.
- The malware employs a two-stage attack: an initial AppleScript dropper performs environment fingerprinting (checking for Apple Silicon, specific locales, and non-sandboxed environments) to decrypt and download a Rust-based payload.
- The core stealer utilizes macOS Pluggable Authentication Modules (PAM) to validate stolen login passwords locally, ensuring only correct credentials are exfiltrated along with browser data, crypto wallets, and iCloud Keychain info.
- To evade detection and user suspicion, the malware displays a counterfeit Gatekeeper error message ("damaged and can't be opened") after successfully capturing credentials, tricking victims into discarding the malicious file.
Why It Matters
This threat highlights a significant shift in macOS malware tactics toward "quiet" execution chains that leverage native OS features like PAM and AppleScript to bypass traditional security controls and user awareness. For security practitioners, it underscores the critical importance of verifying software sources beyond domain names, as attackers are increasingly using lookalike domains and native scripting languages to evade Gatekeeper and Terminal warnings.
Technical Details
- Delivery Mechanism: Distributed via a fake website (maccyapp.com) hosting a disk image containing a compiled AppleScript (.scpt) named Maccy.scpt, which acts as a JXA downloader.
- Environment Fingerprinting: The dropper checks for Apple Silicon architecture, excludes Eastern European locales, and detects sandboxes; it derives a decryption key from system attributes (CPU, locale, timezone) to unlock the payload configuration.
- Payload Execution: Downloads a Rust-based Mach-O binary masquerading as the Finder app, which harvests credentials, browser data, and clipboard content, then exfiltrates encrypted data to avenger-sync.live.
- Credential Harvesting: Uses a native password prompt and validates inputs against the PAM API; loops until a valid password is provided, then displays a fake Gatekeeper error to mask the successful infection.
- Persistence: Installs a secondary arm64 Mach-O binary impersonating macOS System Settings to maintain persistence on the infected device.
Industry Insight
- Organizations must update endpoint detection and response (EDR) signatures to recognize PAM-based validation loops and unusual AppleScript behaviors that invoke native Objective-C APIs for downloading payloads.
- Security awareness training should emphasize that legitimate software developers often issue public warnings about lookalike domains, and users should verify official URLs directly rather than relying solely on search engine results or bookmarks.
- Developers of popular open-source tools like Maccy should consider implementing digital code signing verification mechanisms or official distribution channels that are harder to spoof, while users should enable strict application control policies to prevent unauthorized scripts from executing.
Disclaimer: The above content is generated by AI and is for reference only.