
Pam Stealer Malware Evades macOS Security with Clever Tricks

Ars Technica

Researchers have identified a new macOS malware dubbed Pam Stealer, which uses sophisticated techniques to steal user credentials stealthily. This infostealer operates in two stages, beginning with a disk image disguised as a popular clipboard manager. The initial AppleScript cleverly bypasses macOS security features such as the com.apple.quarantine extended attribute that Gatekeeper relies on to flag downloaded files.

Pam Stealer distinguishes itself by using a JavaScript for Automation (JXA) downloader that calls native Objective-C APIs directly, avoiding the shell commands that endpoint tooling commonly watches for. The second stage, written in Rust, uses macOS's Pluggable Authentication Modules (PAM) to validate login passwords locally before exfiltrating them. This process is designed for quiet execution, unlike typical commodity Mac stealers.

The malware further conceals its activity by masquerading as legitimate macOS components like Finder or Software Update. It delays intrusive prompts, such as Full Disk Access requests, for up to forty minutes, attempting to obscure its malicious actions. This discovery highlights the escalating sophistication of Mac-focused malware threats.
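One defensive check the masquerading described above suggests is a path-consistency rule: a process calling itself Finder or Software Update should only ever run from that component's system location, so anything with one of those names executing from a user, temporary or mounted-volume path is worth flagging. The following is an added example written for this page, not code from the article or the researchers; the expected executable paths and the sample process list are assumptions constructed for illustration and should be baselined against your own fleet before use.

```python
"""Flag processes whose name claims to be a macOS system component but whose
executable does not live at that component's expected install location.

Added example for this page; EXPECTED_PATHS are assumed canonical locations
from a standard macOS layout, and SAMPLE is a constructed process list.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed canonical executable paths for the components named in the article.
EXPECTED_PATHS = {
    "Finder": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
    "Software Update": (
        "/System/Library/CoreServices/Software Update.app"
        "/Contents/MacOS/Software Update"
    ),
}

# Locations a genuine system component never executes from.
SUSPICIOUS_PREFIXES = (
    "/Users/",
    "/private/tmp/",
    "/tmp/",
    "/Volumes/",        # mounted disk images, as in the clipboard-manager lure
    "/private/var/folders/",
)


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str   # process name as reported by the OS
    path: str   # full path of the executable backing the process


def classify(proc: Proc) -> str:
    """Return a verdict for one process.

    'ok'                  name matches and path is the expected system location
    'unknown-name'        name is not one we have an expectation for
    'masquerade-user-path'  impersonates a system component from a user/temp path
    'masquerade-other-path' impersonates a system component from elsewhere
    """
    expected = EXPECTED_PATHS.get(proc.name)
    if expected is None:
        return "unknown-name"
    if proc.path == expected:
        return "ok"
    if proc.path.startswith(SUSPICIOUS_PREFIXES):
        return "masquerade-user-path"
    return "masquerade-other-path"


def find_masquerading(procs: Iterable[Proc]) -> List[Tuple[int, str, str, str]]:
    """Return (pid, name, path, verdict) for every process that impersonates
    a known system component, preserving input order."""
    hits = []
    for p in procs:
        verdict = classify(p)
        if verdict.startswith("masquerade-"):
            hits.append((p.pid, p.name, p.path, verdict))
    return hits


# Constructed sample: one legitimate Finder, two impostors, one unrelated process.
SAMPLE = [
    Proc(101, "Finder", EXPECTED_PATHS["Finder"]),
    Proc(2042, "Finder", "/Users/alice/Library/Application Support/.cache/Finder"),
    Proc(2077, "Software Update",
         "/Volumes/ClipboardPro/ClipboardPro.app/Contents/MacOS/Software Update"),
    Proc(3000, "Terminal",
         "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
]


if __name__ == "__main__":
    for pid, name, path, verdict in find_masquerading(SAMPLE):
        print(f"pid={pid} name={name!r} verdict={verdict} path={path}")
```

On a live host the process list can be populated from `ps -axo pid=,comm=`, which on macOS prints the executable path in the `comm` column; the rule is deliberately strict (exact path match) so that a copied or renamed binary anywhere else trips it, at the cost of needing the expected paths re-baselined after major OS updates.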