Newly discovered PamStealer isn't your typical macOS malware

Researchers have found a previously unseen piece of macOS malware that combines several clever pieces of tradecraft to infect Macs with custom-built, covert credential-stealing code.

The malware is delivered in two stages. The first stage arrives in a disk image that masquerades as Maccy, a clipboard manager for Mac. It is a compiled AppleScript, and it is notable for the way it delivers the second stage. The malware is named PamStealer because the second-stage infostealer, written in Rust, uses the Pluggable Authentication Module (PAM) interface built into macOS to verify that the password it has collected is the target's real login password before sending it to an attacker-controlled server. A stealer that validates through PAM first does not have to guess or forward junk; only a working credential is exfiltrated.

A clever execution chain

Disk images and AppleScript are both common in Mac malware. What is unusual is how PamStealer combines them to stay stealthy. When the AppleScript is double-clicked, it opens in the macOS Script Editor, and the malicious functionality is buried deep within the file, where a user glancing at the script would be unlikely to see it.
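The chain described above (disk image, AppleScript stage one, native stage two that authenticates through PAM and then phones home) can be turned into a simple hunting heuristic over endpoint process telemetry. The following is an added example, not code from the article or from the researchers who analyzed PamStealer. The event records and their field names (pid, parent, image path, imported symbols, outbound connections) are a constructed, simplified stand-in for what a macOS endpoint sensor would report, not any product's real schema; the paths, the mount name "/Volumes/Maccy" and the address 203.0.113.10 are likewise constructed sample data.

```python
"""Hunting heuristic for a PamStealer-style execution chain.

Added example; not the article's or the malware researchers' code.
Event fields and sample data are constructed assumptions, not a real
sensor schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Processes that host AppleScript execution on macOS.
APPLESCRIPT_HOSTS = {"osascript", "applet", "Script Editor"}

# Symbols a binary must import to verify a password through PAM.
PAM_SYMBOLS = {"pam_start", "pam_authenticate", "pam_end"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    name: str                                        # executable name
    path: str                                        # full image path
    imports: Set[str] = field(default_factory=set)   # imported symbols (assumed field)
    connects_to: List[str] = field(default_factory=list)  # remote hosts (assumed field)


def on_disk_image(path: str) -> bool:
    # Mounted DMGs appear under /Volumes; the boot volume does not.
    return path.startswith("/Volumes/")


def signals(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Return the list of suspicious signals observed for one process."""
    out: List[str] = []
    parent = by_pid.get(ev.ppid)
    if parent is not None and parent.name in APPLESCRIPT_HOSTS:
        out.append("parent is an AppleScript host")
    if on_disk_image(ev.path) or (parent is not None and on_disk_image(parent.path)):
        out.append("runs from, or was launched from, a mounted disk image")
    uses_pam = bool(PAM_SYMBOLS & ev.imports)
    if uses_pam:
        out.append("imports PAM authentication symbols")
    if uses_pam and ev.connects_to:
        # PAM use alone is legitimate (sudo, login, screen lock); PAM plus
        # an outbound connection is the combination that matters here.
        out.append("PAM user with outbound connections to " + ", ".join(ev.connects_to))
    return out


def hunt(events: List[ProcEvent], threshold: int = 3) -> List[Tuple[int, List[str]]]:
    """Flag processes that accumulate at least `threshold` signals."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        s = signals(ev, by_pid)
        if len(s) >= threshold:
            hits.append((ev.pid, s))
    return hits


# Constructed sample telemetry: one infection chain and one benign PAM user.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "Finder", "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"),
    # stage one: compiled AppleScript applet opened from the fake Maccy disk image
    ProcEvent(200, 100, "applet", "/Volumes/Maccy/Maccy.app/Contents/MacOS/applet"),
    # stage two: native infostealer dropped and launched by the applet
    ProcEvent(201, 200, "updater", "/Users/alice/Library/Caches/updater",
              imports={"pam_start", "pam_authenticate", "pam_end", "connect"},
              connects_to=["203.0.113.10"]),
    # benign PAM user: sudo launched from a shell, no network activity
    ProcEvent(300, 1, "zsh", "/bin/zsh"),
    ProcEvent(301, 300, "sudo", "/usr/bin/sudo",
              imports={"pam_start", "pam_authenticate", "pam_end"}),
]

if __name__ == "__main__":
    for pid, why in hunt(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(why))
```

Running it flags only the second-stage process (pid 201): it was spawned by an AppleScript host that itself ran from a mounted disk image, it imports the PAM symbols, and it opens an outbound connection. sudo also imports PAM but scores a single signal, which is the point of scoring the combination rather than alerting on PAM use by itself.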
