Researchers have found a never-before-seen piece of macOS malware that combines a number of clever techniques to infect Macs with stealthy, custom-developed credential-stealing code.
The malware is delivered in two stages. The first is distributed in a disk image that masquerades as Maccy, a clipboard manager for Mac. It is compiled as AppleScript and stands out for the way it delivers the second stage. The malware is called PamStealer because the second-stage information stealer, written in Rust, uses the pluggable authentication modules (PAM) interface built into macOS to validate the target's login password before sending it to a server controlled by the attacker.
A quieter execution chain
The use of both a disk image and AppleScript is common in Mac malware. More unusual is the way PamStealer combines them to gain stealth. When an AppleScript file is double-clicked, it opens in the macOS Script Editor, where the malicious functionality is hidden deep in the file.
