
New PamStealer Mac malware poses as a clipboard manager to steal your login info — how to stay safe


Security researchers who focus on Apple devices have discovered a new macOS malware that is unusually quiet about how it harvests data and login credentials.

According to Apple device-management and security firm Jamf (via Ars Technica), the new malware, dubbed PamStealer, reaches your Mac in two stages. First, it disguises itself as Maccy, a popular clipboard manager.

PamStealer arrives as a compiled AppleScript, and its second stage is written in Rust. That second stage uses the Pluggable Authentication Modules (PAM) interface built into macOS to validate the victim's login password, which is then sent to an attacker-controlled server.

What sets PamStealer apart is the way it combines an AppleScript with a disk image to get onto the machine quietly. Opening the AppleScript does not launch an application; it opens the file in the built-in macOS Script Editor, with the malicious code buried inside the script.

"Rather than relying on shell commands such as curl or zsh, the AppleScript executes a self-contained JavaScript for Automation (JXA) downloader that retrieves and stages the payload using native Objective-C APIs," the Jamf team wrote. "Combined with a Rust-based second stage and a password capture workflow that validates credentials locally through PAM, the result is a quieter execution chain than we typically observe in commodity macOS stealers."

How PamStealer works


When someone opens the fake Maccy disk image, they are told to press Command-R right away. In Script Editor, Command-R runs the open script, so that keystroke executes the malicious AppleScript. Because the code runs inside Apple's own Script Editor rather than launching as a downloaded application, it sidesteps the com.apple.quarantine check: that is the extended attribute macOS attaches to files downloaded from the internet so that Gatekeeper can warn about or block them when they are opened as executables.

The second stage is a Mach-O binary built specifically for Macs with Apple silicon (M-series) chips and written in Rust, a language Jamf notes is uncommon among macOS infostealers. It bundles its own SQLite read interface, so it can open and read database files directly instead of relying on external tools.

PamStealer then pops up a native-looking password prompt designed to resemble a system authorization request. It reads: "Maccy wants to make changes. Enter your password to allow this."

Once a password is entered, the malware checks it locally through the PAM API, which lets it confirm the credential is correct using a standard system interface and leaves fewer of the traces defenders typically watch for. With a valid password in hand, it can either give the attacker full disk access or inject code designed to reach Ethereum accounts.
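The chain above (a script host reaching out to the network, staging a Mach-O binary, spawning it, and then showing a password dialog) is what a detection engineer would want to correlate. The following is an added example, not code from the article or from Jamf: the Event schema, process names, file paths and process IDs are constructed for illustration, and the only real-world value is the maccyapp.com hostname Jamf reported. Map the fields onto your EDR's actual telemetry before using the logic.

```python
"""Correlate endpoint telemetry for a PamStealer-style chain: a script host
(Script Editor or osascript) that makes a network connection, writes a Mach-O
binary, executes it as a child, and shows a password dialog.

Added example; Event schema and sample events are constructed, not Jamf's data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Magic numbers at the start of a Mach-O file as stored on disk:
# 64-bit little-endian image (cf fa ed fe) and a universal/FAT header (ca fe ba be).
MACHO_MAGICS = {b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}
# Processes that execute AppleScript / JXA on macOS.
SCRIPT_HOSTS = {"Script Editor", "osascript"}


@dataclass
class Event:
    pid: int
    ppid: int
    process: str
    action: str          # one of: exec, network, file_write, dialog
    detail: str = ""     # remote host, file path, or dialog text
    header: bytes = b""  # first bytes of a written file, for file_write events


def is_macho(header: bytes) -> bool:
    return header[:4] in MACHO_MAGICS


def find_chain(events: Iterable[Event]) -> dict[str, str]:
    """Return {stage: reason} for every stage of the chain that was observed."""
    evs = list(events)
    stages: dict[str, str] = {}
    script_pids = {e.pid for e in evs if e.process in SCRIPT_HOSTS}

    hosts = sorted({e.detail for e in evs
                    if e.action == "network" and e.pid in script_pids})
    if hosts:
        stages["network"] = "script host made network connection(s): " + ", ".join(hosts)

    dropped = sorted({e.detail for e in evs
                      if e.action == "file_write" and e.pid in script_pids
                      and is_macho(e.header)})
    if dropped:
        stages["drop"] = "script host wrote Mach-O binary: " + ", ".join(dropped)

    child_pids = {e.pid for e in evs
                  if e.action == "exec" and e.ppid in script_pids and e.detail in dropped}
    if child_pids:
        stages["exec"] = "dropped Mach-O executed as a child of the script host"

    prompts = [e.detail for e in evs
               if e.action == "dialog" and e.pid in (child_pids | script_pids)
               and "enter your password" in e.detail.lower()]
    if prompts:
        stages["prompt"] = f"password prompt shown by the script chain: {prompts[0]!r}"
    return stages


def should_alert(events: Iterable[Event]) -> bool:
    """Alert once a script host both reaches the network and stages a Mach-O;
    the exec and prompt stages raise severity but are not required."""
    return {"network", "drop"} <= set(find_chain(events))


# Constructed telemetry modelled on the chain in the article. The hostname is the
# one Jamf reported; the path and PIDs are made up for this example.
MALICIOUS_EVENTS = [
    Event(501, 1, "Script Editor", "exec", "/System/Applications/Utilities/Script Editor.app"),
    Event(501, 1, "Script Editor", "network", "maccyapp.com"),
    Event(501, 1, "Script Editor", "file_write", "/tmp/.maccy_helper",
          b"\xcf\xfa\xed\xfe\x0c\x00\x00\x01"),   # MH_MAGIC_64 followed by CPU_TYPE_ARM64
    Event(777, 501, ".maccy_helper", "exec", "/tmp/.maccy_helper"),
    Event(777, 501, ".maccy_helper", "dialog",
          "Maccy wants to make changes. Enter your password to allow this."),
]

# Benign: a developer's script fetches documentation and saves a compiled .scpt
# (compiled AppleScript begins with the "FasdUAS" signature, not a Mach-O magic).
BENIGN_EVENTS = [
    Event(600, 1, "Script Editor", "network", "developer.apple.com"),
    Event(600, 1, "Script Editor", "file_write", "/Users/dev/test.scpt", b"FasdUAS 1.101.10"),
]

if __name__ == "__main__":
    for label, evs in (("malicious", MALICIOUS_EVENTS), ("benign", BENIGN_EVENTS)):
        print(label, should_alert(evs), find_chain(evs))
```

The alert fires on the first two stages on purpose: a script host that downloads and writes a native executable is already abnormal, and waiting for the password dialog would mean waiting until the credential has probably been captured.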

“Together, these behaviors illustrate how commodity macOS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard macOS features,” Jamf said.

How to stay safe from PamStealer


First and foremost, Maccy is a real, legitimate app, and a popular one. If you want to check it out, the only genuine website is maccy.app.

Jamf found the fake Maccy was being hosted at maccyapp.com, a site you should not visit.

Secondly, this is a good reminder to double- and triple-check website URLs. For macOS apps specifically, you can also check whether the app is available in the Mac App Store; Maccy, for instance, is there.
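The fake domain in this case folded the real domain's dot into the name (maccyapp.com standing in for maccy.app), which is easy to miss by eye. As an added example that is not part of the article or the Maccy project, the check below flags that folding trick and also close typos of the real domain; the allowlist holds only the real domain the article names, and the candidate hostnames and the www. handling are assumptions of the example.

```python
"""Spot hostnames that impersonate an allowlisted domain either by folding its
dot into the label (maccy.app -> maccyapp.com) or by a one-character typo.

Added example; LEGIT holds the real domain named in the article, everything
else here is constructed.
"""
import re
from urllib.parse import urlsplit

LEGIT = {"maccy.app"}


def host_of(target: str) -> str:
    """Accept a bare hostname or a full URL and return the normalised host."""
    if "://" not in target:
        target = "https://" + target
    host = (urlsplit(target).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def fold(name: str) -> str:
    """Drop dots, hyphens and anything non-alphanumeric: 'maccy.app' -> 'maccyapp'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, enough to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(target: str, legit: set = LEGIT) -> str:
    """'legitimate' for an exact allowlisted host; 'lookalike' when the folded
    host contains a folded legitimate domain; 'typosquat' when it is within one
    edit of one; otherwise 'unrelated'."""
    host = host_of(target)
    if host in legit:
        return "legitimate"
    folded = fold(host)
    keys = [fold(real) for real in legit]
    if any(key and key in folded for key in keys):
        return "lookalike"
    if any(edit_distance(folded, key) <= 1 for key in keys):
        return "typosquat"
    return "unrelated"


if __name__ == "__main__":
    # Constructed candidates: the real site, the reported fake, and two variants.
    for candidate in ("https://maccy.app/", "maccyapp.com", "maccy-app.net", "macy.app", "apple.com"):
        print(f"{candidate:24} {classify(candidate)}")
```

This is deliberately a coarse filter for a browser allowlist or a mail gateway: anything other than "legitimate" deserves a second look rather than a click, and the real public-suffix handling of a production brand-protection tool is out of scope here.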

Apple's ecosystem is still a fairly walled garden, so if you're looking for something and want to be sure it's real, I would recommend starting in the App Store before venturing into the hinterlands of the internet.

Beyond that, your Mac does come with built-in malware protection in the form of XProtect. But if you want extra coverage, it might be worth investing in one of the best Mac antivirus solutions to run alongside it.

This is a preview from the original publisher; the full article is at tomsguide.com.