PamStealer Targets Mac Users via Fake Maccy App
A new macOS malware named PamStealer steals login credentials by mimicking the popular Maccy clipboard tool. Security teams should monitor for unusual AppleScript executions and unauthorized PAM access.
TL;DR
- New macOS malware 'PamStealer' disguises itself as the open-source app Maccy.
- It's distributed as a malicious AppleScript file to steal login passwords.
- The malware abuses PAM checks to escalate privileges and extract credentials.
- Security researchers recommend monitoring for suspicious .scpt files and anomalous system access.
- Organizations using Mac endpoints should update detection rules and user awareness programs.
Cybercriminals continue to evolve their tactics on macOS, with a new information stealer called PamStealer now targeting users through social engineering and system-level exploitation. Disguised as the legitimate open-source utility Maccy, this malware leverages AppleScript to gain initial access and then escalates privileges to extract sensitive authentication data.
Once executed, PamStealer performs reconnaissance activities before attempting to access Protected Access Management (PAM) modules, which are used by macOS for authentication processes. This allows it to capture login credentials without triggering traditional antivirus alerts, making it particularly dangerous for both individual users and enterprise environments.
Infection Vector and Initial Compromise
- PamStealer is distributed as a compiled AppleScript (.scpt) file伪装成流行的开源剪贴板管理器Maccy。
- 用户被诱导从仿冒网站下载恶意脚本,这些网站模仿真实的Maccy项目页面。
- 该脚本在执行时不会立即触发明显的恶意行为,以规避基本的安全检测机制。
Credential Theft and Defense Recommendations
- 恶意软件通过滥用macOS中的PAM(可插拔认证模块)检查来窃取用户的登录凭据。
- 它会尝试读取系统认证日志并提取敏感的凭证信息用于后续攻击。
- 建议安全团队监控异常的AppleScript活动和对/etc/pam.d/目录的未授权访问。
- 终端用户应避免从未知来源安装应用程序,并验证下载链接的真实性。
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.