PamStealer: New macOS Malware Mimics Legitimate App, Exploits PAM for Credential Theft
A sophisticated new information stealer, dubbed **PamStealer**, has emerged, targeting macOS users. Disguised as the popular open-source clipboard manager **Maccy**, this malware employs a multi-stage attack, leveraging AppleScript and Rust to bypass security measures and exfiltrate sensitive data, including system passwords validated via the macOS Pluggable Authentication Modules (**PAM**).
Cybersecurity researchers at **Jamf Threat Labs** have uncovered a novel macOS information stealer named **PamStealer**. This threat distinguishes itself through a series of clever techniques designed to infect systems and siphon sensitive user data.
### Deceptive Distribution and Multi-Stage Attack
**PamStealer** is distributed as a compiled AppleScript (.scpt) file, cunningly impersonating **Maccy**, a legitimate and widely used open-source clipboard manager. The malware's name, **PamStealer**, highlights its ability to validate the victim's login password through the macOS **PAM** framework before capturing it.
The attack unfolds in two distinct stages. Initially, a compiled AppleScript, embedded within a disk image, acts as a downloader for a subsequent payload. This secondary artifact is a Rust-based infostealer, equipped with capabilities for credential theft, browser data collection, establishing persistence, and data exfiltration.
### Initial Access and Execution Bypass
The primary vector for this malware is a deceptive lookalike website, "maccyapp[.]com," which closely mimics the official **Maccy** site, "maccy[.]app." The AppleScript file, "Maccy.scpt," found within the malicious disk image, executes a self-contained JavaScript for Automation (JXA) downloader. This downloader then fetches and stages the stealer payload by leveraging native Objective-C APIs.
Notably, once launched via the Script Editor, the script displays instructions prompting users to run it using the "⌘ + R" keyboard shortcut or by clicking the Run button. This action triggers the execution of malicious logic hidden beneath a large block of empty lines within the file.
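As an added example (not code from Jamf's report or from the Maccy project), a small static-triage heuristic in Python that flags a decompiled script whose code resumes only after a long run of empty lines, the padding trick described above. The sample script text and the 50-line threshold are constructed assumptions; on macOS the real input would be the output of `osadecompile` run against the suspect .scpt file.

```python
from typing import NamedTuple

# Constructed sample standing in for a decompiled .scpt: a harmless-looking
# visible preamble, hundreds of empty lines, then code that a reader only
# sees after scrolling far past the instructions shown in Script Editor.
SAMPLE_SCRIPT = (
    'display dialog "Press Cmd+R or click Run to install Maccy"\n'
    + "\n" * 400
    + "-- (constructed) hidden downloader logic would begin here\n"
    + 'do shell script "true"\n'
)

class HiddenTail(NamedTuple):
    blank_run: int    # length of the longest run of whitespace-only lines
    run_start: int    # 1-based line number where that run begins (0 if none)
    lines_after: int  # non-empty lines that follow the run

def find_hidden_tail(text: str) -> HiddenTail:
    """Locate the longest run of empty lines and count the code that follows it."""
    lines = text.splitlines()
    best_len, best_start = 0, 0
    run_len, run_start = 0, 0
    for idx, line in enumerate(lines, start=1):
        if line.strip() == "":
            if run_len == 0:
                run_start = idx
            run_len += 1
            if run_len > best_len:
                best_len, best_start = run_len, run_start
        else:
            run_len = 0
    if best_len == 0:
        return HiddenTail(0, 0, 0)
    tail = lines[best_start - 1 + best_len:]
    return HiddenTail(best_len, best_start, sum(1 for l in tail if l.strip()))

def is_suspicious(text: str, max_blank_run: int = 50) -> bool:
    """Flag a script that resumes with code after more empty lines than a user would scroll past."""
    tail = find_hidden_tail(text)
    return tail.blank_run >= max_blank_run and tail.lines_after > 0

if __name__ == "__main__":
    print(find_hidden_tail(SAMPLE_SCRIPT), is_suspicious(SAMPLE_SCRIPT))
```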
According to security researcher **Thijs Xhaflaire**, "Notably, this works even when the file still carries the com.apple.quarantine attribute, which is what makes the approach attractive to attackers as Apple continues to tighten Gatekeeper and Terminal." He adds, "Combined with a Rust-based second stage and a password capture workflow that validates credentials locally through PAM, the result is a quieter execution chain than we typically observe in commodity macOS stealers."
### Environment Awareness and Evasion
The AppleScript dropper incorporates sophisticated environment-aware features. It proceeds with execution only after fingerprinting the host and confirming it's running on **Apple Silicon**. This is achieved by deriving a key based on the host's fingerprint, which includes details like CPU architecture, locale, keyboard layout, and time zone. This key is then used to unlock an encrypted configuration containing the payload URL and install path.
On Intel-based Macs, the derived decryption key differs, preventing the configuration from being decoded and terminating the dropper. The script also evades execution within sandboxed or analysis environments, as well as on systems where the time zone, system locale, and keyboard input resolve to countries in Eastern Europe, including Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, and Georgia.
### Data Harvesting and Persistence
Upon successful environmental checks, the script connects to an external server to download a **Mach-O** binary written in Rust. This binary masquerades as the Finder app and is responsible for harvesting data from various sources, including web browsers, cryptocurrency wallet extensions, **iCloud Keychain**, and clipboard content. The stolen information is then encrypted and exfiltrated to attacker-controlled infrastructure ("avenger-sync[.]live") via an outbound HTTP request.
Beyond coercing users into granting full file system access, the stealer presents a native password prompt to collect the victim's system password. It then validates the entered password using the **PAM** API. If the validation fails, it repeatedly prompts the user for the correct password until it is supplied.
**Jamf** explains, "Once a valid password is captured, the stealer shows a second, counterfeit alert: 'Maccy is damaged and can't be opened. You should move it to the Trash,' a close copy of the genuine Gatekeeper message." They clarify, "This is a decoy. By the time it appears, the payload has already run, captured the password and registered for persistence, so the message serves only to make the victim discard the lure and assume the download was broken."
The Rust binary also contains a small arm64 **Mach-O** that impersonates macOS System Settings, used to establish persistence on the compromised system.
### Developer's Warning and Ongoing Evolution
In response to this development, **Alex Rodionov**, the developer of **Maccy**, has updated their website and GitHub repository to include a prominent warning. Users are urged to avoid fake websites impersonating the tool. Rodionov states, "Beware of fake websites impersonating Maccy. Malicious sites (such as maccyapp[.]net and maccyapp[.]com) distribute malware disguised as Maccy. Maccy[.]app is the only official website."
**Jamf** concludes, "Together, these behaviors illustrate how commodity macOS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard macOS features."
