PamStealer macOS malware uses PAM checks to steal passwords
Jamf says the newly identified stealer hides behind a fake Maccy installer and verifies victims’ Mac passwords locally before sending them out.
By James Whitfield · Staff Writer
3 min read
Security researchers at Jamf have identified a previously unreported macOS credential stealer that uses Apple’s own Pluggable Authentication Modules interface to confirm a victim’s login password before exfiltrating it. The malware, which Jamf calls PamStealer, shows how Mac-focused stealers are adopting quieter delivery and validation methods that can leave fewer obvious traces for defenders.
According to Jamf, PamStealer arrives in two stages. The first stage is distributed as a disk image posing as Maccy, a legitimate clipboard manager for macOS, and relies on an AppleScript file that delivers a second-stage infostealer written in Rust.
Jamf said the lure instructs users to open the AppleScript in macOS Script Editor and press Command-R, which runs the script. Because the malicious code then executes inside Script Editor, an Apple-signed application, rather than as a launched download, the Gatekeeper checks tied to the com.apple.quarantine attribute (which macOS uses to warn about and restrict files downloaded from the internet) are never triggered for it.
How the infection chain hides
AppleScript and disk images are common in Mac malware, Jamf said, but PamStealer combines them with less common steps. Instead of shelling out to tools such as curl or zsh to fetch the next payload, the first stage runs a JavaScript for Automation (JXA) downloader that reaches native Objective-C APIs through JXA's Objective-C bridge to retrieve and stage the malware, so no separate network utility shows up as a child process.
The first stage places its payload inside an app bundle that imitates real macOS components, according to Jamf. Samples observed by the company used names such as Finder.app under com.apple.finder.core or com.apple.finder.monitor, and Software Update.app under com.apple.security.daemon. Jamf said those components run hidden and use Apple's real Finder.icns icon. The genuine Finder is an Apple-signed bundle at /System/Library/CoreServices/Finder.app, so a Finder.app anywhere else is a straightforward red flag for defenders.
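The masquerading bundle names above lend themselves to a simple on-disk sweep. The script below is an added illustration, not Jamf's tooling or anything from the PamStealer samples: it walks a directory tree and flags .app bundles that carry an Apple app name or a com.apple.* CFBundleIdentifier but sit outside the locations where Apple actually ships them, and it also generalises beyond the article to launchd plists with com.apple.* labels in user or /Library LaunchAgents directories (Apple's own live under /System/Library), a common persistence pattern the article does not attribute to PamStealer. The directory layout, bundle identifiers and the short allow-lists are constructed for the demo; point scan_tree at "/" with the same relative roots on a real Mac.

```python
"""Flag app bundles and launchd plists that masquerade as Apple components.

Added example, not Jamf's detection content. The sample tree built by
build_demo_tree() is constructed for the demo and mirrors the names reported
in the write-up; the allow-lists are short assumptions, extend them for a
real sweep."""
import os
import plistlib
import tempfile

# Names reported in the write-up; assumption: this short list is enough for a demo.
APPLE_APP_NAMES = {"Finder.app", "Software Update.app"}
# Where Apple ships its own app bundles and launchd plists (relative to the scan root).
APPLE_BUNDLE_ROOTS = ("System/Library/CoreServices", "System/Applications")
APPLE_LAUNCHD_ROOTS = ("System/Library/LaunchAgents", "System/Library/LaunchDaemons")


def _under(rel_path, roots):
    return any(rel_path == r or rel_path.startswith(r + "/") for r in roots)


def _read_plist(path):
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException, ValueError):
        return {}


def scan_tree(root):
    """Return sorted [(kind, relative_path, reason), ...] for suspicious items under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel_dir == ".":
            rel_dir = ""
        for d in list(dirnames):
            if not d.endswith(".app"):
                continue
            dirnames.remove(d)  # treat the bundle as one unit, do not descend into it
            rel = f"{rel_dir}/{d}" if rel_dir else d
            if _under(rel, APPLE_BUNDLE_ROOTS):
                continue  # genuine location for an Apple bundle
            info = _read_plist(os.path.join(dirpath, d, "Contents", "Info.plist"))
            bundle_id = str(info.get("CFBundleIdentifier", ""))
            # LSUIElement / LSBackgroundOnly keep the app out of the Dock and app switcher.
            hidden = bool(info.get("LSUIElement") or info.get("LSBackgroundOnly"))
            if d in APPLE_APP_NAMES:
                findings.append(("bundle", rel, f"Apple app name outside system paths (hidden={hidden})"))
            elif bundle_id.startswith("com.apple."):
                findings.append(("bundle", rel, f"claims Apple bundle id {bundle_id} outside system paths (hidden={hidden})"))
        if os.path.basename(dirpath) in ("LaunchAgents", "LaunchDaemons") and not _under(rel_dir, APPLE_LAUNCHD_ROOTS):
            for f in filenames:
                if not f.endswith(".plist"):
                    continue
                label = str(_read_plist(os.path.join(dirpath, f)).get("Label", ""))
                if label.startswith("com.apple.") or f.startswith("com.apple."):
                    findings.append(("launchd", f"{rel_dir}/{f}", f"Apple-style label {label or f} outside /System"))
    return sorted(findings)


def build_demo_tree(root):
    """Constructed sample layout (not a real infection) using the names from the write-up."""
    def app(rel, bundle_id, hidden=False):
        contents = os.path.join(root, rel, "Contents")
        os.makedirs(os.path.join(contents, "MacOS"), exist_ok=True)
        info = {"CFBundleIdentifier": bundle_id, "CFBundleIconFile": "Finder.icns"}
        if hidden:
            info["LSUIElement"] = True
        with open(os.path.join(contents, "Info.plist"), "wb") as fh:
            plistlib.dump(info, fh)

    def agent(rel, label):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            plistlib.dump({"Label": label, "RunAtLoad": True}, fh)

    app("System/Library/CoreServices/Finder.app", "com.apple.finder")          # genuine location, not flagged
    app("Applications/Maccy.app", "com.example.Maccy")                          # benign third-party app, placeholder id
    app("Users/victim/Library/Application Support/com.apple.finder.core/Finder.app", "com.apple.finder", hidden=True)
    app("Library/Application Support/com.apple.security.daemon/Software Update.app", "com.apple.SoftwareUpdate", hidden=True)
    agent("System/Library/LaunchAgents/com.apple.Finder.plist", "com.apple.Finder")   # genuine location, not flagged
    agent("Users/victim/Library/LaunchAgents/com.apple.finder.monitor.plist", "com.apple.finder.monitor")


def run_demo():
    """Build the constructed tree in a temp dir and return what the sweep flags."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for kind, path, reason in run_demo():
        print(f"[{kind}] {path}: {reason}")
```

The sweep deliberately keys on location rather than on icon or name alone: an attacker can copy Finder.icns and a plausible name, but cannot place a bundle under the sealed system volume. On a live system, follow any hit with `codesign -dv --verify` on the bundle; a genuine Apple component carries an Apple signature and a platform identifier.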
The second stage is a compact Mach-O binary built for Macs with Apple silicon, Jamf reported. The researchers said Rust remains less common for macOS infostealers than Swift, Go or Objective-C. According to Jamf, the binary also bundles its own SQLite read routines, so it can open database files directly in its own process instead of spawning a separate tool to query them.
Password prompt and data theft
PamStealer presents a native-looking password prompt that resembles a system authorization request. Jamf said the prompt text reads: “Maccy wants to make changes. Enter your password to allow this.” Genuine macOS authorization dialogs are drawn by the system's SecurityAgent on behalf of the requesting application, whereas this prompt is a window the malware draws itself; the two can be hard to tell apart by eye.
After a user enters a password, PamStealer validates it in its own process through macOS PAM, the same authentication interface that system tools such as sudo and login use, Jamf said. The company reported that the malware does not spawn common verification tools such as dscl, security or osascript for that step, which removes the child-process activity that defenders might otherwise spot.
If the password is wrong, Jamf said, the malware keeps asking until the user enters the correct one. Once validation succeeds, PamStealer displays a fake error message saying the file is damaged and cannot be installed, a decoy Jamf said is meant to lower suspicion.
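The detection consequence of the in-process PAM check is easiest to see against process telemetry. The example below is added here and is not Jamf's detection content: it runs three rules over constructed, Endpoint-Security-shaped exec events (path, args, is_platform_binary; not captured telemetry). Two rules encode the older, noisier patterns, osascript drawing a dialog with a hidden answer field and a dscl or security child verifying the typed password. A PamStealer-style process trips neither, because the validation never leaves its own process; what still catches it here is a third rule that has nothing to do with the password step, an Apple-looking executable name on a non-platform binary. The binary name list is a short assumption for the demo.

```python
"""Rule pass over process-exec telemetry showing what classic password-prompt
detections catch and why an in-process PAM check is not among them.

Added example, not Jamf's detection content. SAMPLE_EVENTS are constructed
dicts loosely shaped like Endpoint Security exec events; they are not
captured telemetry."""
import re

# Older, noisier ways Mac stealers verify a typed password.
HIDDEN_ANSWER = re.compile(r"display dialog.*with hidden answer", re.I)
DSCL_AUTHONLY = re.compile(r"^dscl\s+\S+\s+-authonly\b", re.I)
SECURITY_KEYCHAIN = re.compile(r"^security\s+(unlock-keychain|find-(generic|internet)-password)\b", re.I)

# Executable names the genuine Apple components use; assumption: a short demo list.
APPLE_BINARY_NAMES = {"Finder", "Software Update", "SecurityAgent"}


def _exe_name(ev):
    return ev["path"].rsplit("/", 1)[-1]


def rule_fake_prompt(ev):
    """osascript building a password dialog with a hidden answer field."""
    return _exe_name(ev) == "osascript" and bool(HIDDEN_ANSWER.search(" ".join(ev["args"])))


def rule_child_validator(ev):
    """Password verification handed to dscl or security in a child process."""
    cmd = " ".join(ev["args"])
    name = _exe_name(ev)
    return bool((name == "dscl" and DSCL_AUTHONLY.search(cmd))
                or (name == "security" and SECURITY_KEYCHAIN.search(cmd)))


def rule_impersonates_apple(ev):
    """Executable named like an Apple component but not an Apple platform binary."""
    return _exe_name(ev) in APPLE_BINARY_NAMES and not ev.get("is_platform_binary", False)


RULES = {
    "fake_password_prompt": rule_fake_prompt,
    "child_process_password_check": rule_child_validator,
    "apple_name_non_platform_binary": rule_impersonates_apple,
}


def evaluate(events):
    """Return {pid: [rule names]} for every event that trips at least one rule."""
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits[ev["pid"]] = fired
    return hits


# Constructed events (not real telemetry). Each comment says what it stands in for.
SAMPLE_EVENTS = [
    # Genuine Finder: Apple platform binary from its real location. Should not fire.
    {"pid": 410, "ppid": 1,
     "path": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
     "args": ["Finder"], "is_platform_binary": True},
    # Classic stealer: osascript draws the password dialog with a hidden answer field.
    {"pid": 9001, "ppid": 8999, "path": "/usr/bin/osascript",
     "args": ["osascript", "-e",
              'display dialog "Enter your password" default answer "" with hidden answer'],
     "is_platform_binary": True},
    # Classic stealer: the typed password is verified through a dscl child.
    {"pid": 9002, "ppid": 8999, "path": "/usr/bin/dscl",
     "args": ["dscl", ".", "-authonly", "victim", "hunter2"], "is_platform_binary": True},
    # PamStealer-style: a hidden "Finder" under Application Support does the PAM
    # check in-process, so no osascript/dscl/security child ever appears.
    {"pid": 9100, "ppid": 9050,
     "path": "/Users/victim/Library/Application Support/com.apple.finder.core/Finder.app/Contents/MacOS/Finder",
     "args": ["Finder"], "is_platform_binary": False},
]


def run_demo():
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, fired in run_demo().items():
        print(pid, fired)
```

The lesson is in which rule fires for pid 9100: the first two rules, which many existing macOS stealer detections resemble, see nothing, so coverage for this family has to come from the delivery and masquerading artifacts (bundle location, platform-binary status, the Script Editor lure) rather than from the credential check itself.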
Jamf also found code meant to broaden what the malware can steal. The researchers said PamStealer can request Full Disk Access for the fake Maccy app, delay that prompt for as long as 40 minutes so it does not clearly coincide with launch, encrypt command-and-control traffic and include logic aimed at Ethereum accounts.
Jamf described the combination of a Script Editor lure, a self-contained JXA dropper, a Rust payload and PAM-based password validation as notable. The company said those choices show Mac stealers continuing to use native macOS features in ways that reduce common detection opportunities.
This story draws on original reporting from Ars Technica.