Researchers have discovered a new macOS malware named PamStealer that combines several techniques to steal credentials stealthily. It is delivered in two stages: first as a disk image masquerading as an application called Maccy, followed by a second stage executed via AppleScript and Rust. The malware validates the user's login password through the Pluggable Authentication Modules (PAM) interface, gathering data from the system without raising alarms.
Key features include using an AppleScript to launch malicious JavaScript, disguising itself as legitimate macOS components, and presenting a system-like password prompt. The malware demonstrates advanced evasion tactics, such as encrypting communication and delaying prompts to avoid detection. Notably, it suppresses warning signals typically associated with downloaded executables on macOS. PamStealer signifies a concerning evolution in macOS malware, employing innovative methods to remain hidden and effective.