
New PamStealer macOS malware uses clever tradecraft to remain stealthy - Ars Technica

1 hour ago
8 min read
Andrei Miroslavescu
LOCAL VALIDATION FOR STOLEN PASSWORDS

Newly discovered PamStealer isn't your typical macOS malware

The discovery underscores the increased effort being poured into Mac infostealers.

Researchers have found a never-before-seen piece of macOS malware that combines a series of clever tradecraft techniques to infect Macs with stealthy, custom-developed credential-stealing code.

The malware is delivered in two stages. The first is distributed in a disk image that masquerades as Maccy, a clipboard manager for Macs. It's compiled as AppleScript that is notable for the way it delivers the second stage. The malware is named PamStealer because the Rust-written infostealer uses the Pluggable Authentication Modules (PAM) interface built into macOS to validate the target's login password before sending it to an attacker-controlled server.

The use of both a disk image and AppleScript is common in malware for Macs. More unusual is the way PamStealer combines them to gain stealth. When the AppleScript is double-clicked, it's opened in the macOS Script Editor, where the malicious functionality is buried deep within the file.

"Rather than relying on shell commands such as curl or zsh, the AppleScript executes a self-contained JavaScript for Automation (JXA) downloader that retrieves and stages the payload using native Objective-C APIs," researchers from Jamf, a security firm for macOS users, wrote. "Combined with a Rust-based second stage and a password capture workflow that validates credentials locally through PAM, the result is a quieter execution chain than we typically observe in commodity macOS stealers."

When a user, expecting to install a trustworthy clipboard manager, encounters the disk image, they're prompted to press Command-R immediately after double-clicking it. This command executes the malicious code inside the AppleScript directly. It also allows the execution to bypass com.apple.quarantine, a macOS attribute that provides warnings and restrictions when executable files have been downloaded from the Internet.

PamStealer combines a recently emerging delivery surface with a less familiar payload. While the clickable .scpt and Script Editor lure build on tradecraft that is already gaining adoption across the macOS threat landscape, the malware distinguishes itself through a self-contained JXA dropper, a Rust-based second stage, and a password capture workflow that validates credentials locally through PAM before harvesting them. That second stage puts considerable effort into staying hidden, masquerading as Finder, encrypting its command-and-control traffic, and holding back prompts like the Full Disk Access request for as long as forty minutes so its activity does not line up with launch. Together, these behaviors illustrate how commodity macOS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard macOS features.

The first stage puts its payload inside an app bundle that impersonates real components built into macOS. The impersonated component changes from sample to sample: a Finder.app under com.apple.finder.core or com.apple.finder.monitor, and a Software Update.app under com.apple.security.daemon, are two examples. In either case, they run hidden, and they display macOS's genuine Finder.icns as their icon.

The second stage is a lean Mach-O file written for Macs running on Apple CPUs. The attacker's choice to write it in Rust is relatively uncommon for macOS infostealers; more common are languages such as Swift, Go, and Objective-C. This binary calls the read interface of a bundled SQLite app, which allows the infostealer to read database files directly.

PamStealer shows a native password prompt designed to resemble a system authorization request. Text that appears with the prompt says: "Maccy wants to make changes. Enter your password to allow this." As noted earlier, once a target complies, the malware validates the password locally through the PAM API.

"This check is done entirely through PAM: there is no call out to dscl, security, osascript or any spawned process to verify the password, as many commodity macOS stealers do," Jamf said. "The result is a quieter routine that keeps only a verified password, and one fewer process chain for defenders to detect on."

If the validation fails, PamStealer displays the prompt again until it receives the correct password. Once the target enters the correct password, PamStealer displays a message stating that the file is damaged and can't be installed. This decoy is designed to prevent the target from suspecting anything is amiss.

The malware uses additional tactics to maximize the information it can steal. One is to request that the target grant Full Disk Access to the fake Maccy app. It also contains code designed to access Ethereum accounts.

The various techniques, particularly the Script Editor lure, the self-contained JXA dropper, the Rust-based second stage, and the local validation of credentials through PAM, are all noteworthy. "Together, these behaviors illustrate how commodity macOS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard macOS features," Jamf said.
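A defender-side triage check built from the bundle identifiers the article lists (an added example, not code from Ars Technica or Jamf): it parses an app bundle's Info.plist and flags the reported PamStealer identifiers, any com.apple.* identifier living outside Apple-owned paths, and the reuse of the Finder icon. The sample plists are constructed, and the hidden-app keys (LSUIElement, LSBackgroundOnly) and the list of Apple path roots are my own heuristics rather than something the article attributes to PamStealer.

```python
import plistlib

# Bundle identifiers the article reports PamStealer's first stage using for its
# fake Finder.app and Software Update.app (values quoted from the write-up).
PAMSTEALER_BUNDLE_IDS = {
    "com.apple.finder.core",
    "com.apple.finder.monitor",
    "com.apple.security.daemon",
}
# Assumption: genuine Apple bundles live under these roots on a stock install,
# so a com.apple.* identifier anywhere else is worth a second look.
APPLE_ROOTS = ("/System/", "/Library/Apple/", "/usr/")


def assess_bundle(bundle_path: str, info_plist: bytes) -> list[str]:
    """Return the indicators found for one app bundle (empty list = nothing seen)."""
    info = plistlib.loads(info_plist)
    bundle_id = info.get("CFBundleIdentifier", "")
    outside_apple = not bundle_path.startswith(APPLE_ROOTS)
    findings = []
    if bundle_id in PAMSTEALER_BUNDLE_IDS:
        findings.append(f"known PamStealer bundle id {bundle_id}")
    if bundle_id.startswith("com.apple.") and outside_apple:
        findings.append(f"Apple bundle id {bundle_id} outside Apple-owned paths")
    # Generic heuristic: apps that run without a Dock icon. The article says the
    # stage runs hidden but does not name the mechanism, so this is my addition.
    if info.get("LSUIElement") or info.get("LSBackgroundOnly"):
        findings.append("configured to run without a Dock icon")
    if info.get("CFBundleIconFile", "").startswith("Finder") and outside_apple:
        findings.append("reuses the Finder icon outside Apple-owned paths")
    return findings


def scan(bundles: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each bundle path to its indicators, keeping only bundles that hit."""
    report = {path: assess_bundle(path, plist) for path, plist in bundles.items()}
    return {path: hits for path, hits in report.items() if hits}


# Constructed sample Info.plist files: one modelled on the lure described in the
# article, one modelled on the genuine Finder. Neither is a real sample.
FAKE_FINDER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.finder.core</string>
  <key>CFBundleIconFile</key><string>Finder.icns</string>
  <key>LSUIElement</key><true/>
</dict></plist>"""
REAL_FINDER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.finder</string>
  <key>CFBundleIconFile</key><string>Finder.icns</string>
</dict></plist>"""
```

Run it over the Info.plist of every .app found under user-writable locations such as ~/Downloads and ~/Library, and treat any hit on the known identifiers as a strong signal and the remaining heuristics as triage leads.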