Beware: Fake Mac Clipboard App Caught Stealing Passwords

Fake Mac Clipboard App Delivers New Password-Stealing Malware

New Threats Targeting macOS: The Rise of PamStealer and Sophisticated Social Engineering

Cybersecurity researchers at Jamf Threat Labs have uncovered a sophisticated new threat targeting Apple users: a Rust-based infostealer dubbed “PamStealer.” This malicious software masquerades as the popular open-source clipboard manager, Maccy, and is designed to harvest sensitive data, including login credentials and cryptocurrency wallet keys.

How PamStealer Operates

The infection vector is a deceptive website that mimics the legitimate Maccy download page. Once the user downloads the disk image, they are prompted to run a malicious AppleScript file. Rather than shipping an application bundle, the page instructs the user to open the script in Apple's native Script Editor and run it from there, so the first stage executes inside a trusted Apple tool and attracts less scrutiny than an unknown binary would.

The malware earns its name from its authentication step. Before exfiltrating data, it uses the macOS Pluggable Authentication Modules (PAM) interface to check the captured password against the local account. By confirming that the password actually works, the attackers ensure they are harvesting valid credentials rather than typos.

Key technical features of this campaign include:
* Stealthy Execution: The malware is driven by JavaScript for Automation (JXA) and native macOS APIs rather than common command-line tools such as curl or zsh, so monitoring that keys on those binaries or their network activity sees nothing unusual.
* Environment-Specific Encryption: The payload is not stored in plaintext. The dropper derives its decryption key from a fingerprint of the host environment, including CPU architecture, time zone and keyboard layout, so the payload only decrypts, and therefore only runs, on a machine that matches the intended target. In an analysis sandbox with a different profile the key never materializes and the second stage stays opaque.
* Persistence and Exfiltration: Once active, the binary disguises itself as a system process like “Finder” or “Software Update,” allowing it to monitor the clipboard, scrape Keychain data, and transmit stolen information to a remote command-and-control (C2) server.

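One way to hunt for the process masquerade described in the last bullet, as an added example rather than code from the article or from Jamf: every running process whose name matches a well-known system binary is checked against the directories Apple actually ships those binaries from. The sample process listing below is constructed for the illustration and assumes the column layout of `ps -axo pid=,comm=` on macOS, where `comm` carries the full executable path; the watchlist and allowed prefixes are assumptions a defender would tune.

```python
import os

# Names the article says the malware borrows; a defender would extend this list.
WATCHED_NAMES = {"Finder", "Software Update"}

# Apple-managed locations where a genuine process with one of these names
# should live (assumption for the example; tune to the fleet).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")

# Constructed sample of `ps -axo pid=,comm=` output (not captured from a real host).
SAMPLE_PS_OUTPUT = """\
    1 /sbin/launchd
  312 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  488 /System/Library/CoreServices/Software Update.app/Contents/MacOS/Software Update
 4471 /Users/alice/Library/Application Support/Maccy/Finder
 4479 /private/tmp/.x/Software Update
 4502 /Applications/Safari.app/Contents/MacOS/Safari
"""


def parse_ps(output: str):
    """Yield (pid, path) pairs; the path may contain spaces, so split once."""
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, _, path = line.partition(" ")
        yield int(pid), path.strip()


def find_masquerades(output: str):
    """Return [(pid, path)] for watched names running from untrusted locations."""
    hits = []
    for pid, path in parse_ps(output):
        name = os.path.basename(path)
        if name in WATCHED_NAMES and not path.startswith(TRUSTED_PREFIXES):
            hits.append((pid, path))
    return hits


if __name__ == "__main__":
    for pid, path in find_masquerades(SAMPLE_PS_OUTPUT):
        print(f"suspicious {pid}: {path}")
```

Run against a live host by feeding it the real listing, for example `find_masquerades(subprocess.check_output(["ps", "-axo", "pid=,comm="], text=True))`. The check is deliberately about location rather than name, because the name is exactly what the malware controls; pairing it with a code-signature check on the flagged path is the natural next step.
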
The “Delayed Prompt” Strategy

A particularly concerning aspect of this malware is its use of social engineering to gain elevated privileges. Roughly 40 minutes after the initial infection, the malware triggers a fake system alert requesting "Full Disk Access," the macOS privacy permission that unlocks protected user data. By delaying the request, the attackers bet that the user will no longer connect the prompt with the earlier download and will grant it. If they do, the attacker gains access to highly sensitive areas, including Mail, Messages and Time Machine backups.

The Evolution of Malicious Advertising

The threat landscape is shifting toward the abuse of trusted advertising platforms. Jamf Threat Labs recently identified a campaign on X (formerly Twitter) involving a sponsored ad for “DynamicLake.” This ad directed users to a malicious site that instructed them to run commands in the Terminal.

“We are seeing attackers move beyond traditional phishing,” noted Jaron Bradley, Director of Jamf Threat Labs. “By purchasing
