简而言之
Jamf 威胁实验室发现了一个新的基于 Rust 的 macOS 信息窃取程序,冒充 Maccy 剪贴板管理器。
该恶意软件在窃取受害者密码之前会通过 macOS PAM 验证其密码。
研究人员还发现 ClickFix 风格的恶意软件是通过赞助商传播的
据网络安全公司 Jamf Threat Labs 称,搜索开源剪贴板管理器 Maccy 的 Mac 用户正成为该应用程序假冒版本的目标,该应用程序安装了一个名为 PamStealer 的新的基于 Rust 的信息窃取程序。如果成功,恶意软件可以窃取用户的密码和加密钱包密钥。
Jamf Threat Labs 在周四发布的一份报告中表示,该活动使用一个相似的网站来分发包含名为 Maccy.scpt 的恶意 AppleScript 文件的磁盘映像。打开后,该文件会显示说明,告诉用户在 Apple 的脚本编辑器中运行该文件,同时将恶意代码隐藏在文档的下方。
Jamf 威胁实验室写道:“我们正在以 PamStealer 的名义跟踪该恶意软件,因为它的核心行为之一是:在获取受害者的登录密码之前通过 macOS 可插入身份验证模块 (PAM) 验证受害者的登录密码。”
从那里,恶意软件使用JavaScript进行自动化和本机macOS API来下载第二阶段的有效负载,而不依赖于常见的shell实用程序(例如curl或zsh),从而减少了安全工具可以观察到的进程数量。
Jamf 威胁实验室总监 Jaron Bradley 告诉 Decrypt:“对于许多窃取者,我们看到攻击者购买 Google 广告空间来引诱用户使用恶意应用程序。我们最近观察到 X 上也托管了恶意广告。” “这些社会工程技术已被证明非常成功。”
据报道,第二阶段是一个基于 Rust 的二进制文件,专为 Apple Silicon Mac 设计,伪装成 Finder 或 Software Update。
该公司表示:“该植入程序不是以明文形式存储其配置,而是从主机的指纹中获取密钥(包括其 CPU 架构、区域设置、键盘布局和时区),并使用它来解锁包含有效负载 URL 和安装路径的加密的、经过完整性检查的配置。”
安装后,该恶意软件可以窃取浏览器凭据和钥匙串数据、监视剪贴板内容、建立持久性,并使用加密通信将窃取的信息发送到远程命令和控制服务器。如果它无法验证它是否正在其预期目标上运行,那么它会悄悄地关闭自己。
该恶意软件还尝试通过显示虚假的 Finder 警报来扩展其访问权限,要求用户授予完全磁盘访问权限。该提示可能会在感染后最多 40 分钟内出现,从而使用户不太可能将其与原始下载关联起来。如果获得批准,恶意软件可以访问受保护的数据,包括邮件、消息和时间机器备份。
Bradley 表示,Jamf 尚未观察到任何 PamStealer 在野外活跃的证据;然而,该公司将其调查结果通知了苹果。苹果没有立即回应 Decrypt 的置评请求。
Jamf 表示,类似的社交工程技术正在蔓延到其他平台。
在上周的 X 帖子中,该公司表示正在调查一项赞助
“该
调查结果发布之际,攻击者越来越多地将恶意软件伪装成合法软件,并滥用受信任的开发者平台和广告渠道。最近的活动包括一个虚假的 OpenAI 存储库,该存储库在分发基于 Rust 的信息窃取程序之前已登上 Hugging Face 热门项目的榜首;GitHub 表示,该恶意 Visual Studio Code 扩展暴露了大约 3,800 个内部存储库;以及针对 OpenAI 和 Mistral AI 等人工智能公司使用的开发工具的 Shai-Hulud 软件供应链活动。
以及原创专题、播客、视频等开始。
In brief
Jamf Threat Labs identified a new Rust-based macOS infostealer posing as the Maccy clipboard manager.
The malware validates victims' passwords through macOS PAM before stealing them.
Researchers also spotted ClickFix-style malware delivered through a sponsored
Mac users searching for the open-source clipboard manager Maccy are being targeted by a fake version of the app that installs a new Rust-based infostealer dubbed PamStealer, according to cybersecurity firm Jamf Threat Labs. If successful, the malware could steal users’ passwords and crypto wallet keys.
“We are tracking this malware under the name PamStealer after one of its core behaviors: validating the victim’s login password through the macOS Pluggable Authentication Modules (PAM) before harvesting it,” Jamf Threat Labs wrote.
From there, the malware uses JavaScript for Automation and native macOS APIs to download a second-stage payload without relying on common shell utilities such as curl or zsh, reducing the number of processes security tools can observe.
"With many stealers, we have seen attackers purchasing Google Ad space to lure users to the malicious app. We have recently observed malicious ads being hosted on X as well,” Jamf Threat Labs Director Jaron Bradley told Decrypt. “These social engineering techniques have proven to be highly successful."
According to the report, the second stage is a Rust-based binary designed for Apple Silicon Macs that disguises itself as Finder or Software Update.
“Rather than storing its configuration in cleartext, the dropper derives a key from a fingerprint of the host—including its CPU architecture, locale, keyboard layout, and time zone—and uses it to unlock an encrypted, integrity-checked configuration containing the payload URL and installation path,” the company said.
Once installed, the malware can steal browser credentials and Keychain data, monitor clipboard contents, establish persistence, and send stolen information to a remote command-and-control server using encrypted communications. If it can't verify that it's running on its intended target, then it quietly shuts itself down.
The malware also attempts to expand its access by displaying a fake Finder alert asking users to grant Full Disk Access. The prompt can appear up to 40 minutes after infection, making it less likely that users will associate it with the original download. If approved, the malware can access protected data, including Mail, Messages, and Time Machine backups.
According to Bradley, Jamf has not observed any evidence that PamStealer is active in the wild; however, the company notified Apple of its findings. Apple did not immediately respond to a request for comment by Decrypt.
Jamf said it is seeing similar social engineering techniques spread to other platforms.
In an X post last week, the company said it was investigating a sponsored
“The
The findings come as attackers increasingly disguise malware as legitimate software and abuse trusted developer platforms and advertising channels. Recent campaigns have included a fake OpenAI repository that reached the top of Hugging Face's trending projects before distributing a Rust-based infostealer, a malicious Visual Studio Code extension that GitHub said exposed roughly 3,800 internal repositories, and the Shai-Hulud software supply-chain campaign targeting development tools used by AI companies including OpenAI and Mistral AI.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.