A Not So Friendly Reminder Your Apple Isn’t Actually Immune To Infection
Those who are running a Mac with an Apple-built CPU should be very careful when installing a clipboard manager app called Maccy, as a rather nasty infection is being distributed through unofficial copies of it. The app from the official page is still safe, but there are always sites out there claiming to offer an alternative source for apps. PamStealer is a mix of familiar and new, with a disturbingly quiet infection vector.
As with most Apple malware, it was compiled in AppleScript and presents as a disk image, but once installed it makes use of a JavaScript for Automation (JXA) downloader instead of the more traditional curl or zsh vector. When you install the infected version of Maccy, you get a prompt to press Command-R once it finishes, a little odd but not enough to make every user suspicious. This is followed by a pop-up that resembles a system prompt, asking the user to enter their password, along with a comforting message that Maccy just needs to make some changes. Once you enter your password and PamStealer validates it locally through PAM, you get an error saying there was an issue with the package and it didn't install. No harm, no foul, right?
Meanwhile, behind the scenes, that JXA process has loaded a Rust-based second stage, and the password prompt, which was generated via AppleScript, is able to bypass any com.apple.quarantine warnings. The Rust process is able to appear to the system as if it were a Finder process, which lets it avoid easy detection. It also significantly delays any system warnings, such as a prompt about an app needing Full Disk Access, by almost an hour, so a user might not associate it with that failed Maccy install.
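As an added illustration of how a defender might hunt for the two behaviours described above (this is example code, not from the article or any vendor), here is a toy process-tree detector run over constructed sample events: it flags a JXA interpreter launched from an app on a mounted disk image and any process calling itself Finder that is not the real Finder binary. The event format, pids and the second-stage path are assumptions made for the example.

```python
"""Toy detector for two behaviours described above: a JXA downloader
(osascript -l JavaScript) launched from an app on a mounted disk image, and
a second stage posing as Finder. Event format and paths are CONSTRUCTED."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name path argv")
REAL_FINDER = "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"

# Constructed sample events: tab-separated pid, ppid, name, exec path, argv.
SAMPLE_EVENTS = """\
1\t0\tlaunchd\t/sbin/launchd\tlaunchd
300\t1\tFinder\t/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder\tFinder
510\t300\tMaccy\t/Volumes/Maccy/Maccy.app/Contents/MacOS/Maccy\tMaccy
511\t510\tosascript\t/usr/bin/osascript\tosascript -l JavaScript -e (stage-1 omitted)
512\t511\tFinder\t/Users/alice/Library/Caches/.placeholder/Finder\tFinder
""".splitlines()

def parse(lines):
    """Build a pid -> Proc map; blank and '#' lines are ignored."""
    procs = {}
    for line in lines:
        if line.strip() and not line.startswith("#"):
            f = line.split("\t", 4)
            procs[int(f[0])] = Proc(int(f[0]), int(f[1]), f[2], f[3], f[4])
    return procs

def ancestors(procs, pid):
    """Parents of pid, nearest first; stops at the root or on a cycle."""
    chain = []
    while pid in procs and pid not in chain:
        chain.append(pid)
        pid = procs[pid].ppid
    return [procs[p] for p in chain[1:]]

def detect(lines):
    """Return (rule, pid) tuples for processes matching either behaviour."""
    procs = parse(lines)
    alerts = []
    for p in procs.values():
        parents = ancestors(procs, p.pid)
        # Rule 1: JXA interpreter with an ancestor running straight off a
        # mounted disk image, like the trojaned Maccy installer.
        if p.name == "osascript" and "-l JavaScript" in p.argv and any(
                a.path.startswith("/Volumes/") for a in parents):
            alerts.append(("jxa_from_dmg", p.pid))
        # Rule 2: a process calling itself Finder whose binary is not the
        # real Finder (the Rust second stage poses as Finder).
        if p.name == "Finder" and p.path != REAL_FINDER:
            alerts.append(("finder_masquerade", p.pid))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` on the constructed tree flags pid 511 (JXA under the disk-image app) and pid 512 (fake Finder), while the genuine Finder at pid 300 stays quiet.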