New Malware Disguised as Clipboard App Targets Password Theft

Jamf Threat Labs has exposed a new malware campaign targeting Mac users by disguising a malicious app as the popular Maccy clipboard manager, revealing a sophisticated infostealer that can hijack passwords and cryptocurrency keys. This discovery underscores the importance of vigilance in the digital age, especially as cybercriminals increasingly leverage legitimate-looking sponsored ads to distribute threats.

Magnus Oliver

New Malware Disguised as Clipboard App Targets Password Theft

Imagine searching for a simple productivity tool only to fall prey to a meticulously crafted trap. This scenario isn't a hypothetical cautionary tale but a stark reality for some Mac users. Jamf Threat Labs recently uncovered a deceptive campaign that masquerades a malware-infested app as the benign Maccy clipboard manager.

The cleverly disguised Rust-based infostealer, dubbed PamStealer, not only validates victims' passwords using macOS's Pluggable Authentication Modules (PAM) but also pilfers crypto wallet keys. The process starts innocuously enough on a lookalike website, prompting downloads of a malicious disk image with an AppleScript file cunningly hidden among legitimate instructions. It's an old trick in a new guise, relying on user trust and familiarity to deliver its payload-an encrypted, integrity-checked configuration that unleashes the second-stage malware specifically tailored for Apple Silicon Macs.

The ingenuity of PamStealer doesn't stop there. If activated, the stealer gains extensive access to the system-monitoring clipboard contents, stealing browser credentials, and even sending this data to a remote server under the veil of encrypted communications. The malware's ability to present itself as benign software like Finder or Software Update until the eleventh hour exacerbates its potential harm. A surprising twist in its modus operandi involves a delayed fake alert that requests Full Disk Access-a masterstroke in patience and psychological manipulation which enables deeper system infiltration.

What makes this especially sinister is the use of sponsored advertisements on platforms like X to spread the malware, as noted by Jaron Bradley of Jamf, highlighting a worrying trend in cyberattack vectors. This method capitalizes on a layer of perceived legitimacy, often convincing users of its genuineness. While Jamf has yet to see PamStealer active outside its controlled observations and notified Apple about this threat, the implications ring loud for cybersecurity.

For those entwined in fintech and particularly cryptocurrency, this serves as a reminder that security is not just a feature but a necessity. In our latest Radom Insights post, we delve into how such malware can impact not just individual users but also the integrity of secure transaction environments, much like those facilitated by crypto payment links. Vigilance and skepticism towards unknown sources, and perhaps a renewed scrutiny of sponsored ads, might just save your digital bacon.

As fintech experts, let's not forget that with great technology comes great responsibility-both in its development and its use.

Sign up to Radom to get started