Newly discovered PamStealer isn't your typical macOS malware
Back to Tutorials
techTutorialbeginner

Newly discovered PamStealer isn't your typical macOS malware

July 2, 202628 views5 min read

Learn how to analyze suspicious macOS files using basic Terminal commands to understand malware threats like PamStealer. This beginner-friendly tutorial teaches essential malware analysis techniques using common command-line tools.

Introduction

In this tutorial, you'll learn how to analyze macOS malware using basic command-line tools and techniques that security researchers employ. We'll focus on understanding how to examine suspicious files on a Mac system, which is crucial knowledge for anyone interested in cybersecurity or protecting their Mac from threats like the newly discovered PamStealer malware.

Understanding how malware works on macOS systems helps you recognize potential threats and protect your computer. This tutorial will guide you through the fundamental steps of malware analysis using simple terminal commands that every Mac user can follow.

Prerequisites

To complete this tutorial, you'll need:

  • A Mac computer running macOS (any recent version will work)
  • Basic familiarity with using the Terminal application
  • Access to a suspicious file or sample (for educational purposes only)
  • Administrator privileges on your Mac

Step-by-Step Instructions

1. Open Terminal and Navigate to Your Working Directory

First, you need to open the Terminal application, which is your gateway to examining files on macOS. You can find it in Applications > Utilities > Terminal, or use Spotlight Search (Cmd + Space) and type 'Terminal'.

When you open Terminal, you'll see a command prompt. The first step is to navigate to the directory containing your suspicious file. If you're working with a sample file, you might have downloaded it to your Downloads folder.

cd ~/Downloads

This command changes your current directory to the Downloads folder. The tilde (~) represents your home directory, and cd stands for 'change directory'.

2. List Files in Your Directory

Before examining any specific file, it's helpful to see what files you're working with. Use the ls command to list all files in the current directory:

ls -la

The -l flag shows detailed information about each file, including permissions and ownership, while -a shows hidden files. This helps you identify your suspicious file among others.

3. Check File Type and Basic Information

Now that you've located your file, use the file command to determine what type of file it is:

file suspicious_file

This command tells you if the file is a binary, script, or other type. For example, it might show 'Mach-O executable' for macOS binaries, which is important information when analyzing malware.

4. Examine File Permissions

Malware often has unusual permissions that can indicate malicious intent. Check the permissions of your suspicious file:

ls -l suspicious_file

Look at the first column of output. If you see something like 'rwxrwxrwx' (all users have read, write, and execute permissions), this could be a red flag, as legitimate system files typically have more restrictive permissions.

5. Check File Size and Creation Date

Malware often has unusual file sizes or timestamps. Use the following command to get detailed file information:

stat suspicious_file

This shows the file size, creation date, modification date, and other metadata. Compare these dates with what you'd expect for a legitimate application.

6. Analyze the File's Contents with Strings

The strings command extracts printable character sequences from binary files, which can reveal URLs, paths, or other text that malware might be using:

strings suspicious_file | grep -i 'http\|url\|com\|net'

This command searches for web-related terms within the file. If you see suspicious URLs or domain names, it might indicate the malware is trying to communicate with external servers.

7. Use Hexdump to View Raw Data

For deeper analysis, you can examine the raw hexadecimal representation of the file:

hexdump -C suspicious_file | head -20

This shows the first 20 lines of hexadecimal data. While this requires some expertise to interpret, you might notice unusual patterns or embedded strings that don't belong in normal applications.

8. Check for Hidden Resources

On macOS, applications often contain hidden resources. Use this command to check for them:

ls -la suspicious_file

Look for any hidden files or directories that might contain additional malicious code. On macOS, files starting with a dot are hidden, so this command shows all files including hidden ones.

9. Verify File Integrity with Hashes

Malware often gets modified from its original form. Calculate the file's hash to compare with known good values:

shasum suspicious_file

Compare this hash with known good hashes for the same file from trusted sources. If they don't match, the file might have been tampered with.

10. Safe Removal of Suspicious Files

If you've determined a file is malicious, it's important to remove it safely:

rm -rf suspicious_file

The -r flag removes directories recursively, and -f forces removal without confirmation. Be extremely careful with this command, as it permanently deletes files.

Summary

In this tutorial, you've learned fundamental techniques for analyzing suspicious files on macOS systems. You've discovered how to use basic Terminal commands to examine file types, permissions, contents, and metadata. These skills are essential for understanding how malware like PamStealer operates on Mac systems.

Remember that while these tools help you analyze threats, they're most effective when combined with other security measures like keeping your system updated, using antivirus software, and being cautious about downloading files from unknown sources. The goal isn't to become a malware developer, but to understand these threats so you can protect yourself and others.

Always practice malware analysis on files you own or have explicit permission to examine. Never analyze files from unknown sources without proper security measures in place.

Source: Ars Technica

Related Articles