A brand new macOS information-stealing malware referred to as CrashStealer disguises itself as Apple’s crash reporting device and steals credentials, keychain knowledge, and crypto wallets.
Malware researchers started monitoring the malware in Might, when it seemed to be nonetheless in growth, however noticed it being utilized in assaults in early July.
CrashStealer has a typical infostealer characteristic set that appears to give attention to a password supervisor and over 80 crypto pockets extensions.
notarized malware dropper
The CrashStealer infostealer binary makes use of the title “CrashReporter.app” to impersonate Apple’s system parts in an try to evade person monitoring and potential safety instruments.
Along with the title, the malware additionally creates a LaunchAgent named “com.apple.crashreporter.helper” that makes use of the respectable device’s icon and metadata to resemble the respectable device as a lot as doable.
Based on researchers at Jamf, an organization that gives administration and safety options for Apple units, the payload is delivered by means of an installer (“Werkbit Setup”) that’s signed and notarized by Apple.
This lets you silently bypass Gatekeeper, the anti-malware characteristic constructed into macOS.

Supply: Jamf Labs
As soon as launched, the malware shows a faux macOS password immediate to trick customers into believing they’re authorizing respectable system operations that require administrator privileges.
This password can unlock the person’s keychain. A keychain accommodates regionally saved secrets and techniques and acts as an encrypted password vault for macOS. Usually contains Safari logins, Wi-Fi passwords, software passwords, non-public encryption keys, certificates, and tokens.

Supply: Jamf Labs
As soon as a password is supplied, the malware validates the password regionally utilizing ‘dscl’ (Listing Providers Command Line). If not, CrashStealer returns an authentication error and prompts the person to enter it once more.
Jamf’s evaluation reveals that other than keychain knowledge, CrashStealer additionally targets the next knowledge:
- Browser credentials and cookies from Chromium-based browsers and Firefox
- 80 cryptocurrency pockets extensions together with MetaMask, Phantom, Coinbase Pockets, Belief Pockets, Rabby, Exodus, Keplr, Solflare
- 14 password managers (together with 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass, RoboForm)
- Information from person directories equivalent to Paperwork and Downloads whereas deliberately skipping giant media recordsdata, installers, and system directories
Earlier than exfiltrating the stolen knowledge, CrashStealer encrypts the information utilizing the AES-256-GCM algorithm, a really highly effective technique for this sort of operation, packages it right into a hidden ZIP archive, and makes use of libcurl to add the compressed knowledge to a command and management (C2) server.
Jamf researchers say that regardless of overlap in goal with different infostealer households (equivalent to Atomic, MacSync, and Phexia), CrashStealer is exclusive attributable to its client-side encryption mechanism and native C++ implementation.
Jamf didn’t present particulars on precisely how CrashStealer was initially distributed, however it’s price noting that the primary stage payload (Werkbit Setup) is hosted on a faux software program web site that was registered in late June.

Supply: Jamf Labs
Payload obtain is gated by the convention PIN, indicating that the marketing campaign is restricted to guests who present the right code.
Jamf researchers say the CrashStealer marketing campaign is a deliberate operation centered on stealth, utilizing a signed and notarized malware dropper and a payload that resigns itself for persistence.
The aim of the re-signing course of is to rewrite the code signing knowledge throughout the binary. This causes the recordsdata to have totally different hashes though the code has not modified.
Jamf’s report on CrashStealer shares an in depth set of compromise indicators, together with the title and hash of the malicious device, and particulars about supply infrastructure and file system artifacts.
Safety groups doc 54% of profitable assaults and concern a warning on solely 14%. The remainder strikes invisibly by means of the surroundings.
Picus’ whitepaper reveals the best way to take a look at your SIEM and EDR guidelines in breach and assault simulations to make sure threats go undetected.
Get the white paper
