Advertisement
Security

CrashStealer Malware Evades MacOS Defenses via Signed Notarization

A sophisticated new C++ information stealer leverages legitimate Apple developer IDs to bypass Gatekeeper and harvest user credentials.

·3 hours ago·2 min read
a black apple on a white tablet
Photo by Omar Al-Ghosson on Unsplash
Advertisement

The landscape of MacOS threats is shifting as attackers pivot toward more technically robust methods of infiltration. Recent analysis of a novel strain dubbed CrashStealer reveals a sophisticated operational model that prioritizes persistence and evasion over simple volume, leveraging native code to bypass traditional detection mechanisms.

Notarization as a Tool for Deception

Rather than relying on basic script-based wrappers, this Malware is implemented in C++. Its primary distribution vector involves a disk image known as "Werkbit.app," which is notably signed and Apple-notarized under the developer ID "Emil Grigorov (WWB7JA7AQV)." By utilizing these legitimate credentials, the malicious dropper successfully circumvents Apple’s Gatekeeper security checks, effectively masquerading as authorized software.

"It validates the victim's login password locally before harvesting, collects broadly across browsers, cryptocurrency wallets, password managers, and the keychain, encrypts what it collects with AES-GCM before exfiltrating over libcurl, and persists by copying and re-signing itself," security researcher Thijs Xhaflaire said in a report shared with The Hacker News.

Targeted Delivery and Hidden Execution

The campaign exhibits a high level of operational security, with the installer hosted on a domain registered in June 2026. Access to the malicious payload is restricted behind a meeting PIN, ensuring that only targeted individuals can retrieve the disk image. Upon execution, the malware initiates a multi-stage infection process, reaching out to a GitHub repository to fetch a payload that eventually lands in the "/tmp" directory, setting the stage for wide-scale data theft.

Extensive Scope of Data Collection

Once active, the threat actor establishes a LaunchAgent to maintain access while deploying layers of anti-debugging and control-flow flattening to resist analysis. The scope of information compromised by this operation is significant, targeting high-value assets across the following categories:

  • Credentials from Chromium-family browsers including Google Chrome, Brave, Microsoft Edge, Opera, Opera GX, Vivaldi, Chromium, and Naver Whale.
  • Roughly 80 cryptocurrency wallet extensions, such as MetaMask, Phantom, Coinbase, Trust Wallet, Rabby, OKX Wallet, Exodus, Keplr, Solflare, and Backpack.
  • Data from 14 password managers including 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass, and RoboForm.
  • Exfiltration of files from the ~/Documents and ~/Downloads directories.

Consequences for Endpoint Integrity

The emergence of CrashStealer signals a critical evolution in endpoint security challenges, where the use of notarized droppers complicates the efficacy of standard behavioral defenses. For businesses and individual users, this creates a heightened risk profile, as even software that passes initial OS security checks may harbor malicious functionality. The reliance on AES-GCM encryption for exfiltrated data through the attacker-controlled server at 179.43.166.242 highlights that modern threats are becoming increasingly adept at hiding their tracks, making robust endpoint monitoring and user vigilance regarding file provenance more essential than ever.

#macos#malware#infostealer#cybersecurity#apple
← Back to all stories
Advertisement