Advertisement
Security

CrashStealer Malware Mimics Apple Tools to Exfiltrate Keychain Data

A newly identified macOS infostealer leverages Apple-notarized installers to bypass system security and harvest sensitive user data.

·5 hours ago·2 min read
red padlock on black computer keyboard
Photo by FlyD on Unsplash
Advertisement

Cybersecurity researchers have identified a sophisticated new threat targeting macOS users, known as CrashStealer. This information-stealing malware masquerades as an official Apple crash-reporting utility, carefully mimicking the appearance and operational metadata of legitimate system software to deceive both users and automated security defenses.

The Anatomy of a Disguised Threat

Active development of this malicious software appears to have begun in May, with field observations confirming its deployment in actual attacks by early July. To maintain a facade of legitimacy, the malware utilizes the name ‘CrashReporter.app’ and installs a specific LaunchAgent labeled ‘com.apple.crashreporter.helper’. By adopting the icons and metadata associated with genuine Apple tools, the attackers attempt to lower the threshold of suspicion for their victims.

Perhaps most concerning is the distribution method identified by security experts. The payload is packaged within a signed and Apple-notarized installer, which allows it to circumvent macOS Gatekeeper protections seamlessly. According to Jamf's analysis, this notarization provides a veneer of trust that effectively neutralizes standard OS-level warnings that would typically flag unauthorized or suspicious executables.

Jamf researchers say that the CrashStealer campaign is a careful operation focused on stealth by using a signed and notarized malware dropper and a payload that re-signs itself for persistence.

Targeting the Digital Keychain

Upon execution, the malware prompts the user for their system password under the guise of an administrative requirement. This interaction is designed specifically to unlock the macOS Keychain, granting the attackers access to saved browser logins, Wi-Fi credentials, and private cryptographic keys. The malware confirms the password locally using the ‘dscl’ utility, ensuring that it only proceeds once it has successfully verified the credentials.

Once access is secured, the malware scans for a wide variety of high-value targets across the host machine:

  • Data from over 80 cryptocurrency wallet extensions, such as MetaMask, Phantom, and Coinbase Wallet.
  • Credentials and cookies harvested from Firefox and various Chromium-based browsers.
  • Sensitive information stored across 14 distinct password managers, including 1Password, Bitwarden, and LastPass.
  • AES-256-GCM encryption is utilized to protect stolen data before it is exfiltrated to command-and-control servers via libcurl.

Strategic Stealth and Persistence

The campaign exhibits a high degree of operational caution. The primary installer, dubbed “Werkbit Setup,” is hosted on fraudulent websites that require a specific meeting PIN to access the download, effectively gating the malware to targeted individuals. To maintain a long-term footprint on an infected system, the malware employs a re-signing mechanism that alters the binary's hash while leaving the underlying code intact, helping it avoid detection by signature-based security tools.

While this malware shares objectives with other established families like Atomic, MacSync, and Phexia, its reliance on native C++ implementation and specialized client-side encryption sets it apart. For organizations, the existence of this threat highlights the dangerous assumption that notarized software is inherently safe. Security teams must prioritize Test every layer before attackers do to ensure that signature-based defenses are supplemented by behavioral analysis, as attackers increasingly use legitimate OS infrastructure to hide their tracks from both users and endpoint protection systems.

#macos#malware#infostealer#cybersecurity#apple
← Back to all stories
Advertisement