CrashStealer Malware Disguised as Apple Crash Reporting Tool

A new macOS information stealer called CrashStealer pretends to be Apple's CrashReporter application, using the tool's name, icon, and metadata while creating a LaunchAgent named com.apple.crashreporter.helper to evade detection. The malware is delivered through a signed and Apple-notarized installer named Werkbit Setup that bypasses Gatekeeper without warnings, then displays a fake macOS password prompt to capture credentials. The captured password unlocks the user's Keychain containing Safari logins, Wi-Fi passwords, application passwords, private cryptographic keys, and certificates.

CrashStealer targets browser credentials and cookies from Chromium-based browsers and Firefox, over 80 cryptocurrency wallet extensions including MetaMask and Phantom, and 14 password managers including 1Password, Bitwarden, and LastPass. The malware also steals files from user directories while skipping large media files and system folders, encrypting exfiltrated data using AES-256-GCM before uploading to command-and-control servers via libcurl. The malware was first tracked in May during development and observed in active attacks by early July.

Jamf researchers note CrashStealer's distinct client-side encryption mechanism and native C++ implementation set it apart from other infostealer families. The first-stage payload is hosted on a fake software site registered in late June, with downloads gated behind a meeting PIN suggesting a targeted campaign. The malware re-signs itself for persistence, rewriting code-signature data to produce different hashes while the code remains unchanged. The operation focuses on stealth through signed and notarized droppers and careful deployment tactics.

Read more...

Read More

Got Something To Say?

Your email address will not be published.