This new macOS infostealer poses as an Apple crash reporting tool to try and steal all your valuable data

The menu bar running in macOS.
(Image credit: Herry Sucahya on Unsplash)

  • Jamf researchers uncover “CrashStealer,” a notarized macOS infostealer disguised as Apple’s CrashReporter
  • Distributed via a fake site called “Werkbit Setup”, it bypasses Gatekeeper, installs a LaunchAgent
  • It then uses a fake password prompt to unlock Keychain, exfiltrating credentials, cookies, files, and data from 80 crypto wallets and 14 password managers

A new macOS infostealer has been spotted in the wild, masquerading as an Apple crash reporting tool, experts have warned.

Called CrashStealer, this C++ infostealer was designed to nab login credentials, keychain information, as well as data related to more than 80 cryptocurrency wallets.

Cybersecurity researchers Jamf published an in-depth report on the malware, noting CrashStealer is most likely distributed via a fake software site that was only registered recently.

Latest Videos From

Unlocking Keychain

Victims who land on the site (either via a social media recommendation or search engine results) need to know the PIN code before initiating the download. This was most likely done to avoid analyst scrutiny, as well as to increase perceived credibility and a sense of exclusivity.

Usually, apps downloaded from third-party sources are scanned by Gatekeeper, Apple’s built-in security system. However, Jamf says that this payload is delivered via a signed and Apple-notarized installer and distributed as a disk image named “Werkbit Setup”, which allowed it to bypass Gatekeeper without any warnings.

Those that download and run the program will get a binary named ‘CrashReporter.app’, which will create a LaunchAgent (‘com.apple.crashreporter.helper’), and will see a fake macOS password prompt.

That prompt unlocks the user’s Keychain where most of their secrets are stored (passwords, private cryptographic keys, and more) and then exfiltrates all information to a third-party server.

Besides Keychain data, the CrashReporter malware also pulls browser credentials and cookies from most browsers, data from 80 cryptocurrency wallet extensions, 14 password managers, locally stored files, and more.

Jamf said CrashReporter overlaps, to some extent, with other known infostealers (AMOS, for example), but is still unique enough given its client-side encryption mechanism, as well as the native C++ implementation.


Best antivirus software header
The best antivirus for all budgets

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.


TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.