- Jamf researchers reveal “CrashStealer”, a notarized macOS infostealer masquerading as Apple’s CrashReporter
- Distributed via a fake site called “Werkbit Setup”, it bypasses Gatekeeper, installs a LaunchAgent
- It then uses a fake password prompt to unlock Keychain, exfiltrating credentials, cookies, files and data from 80 crypto wallets and 14 password managers
A new macOS infostealer has been discovered in the wild disguised as an Apple crash reporting tool, experts have warned.
Called CrashStealer, this C++ infostealer is designed to find login credentials, keychain information, as well as data related to more than 80 cryptocurrency wallets.
Cybersecurity researchers Jamf published an in-depth report on the malware, noting that CrashStealer is most likely distributed via a fake software website that was only recently detected.
Unlocks key ring
Victims who land on the site (either through a social media recommendation or search engine results) must know the PIN before starting the download. This was most likely done to avoid analyst scrutiny as well as to increase perceived credibility and a sense of exclusivity.
Normally, apps downloaded from third-party sources are scanned by Gatekeeper, Apple’s built-in security system. However, Jamf says this payload is delivered via a signed and Apple-notarized installer and distributed as a disk image called “Werkbit Setup”, which allowed it to bypass Gatekeeper without any warnings.
Those who download and run the program will get a binary named ‘CrashReporter.app’ which will create a LaunchAgent (‘com.apple.crashreporter.helper’) and will see a fake macOS password prompt.
This prompt unlocks the user’s keychain, where most of their secrets are stored (passwords, private cryptographic keys, and more) and then exfiltrates all information to a third-party server.
In addition to keychain data, the CrashReporter malware also pulls browser information and cookies from most browsers, data from 80 cryptocurrency wallet extensions, 14 password managers, locally stored files, and more.
Jamf said that CrashReporter overlaps to some extent with other known infostealers (AMOS, for example), but is still unique enough given its client-side encryption mechanism as well as the native C++ implementation.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



