Researchers at Jamf have identified a new macOS information-stealing malware called CrashStealer that disguises itself as Apple’s own crash-reporting utility. The malware was first spotted in May while apparently still under development, with active attacks observed beginning in early July.
CrashStealer names its binary ‘CrashReporter.app’ and creates a LaunchAgent called ‘com.apple.crashreporter.helper,’ copying the icon and metadata of Apple’s legitimate tool to avoid raising suspicion. According to Jamf, the payload is delivered through a signed and Apple-notarized installer named ‘Werkbit Setup,’ which allows it to bypass Gatekeeper without triggering any security warnings.
Fake Password Prompt Targets the Keychain
Once launched, CrashStealer displays a spoofed macOS password prompt designed to convince victims they are authorizing a routine system operation. In reality, entering the password can unlock the user’s Keychain, the encrypted vault that stores Safari logins, Wi-Fi credentials, application passwords, private keys, certificates, and tokens. The malware validates entered passwords locally using the ‘dscl’ command-line tool and re-prompts users if the password is incorrect, reinforcing the illusion of a legitimate system dialog.
Broad Data Collection Scope
Beyond Keychain data, Jamf’s analysis shows CrashStealer also targets:
- Browser credentials and cookies from Chromium-based browsers and Firefox
- 80 cryptocurrency wallet extensions, including MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Rabby, Exodus, Keplr, and Solflare
- 14 password managers, including 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass, and RoboForm
- Files from Documents and Downloads folders, while skipping large media files, installers, and system directories
Before exfiltration, CrashStealer encrypts stolen data with AES-256-GCM, an unusually strong method for this class of malware, then packages it into hidden ZIP archives and uploads it to a command-and-control server using libcurl. Jamf notes this client-side encryption and the malware’s native C++ implementation distinguish it from other macOS infostealer families such as Atomic, MacSync, and Phexia.
Gated Distribution and Persistence Tricks
Jamf has not fully detailed CrashStealer’s initial infection vector but found the Werkbit Setup installer hosted on a fake software site registered in late June. Downloading the payload requires a meeting PIN, suggesting the campaign is limited to a select set of targeted visitors. The malware also re-signs itself periodically, rewriting code-signature data to alter its file hash without changing the underlying code, a technique aimed at evading hash-based detection and maintaining persistence.
Jamf’s report includes indicators of compromise covering malicious tool names, file hashes, delivery infrastructure, and filesystem artifacts, which security teams can use to hunt for signs of compromise.
