Mac users should be wary of macOS malware called CrashStealer, according to Jamf Threat Labs. The malware impersonates Apple’s crash reporting framework and is intended to steal all sorts of sensitive information.
CrashStealer collects browser data, password manager data, cryptocurrency wallet extensions, and keychain data, and Jamf first noticed it was circulating in a fake app notarized by Apple called Werkbit. With notarization, the malware is not stopped by Gatekeeper, which is part of the macOS security system.
It targets over 80 cryptocurrency wallet extensions and 14 password managers like 1Password, LastPass, and Dashlane. It searches the Document and Downloads folders for information worth collecting.
The app appears legitimate and uses a typical macOS installation procedure for software downloaded via the web, with the process detailed on Jamf’s website. A fake CrashReporter.app is uploaded via Werkbit and is intended to impersonate Apple’s own crash reporter. A user clicking on the app would likely consider it a legitimate Apple utility.
It requests full disk access “for system administration” and uses a native password prompt that looks like a real macOS permission request. The entered password is used to access the login keychain. The collected data is encrypted with AES-256-GCM via Apple’s CommonCrypto and sent to the attacker’s IP address.
Jamf says the way CrashStealer has been implemented “shows real care”, with the obfuscation steps setting it apart from standard infostealers. The malware was reported to Apple after it was first spotted in May and actively used in July.
Apple revoked the Werkbit app’s signing information, so the specific attack vector described by Jamf was disabled, but the malware could reappear. The original version was protected by a PIN required for installation, suggesting it was intended for specific people.
Apple’s notarization system is intended to protect Mac users from malware, and Apple says notarized apps are checked for malicious components. CrashStealer makes it clear that there are methods to hide malware from Apple’s security process.
When downloading software, users can protect themselves from CrashStealer knowing that Apple’s crash reporter is built-in. Any download using CrashReporter is a red flag, as is an application that asks for a system password upon launch.
