- Jamf researchers discover “CrashStealer”, a notarized macOS information stealer disguised as Apple’s CrashReporter.
- Distributed via a fake site called “Werkbit Setup”, it bypasses Gatekeeper, installs a LaunchAgent
- It then uses a fake password prompt to unlock the keychain, exfiltrating credentials, cookies, files and data from 80 crypto wallets and 14 password managers.
A new macOS information stealer has been spotted in the wild, masquerading as an Apple crash reporting tool, experts have warned.
Called CrashStealer, this C++ infostealer was designed to recover login credentials, keychain information, and data related to over 80 cryptocurrency wallets.
Cybersecurity researchers Jamf published a detailed report on the malware, noting that CrashStealer is most likely distributed through a fake software site that was only recently registered.
Unlocking the keychain
Victims who access the site (either through a recommendation on social media or through search engine results) must know the PIN before starting the download. This was likely done to avoid analyst scrutiny, as well as to increase perceived credibility and a sense of exclusivity.
Usually, apps downloaded from third-party sources are scanned by Gatekeeper, Apple’s built-in security system. However, Jamf says this payload is delivered via an installer signed and notarized by Apple and distributed as a disk image named “Werkbit Setup”, which allowed it to bypass Gatekeeper without any warning.
Those who download and run the program will receive a binary named “CrashReporter.app”, which will create a LaunchAgent (“com.apple.crashreporter.helper”) and see a fake macOS password prompt.
This prompt unlocks the user’s keychain where most of their secrets (passwords, private cryptographic keys, etc.) are stored, then exfiltrates all the information to a third-party server.
Besides keychain data, CrashReporter malware also extracts credentials and cookies from most browsers, data from 80 cryptocurrency wallet extensions, 14 password managers, locally stored files, etc.
Jamf said that CrashReporter overlaps, to some extent, with other known information stealers (AMOS, for example), but remains unique enough given its client-side encryption mechanism, as well as its native C++ implementation.

The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.




