- Jamf Researchers Discover “CrashStealer,” a Notary-Certified macOS Data Stealer Disguised as Apple’s CrashReporter
- Distributed through a fake site called “Werkbit Setup”, bypass Gatekeeper and install a LaunchAgent
- It then uses a fake password request to unlock the keychain, extracting credentials, cookies, files and data from 80 crypto wallets and 14 password managers.
A new macOS information thief has been detected, posing as an Apple crash reporting tool, experts have warned.
Called CrashStealer, this C++ data stealer was designed to obtain login credentials, keychain information, and data related to over 80 cryptocurrency wallets.
Cybersecurity researchers Jamf published a detailed report on the malware, noting that CrashStealer is likely distributed through a fake software site that was recently registered.
Unlock keychain
Victims who access the site (either through a social media recommendation or search engine results) need to know the PIN code before starting the download. This was most likely done to avoid analyst scrutiny, as well as to increase perceived credibility and a sense of exclusivity.
Typically, Gatekeeper, Apple’s built-in security system, scans apps downloaded from third-party sources. However, Jamf says that this payload is delivered via an Apple-certified and signed installer and is distributed as a disk image called “Werkbit Setup”, which allowed it to bypass Gatekeeper without any warning.
Those who download and run the program will get a binary called ‘CrashReporter.app’, which will create a LaunchAgent (‘com.apple.crashreporter.helper’) and will see a fake macOS password prompt.
That message unlocks the user’s keychain where most of their secrets (passwords, private cryptographic keys, and more) are stored and then leaks all the information to a third-party server.
In addition to Keychain data, CrashReporter malware also extracts browser credentials and cookies from most browsers, data from 80 cryptocurrency wallet extensions, 14 password managers, locally stored files, and more.
Jamf said that CrashReporter overlaps, to some extent, with other well-known information stealers (AMOS, for example), but is still quite unique given its client-side encryption mechanism as well as the native C++ implementation.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.




