Skip to content
This new macOS infostealer poses as an Apple crash reporting tool to try and steal all your valuable data
TechRadar
TechnologyTechRadar··2 min read

This new macOS infostealer poses as an Apple crash reporting tool to try and steal all your valuable data

Jamf researchers uncover “CrashStealer,” a notarized macOS infostealer disguised as Apple’s CrashReporter

Distributed via a fake site called “Werkbit Setup”, it bypasses Gatekeeper, installs a LaunchAgent

It then uses a fake password prompt to unlock Keychain, exfiltrating credentials, cookies, files, and data from 80 crypto wallets and 14 password managers

A new macOS infostealer has been spotted in the wild, masquerading as an Apple crash reporting tool, experts have warned.

Called CrashStealer, this C++ infostealer was designed to nab login credentials, keychain information, as well as data related to more than 80 cryptocurrency wallets.

Cybersecurity researchers Jamf published an in-depth report on the malware, noting CrashStealer is most likely distributed via a fake software site that was only registered recently.

Unlocking Keychain

Victims who land on the site (either via a social media recommendation or search engine results) need to know the PIN code before initiating the download. This was most likely done to avoid analyst scrutiny, as well as to increase perceived credibility and a sense of exclusivity.

Usually, apps downloaded from third-party sources are scanned by Gatekeeper, Apple’s built-in security system. However, Jamf says that this payload is delivered via a signed and Apple-notarized installer and distributed as a disk image named “Werkbit Setup”, which allowed it to bypass Gatekeeper without any warnings.

Those that download and run the program will get a binary named ‘CrashReporter.app’, which will create a LaunchAgent (‘com.apple.crashreporter.helper’), and will see a fake macOS password prompt.

That prompt unlocks the user’s Keychain where most of their secrets are stored (passwords, private cryptographic keys, and more) and then exfiltrates all information to a third-party server.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Besides Keychain data, the CrashReporter malware also pulls browser credentials and cookies from most browsers, data from 80 cryptocurrency wallet extensions, 14 password managers, locally stored files, and more.

Jamf said CrashReporter overlaps, to some extent, with other known infostealers (AMOS, for example), but is still unique enough given its client-side encryption mechanism, as well as the native C++ implementation.

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

View original source — TechRadar