A new macOS information-stealing malware called CrashStealer pretends to be Apple's crash-reporting tool to steal credentials, keychain data, and crypto wallets.
Malware researchers started tracking the malware in May, when it appeared to still be in development, but observed it being used in attacks in early July.
CrashStealer has a typical infostealer capability set that seems to focus on password managers and more than 80 crypto wallet extensions.
Notarized malware dropper
The CrashStealer infostealer's binary impersonates Apple's system component by taking the name ‘CrashReporter.app,’ in an attempt to evade users’ scrutiny and potentially security tools.
Besides the name, the malware also creates a LaunchAgent named ‘com.apple.crashreporter.helper’ and uses the legitimate tool’s icon and metadata to resemble the legitimate tool as much as possible.
According to researchers at Jamf, a company that offers management and security solutions for Apple devices, the payload is delivered via a signed and Apple-notarized installer (“Werkbit Setup”).
This allows it to bypass Gatekeeper, the built-in anti-malware on macOS, without any warnings.
The signed dropper
Source: Jamf Labs
... continue reading