New macOS malware steals passwords by posing as Apple’s crash-reporting tool

New macOS malware steals passwords by posing as Apple's crash-reporting tool

Jamf Threat Labs has uncovered a new macOS infostealer named CrashStealer that disguises itself as Apple’s crash-reporting tool to steal passwords, Keychain data, and cryptocurrency wallets.

The malware was first spotted in May while it was still under development. By early July, Jamf was seeing in-the-wild detections, indicating it had moved into active use.

“Unlike much of the commodity stealer activity on macOS, which is built on AppleScript droppers or thin Objective-C wrappers, CrashStealer is implemented in native C++ around an internal class the authors named MacOSData,” the researchers wrote.

“It validates the victim’s login password locally before harvesting, collects broadly across browsers, cryptocurrency wallets, password managers and the Keychain, encrypts what it collects with AES-GCM before exfiltrating over libcurl, and persists by copying and re-signing itself.”

Signed installer starts the attack

The attack starts with a disk image named “Werkbit Setup.” When opened, it mounts a volume containing a single application, Werkbit.app. Its executable, named veltod, launches the next stage of the infection.

CrashStealer macOS infostealer

Werkbit Setup (Source: Jamf)

The dropper is a universal binary signed with the Developer ID “Emil Grigorov (WWB7JA7AQV)” and carries a stapled notarization ticket. This lets it pass Gatekeeper, macOS’s built-in protection against untrusted software, on first launch.

“Notably, the disk image itself is signed as well, not just the application inside it, which is uncommon in malicious DMG delivery where the container is typically left unsigned,” they added.

Jamf reported the Developer Team ID behind the signature to Apple after confirming its use in the campaign.

The installer was hosted on werkbit[.]io, a domain registered in late June, close to the build date of the dropper analyzed. Downloading it requires a meeting PIN, limiting access to people who already have the code. The report links the activity to other domains and shared infrastructure, indicating CrashStealer is one piece of a broader operation.

GitHub delivers the next stage

After launch, the veltod executable contacts a GitHub repository and downloads a file that supplies a command to fetch a script from a separate server. The script decodes its commands at runtime before downloading the next stage.

The script downloads CrashReporter.dmg, mounts it, and copies the application bundle into a hidden folder before deleting the disk image. The payload uses the icon, display name, and bundle identifier of Apple’s crash-reporting component to resemble a system utility.

Malware targets passwords, browsers, and cryptocurrency wallets

CrashStealer displays a password prompt designed to look like a macOS system dialog. It checks the password locally with the dscl command, a built-in macOS tool used to verify user credentials, and asks again if the password is wrong.

After receiving the correct password, the infostealer unlocks the login Keychain and copies it into a hidden staging folder. It also collects data from Documents, Downloads, and other user folders, skipping executables, installers, disk images, and bulky archive or media files to limit the amount of data collected.

It also targets Chromium browser profiles, Firefox login data, about 80 cryptocurrency wallet extensions such as MetaMask, Phantom, Coinbase Wallet, Trust Wallet, and Exodus, as well as 14 password managers, among them 1Password, Bitwarden, LastPass, Dashlane, and Keeper.

Collected files are encrypted one by one with AES-256-GCM before being stored, then packed into hidden ZIP archives and uploaded to a command-and-control server with libcurl, a networking library commonly used to transfer data over HTTP and HTTPS.

Although CrashStealer targets the same types of data as other macOS infostealers, its native C++ implementation and client-side encryption set it apart, leading the researchers to classify it as a separate malware family.

Persistence and anti-analysis

CrashStealer copies itself to another location and applies a new ad hoc signature to the copied binary. It installs the copy as a LaunchAgent named “com.apple.crashreporter.helper,” allowing it to run each time the user logs in.

The malware also includes code designed to slow analysis, with flattened control flow, strings decrypted only at runtime, and debugger checks placed at more than one point during startup.

Jamf’s report provides indicators of compromise, file names and hashes, delivery infrastructure details, and filesystem artifacts left behind after an infection.

Leave a Reply