- CrashStealer is a newly discovered macOS infostealer disguised as Apple’s CrashReporter application.
- The malware is distributed through a fake Werkbit Setup website using an Apple notarized installer that bypasses Gatekeeper.
- It steals Keychain data, browser credentials, cookies, files, information from over 80 crypto wallets, and 14 password managers.
- Researchers say its native C++ design and client side encryption make it a distinct and sophisticated macOS threat.
A newly discovered macOS infostealer named CrashStealer is raising fresh concerns for Apple users after researchers found it masquerading as a legitimate Apple crash reporting application. Unlike many common malware campaigns that are quickly blocked by macOS security features, this threat arrives through a signed and Apple notarized installer, allowing it to bypass Gatekeeper without triggering the usual security warnings.
Security researchers at Jamf uncovered the malware and found that it is being distributed through a fake software website known as Werkbit Setup. The website appears to be relatively new and includes an unusual requirement before users can download the installer. Visitors must enter a PIN code, a tactic that likely serves two purposes. It makes the software appear exclusive while also reducing the chances of automated security researchers and analysts examining the malware.
Once users complete the download and launch the application, they unknowingly activate a carefully designed attack chain that gives cybercriminals access to some of the most valuable information stored on their Macs.
Fake Apple prompts trick users into handing over sensitive credentials
After installation, victims are presented with what looks like a genuine macOS password prompt. The application is named CrashReporter.app, making it appear similar to Apple’s legitimate crash reporting service. This familiar appearance increases the likelihood that users will trust the request and enter their system password without suspicion.
The password is not simply used to authorize the application. Instead, it enables the malware to unlock the macOS Keychain, Apple’s secure password management system that stores login credentials, certificates, encryption keys, and other confidential information.
Researchers found that the malware also creates a LaunchAgent named com.apple.crashreporter.helper, allowing it to maintain persistence on the infected device. This means the malicious software can continue running even after the system restarts, making it harder for users to notice or remove.
Once access is established, the malware quietly gathers stored credentials and other valuable data before transmitting everything to an external server controlled by the attackers.
CrashStealer targets browsers, password managers, crypto wallets, and files
CrashStealer is not limited to stealing passwords from Apple’s Keychain. Researchers found that it collects a broad range of information from multiple sources across the system.
Among its primary targets are browser stored usernames, passwords, cookies, and session data that could potentially allow attackers to hijack online accounts without needing login credentials again.
The malware also specifically searches for information linked to more than 80 cryptocurrency wallet extensions, highlighting the growing interest cybercriminals have in digital assets. In addition, it attempts to extract information from 14 password managers, potentially exposing credentials stored across multiple services.
Beyond account information, CrashStealer scans for locally stored files that may contain financial documents, personal records, or other valuable information. This wide ranging collection strategy makes the malware particularly dangerous because a single infection can expose both personal and financial data in one attack.
What makes CrashStealer different from previous macOS infostealers
Researchers noted that CrashStealer shares some characteristics with previously identified macOS threats such as AMOS. However, it also introduces several unique features that distinguish it from existing malware families.
One notable difference is its native C++ implementation, which may improve performance while making analysis more difficult. Jamf researchers also highlighted the malware’s client side encryption mechanism, suggesting that stolen information is encrypted before being transmitted to attacker controlled infrastructure.
Perhaps the most concerning aspect is its use of an Apple notarized installer. Many Mac users rely on Apple’s security ecosystem as an important layer of defense against malicious software. Because the installer is properly signed and notarized, the malware can bypass one of macOS’s primary security checks, creating a false sense of trust for unsuspecting users.
The campaign also demonstrates how attackers continue to refine social engineering techniques rather than relying solely on technical exploits. By presenting familiar Apple branding and convincing password prompts, cybercriminals increase the likelihood that victims will voluntarily provide the credentials needed to compromise their own systems.
While Apple devices continue to benefit from strong built in security protections, incidents like CrashStealer show that users should remain cautious when downloading software from unofficial sources, even if the installer appears legitimate. Verifying software publishers, avoiding unknown download sites, and treating unexpected password prompts with skepticism remain some of the most effective ways to reduce the risk of compromise.
Follow TechBSB For More Updates
