• Home
  • Apps
  • Mac
  • macOS
  • News
  • New Infostealer Malware Disguises Itself as Apple Tool, Steals Mac Passwords and Crypto

New Infostealer Malware Disguises Itself as Apple Tool, Steals Mac Passwords and Crypto

New Infostealer Malware Disguises Itself as Apple Tool, Steals Mac Passwords and Crypto

Mac users will want to be aware for a new macOS infostealer malware called CrashStealer, according to Jamf Threat Labs. The malware poses as Apple’s crash reporting framework, and steals loads of personal information if set loose on your Mac.

CrashStealer gleans password manager data, browser data, keychain data, cryptocurrency wallet extensions, and more. Jamf says it first discovered the malware in a fake Apple-notarized app called Werkbit. Since the app appears to be notarized, Gatekeeper does not block it. Gatekeeper is an important part of the macOS security system.

The bad guy developed code targets over 80 cryptocurrency wallet extensions, searches through the Document and Downloads folders, and also targets 14 password managers like 1Password, LastPass, and Dashlane.

The app looks legitimate and uses a typical macOS install procedure for software downloaded through the web, with the process detailed on Jamf’s website.

Unlike much of the commodity stealer activity on macOS, which is built on AppleScript droppers or thin Objective-C wrappers, CrashStealer is implemented in native C++ around an internal class the authors named MacOSData. It validates the victim’s login password locally before harvesting, collects broadly across browsers, cryptocurrency wallets, password managers and the keychain, encrypts what it collects with AES-GCM before exfiltrating over libcurl, and persists by copying and re-signing itself. Although its objectives overlap with families such as Atomic (AMOS), MacSync and Phexia, its native C++ implementation and client-side encryption set it apart, and we track it as a distinct family rather than a variant.

Jamf says the way CrashStealer was implemented “shows real care,” with the concealment steps setting it apart from standard infostealers. Jamf reported the malware to Apple after first being spotted in May and found actively in use in July.

Apple has since revoked the Werkbit app’s signing credentials, so the specific attack vector outlined by Jamf has been disabled, although the malware could be modified and resurface. The original version was gated behind a PIN that was required for installation, indicating it had a specific customer target group.

For more information about this malware, visit the Jamf website.