- Jamf researchers uncover “CrashStealer,” a notarized macOS infostealer disguised as Apple’s CrashReporter
- Distributed via a fake site called “Werkbit Setup”, it bypasses Gatekeeper, installs a LaunchAgent
- It then uses a fake password prompt to unlock Keychain, exfiltrating credentials, cookies, files, and data from 80 crypto wallets and 14 password managers
A new macOS infostealer has been spotted in the wild, masquerading as an Apple crash reporting tool, experts have warned.
Called CrashStealer, this C++ infostealer was designed to nab login credentials, keychain information, as well as data related to more than 80 cryptocurrency wallets.
Cybersecurity researchers Jamf published an in-depth report on the malware, noting CrashStealer is most likely distributed via a fake software site that was only registered recently.
Unlocking Keychain
Victims who land on the site (either via a social media recommendation or search engine results) need to know the PIN code before initiating the download. This was most likely done to avoid analyst scrutiny, as well as to increase perceived credibility and a sense of exclusivity.
Usually, apps downloaded from third-party sources are scanned by Gatekeeper, Apple’s built-in security system. However, Jamf says that this payload is delivered via a signed and Apple-notarized installer and distributed as a disk image named “Werkbit Setup”, which allowed it to bypass Gatekeeper without any warnings.
Those that download and run the program will get a binary named ‘CrashReporter.app’, which will create a LaunchAgent (‘com.apple.crashreporter.helper’), and will see a fake macOS password prompt.
That prompt unlocks the user’s Keychain where most of their secrets are stored (passwords, private cryptographic keys, and more) and then exfiltrates all information to a third-party server.
Besides Keychain data, the CrashReporter malware also pulls browser credentials and cookies from most browsers, data from 80 cryptocurrency wallet extensions, 14 password managers, locally stored files, and more.
Jamf said CrashReporter overlaps, to some extent, with other known infostealers (AMOS, for example), but is still unique enough given its client-side encryption mechanism, as well as the native C++ implementation.

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
