Exclusive Student Offer

Prime for Young Adults

Get a 6-month trial with premium college perks & fast delivery.

Start Free Trial
Listen Anywhere

Audible Standard Trial

Get 30 days of audiobooks free. Cancel anytime, keep your books.

Claim Free Books

Understanding CrashStealer: The New macOS Malware

Recently, a new type of macOS malware called “CrashStealer” has emerged, disguising itself as Apple’s legitimate CrashReporter tool. This information comes from the security team of Jamf, a specialist in mobile device management. Unlike traditional malware, CrashStealer acts as an infostealer, attempting to extract sensitive information such as data from widely-used password managers, the Apple Keychain, and cryptocurrency wallet information on Macs. It even contains a built-in search routine to scour documents and downloads folders for “interesting” files, as noted by Jamf.

How CrashStealer Operates

The developers of CrashStealer employ sophisticated techniques to carry out their malicious activities. After encrypting the stolen files using AES-GCM encryption, they exfiltrate this information to a command-and-control (C&C) server via libcurl. Such methods echo other well-known macOS infostealers like Atomic, but the native C++ implementation and client-side encryption distinguish CrashStealer as a unique malware family.

The malware initially surfaced in a web-distributed application named Werkbit, marketed as a meeting tool but unrelated to a similarly named German software tailored for small to medium enterprises. Initially, the fake Werkbit app held an Apple certificate; however, this Developer Team ID has since been deactivated by Apple after Jamf reported the threat.

Evasion Tactics of the Installer

Unfortunately, incidents of malware sporting legitimate developer IDs are not uncommon. This means that when the software is executed, there’s no warning for the user. The installer does its best to circumvent Gatekeeper verification as well, employing social engineering techniques. It tries to persuade users to run the app through a right-click method—a tactic Apple is gradually closing in on. However, in CrashStealer’s case, this measure was unnecessary, given the already existing certificate.

Targeting Specific Individuals

To further access sensitive information, CrashStealer installs a counterfeit CrashReporter application that mimics Apple’s true CrashReporter, which appears during system crashes. The first time this fake application is launched, it prompts the user to grant full SSD access and enter an administrator password. Once these permissions are granted, it proceeds to access the user’s keychain and the theft of sensitive information begins.

Jamf has expressed concerns that this malware is particularly “sneaky” in its implementation, making it harder to detect compared to regular infostealers. The first indications of its presence began circulating in May, with Jamf discovering active installations as late as July.

Distribution Channels and Infection Process

Information regarding the precise distribution methods is scarce. However, it is plausible that this application was intended for targeted attacks against specific individuals. The counterfeit Werkbit application required a “Meeting ID” in the form of a PIN before installation could begin. The infection process likely unfolded as follows: a victim receives a meeting invite complete with a PIN, leading them to download the app, after which the data theft ensues.

Conclusion

CrashStealer exemplifies the evolving landscape of malware and its ability to impersonate trusted software to deceive users. With increasingly sophisticated tactics, it emphasizes the importance of vigilance when downloading applications and sharing sensitive information. Users must remain cautious and maintain updated security protocols to guard against such threats.

Get Audible 30-Day Free Trial

As an Amazon Associate, we earn from qualifying purchases.