CrashStealer Malware Impersonates Apple Tool to Steal Mac Passwords and Crypto
Mac users should watch out for macOS malware called CrashStealer, according to Jamf Threat Labs. The malware impersonates Apple's crash reporting framework, and it's meant to steal all kinds of sensitive information. CrashStealer collects browser data, password manager data, cryptocurrency wallet extensions, and keychain data, and Jamf first noticed it circulating in a fake Apple-notarized app called Werkbit. With notarization, the malware is not stopped by Gatekeeper, which is part of the macOS security system. It targets more than 80 cryptocurrency wallet extensions, and 14 password managers like 1Password, LastPass, and Dashlane. It searches through the Document and Downloads folders to look for information worth collecting. The app looks legitimate and uses a typical macOS install procedure for software downloaded through the web, with the process detailed on Jamf's website. A fake CrashReporter.app is downloaded through Werkbit, and it's meant to impersonate Apple's own crash reporter. A user clicking on the app would likely see it as a legitimate Apple utility. It requests full disk access "for system administration," and uses a native password prompt that looks like a genuine macOS authorization request. The password entered is used to access the login keychain. Data collected is encrypted with AES–256-GCM through Apple's CommonCrypto and sent to the attacker's IP address. Jamf says the way CrashStealer was implemented "shows real care," with the concealment steps setting it apart from standard infostealers. The malware was reported to Apple after first being spotted in May and found actively in use in July. Apple revoked the Werkbit app's signing credentials, so the specific attack vector outlined by Jamf has been disabled, but the malware could surface again. The original version was gated behind a PIN required for installation, suggesting it was aimed at specific people. Apple's notarization system is meant to protect Mac users from malware, and Apple says that notarized apps are checked for malicious components. CrashStealer makes it clear there are methods for hiding malware from Apple's security process. When downloading software, users can protect themselves from CrashStealer by being aware that Apple's crash reporter is built-in. Any download that uses CrashReporter is a red flag, as is an app that asks for a system password right when it's launched.Tag: MalwareThis article, "CrashStealer Malware Impersonates Apple Tool to Steal Mac Passwords and Crypto" first appeared on MacRumors.comDiscuss this article in our forums