A new macOS infostealer dubbed “CrashStealer” poses as the system’s own crash reporter to trick users and steal credentials, Jamf reported Monday.The malware, written in C++, gains initial access when the user installs a dropper called “Werkbit,” which is disguised as a video conferencing platform. Social media users have previously reported being asked to install Werkbit to attend interviews for dubious work opportunities.The Werkbit Setup disk image contains the Werkbit.app application bundle, which is code signed and notarized, allowing it to execute without triggering macOS’ Gatekeeper. The binary is noted to be signed using the Developer ID “Emil Grigorov (WWB7JA7AQV)”.A window displaying supposed setup instructions appears when the Werkbit Setup image gets mounted, instructing the user to launch the application. Once Werkbit.app gets opened, an executable called veltod fetches a file from GitHub containing a curl command that the dropper then runs to retrieve a shell script from the attacker’s domain.This script fetches the final CrashStealer payload image, which is saved in /tmp as CrashReporter.dmg. After the image gets mounted, the downloader script copies another app bundle from the image and copies it to a hidden directory at /private/tmp/,CrashReporter before detaching the image and deleting the original .dmg, Jamf described. The script also removes CrashStealer’s signature, re-signs it, registers it with Launch Services and ultimately launches it in the background.The CrashReporter.app payload was specifically designed to impersonate Apple’s own crash reporter component, including by using the bundle identifier com.apple.crashreporter and imitating its icon. An Info.plist file included in the app bundle includes Transparency, Consent, and Control (TCC) usage-description strings revealing intention for CrashStealer to access file directories and system privileges; when prompted, a user may believe these requests are coming from legitimate system utilities due to the use of the “CrashReporter” name.“CrashStealer shouldn’t be treated as just another Mac malware story. It’s an identity and access problem. By impersonating a trusted Apple crash-reporting flow, the malware is designed to get users to hand over the credentials, keychain data, and session material attackers need to move beyond the endpoint,” noted Piyush Sharma, CEO and co-founder of Tuskira, in comments to SC Media.CrashStealer begins its credentials and info theft by prompting the user for their password, which is validated and leveraged to unlock Keychain and steal browser data, cryptocurrency wallet details, data from third-party password managers and files from Downloads and Documents folders. The malware checks processes against an embedded list of malware analysis and endpoint security tools before proceeding with collection.The infostealer targets Chromium browser data, about 80 cryptocurrency wallet extensions including MetaMask, Phantom and Coinbase, and 14 password managers including 1Password, Bitwarden and LastPass. For file theft, it recursively walks user directories while excluding large, low-value files such as caches, logs, executables, libraries, installers, archives and videos.“For enterprise teams, you need to know which Macs are infected, but the question that should be asked is: ‘What identities, SaaS apps, cloud roles, code repositories, and production systems could those stolen credentials reach?’,” Sharma said.The harvested data gets encrypted using AES-256-GCM via Apple’s CommonCrypto, with a 32-byte key derived from a passphrase and hard-coded salt with PBKDF2-HMAC-SHA256 over 10,000 iterations. The harvested and encrypted data gets staged at ~/.cache/com.apple.crashreporter/ in individual .cache files with separate staging directories for each targeted data source.Prior to exfiltration, each stage directory is compressed into a ZIP archive with the naming convention “.zx_[eight random hexadecimal characters].zip”. The archives are exfiltrated using libcurl to the command-and-control (C2) endpoint 179.43.166.242.While CrashStealer uses a signed and notarized dropper to circumvent Gatekeeper and employs other evasion measures such as checks for endpoint security processes and debuggers, Jamf notes several key detection opportunities including:“Organizations need to test whether existing controls would detect or block the same path, and continuously validate which identities and systems are reachable if a credential is stolen again,” Sharma said.
- Ad-hoc resigning of the CrashReporter payload by the downloader script.
- Execution of the application bundle from the hidden /private/tmp path.
- Connection to the GitHub repository mgothiclove/pkeys and the payload delivery server at “endpoint-api-v1[.]com.”
- Spawning of the dscl process to verify the user’s password.
- Use of the “.zx_” prefix for stolen data archives, which remain under the ~/.cache/com.apple.crashreporter/ after exfiltration.



