Apple: This new macOS infostealer poses as an Apple crash reporting tool to try and steal all your valuable data

Apple: This new macOS infostealer poses as an Apple crash reporting tool to try and steal all your valuable data

New macOS Infostealer "CrashStealer" Bypasses Gatekeeper, Targets Keychain and Crypto Wallets

Researchers at Jamf have identified a sophisticated macOS infostealer, dubbed CrashStealer, disguised as Apple’s legitimate CrashReporter tool. The malware, written in C++, is distributed via a fake website called "Werkbit Setup" and leverages an Apple-notarized installer to evade Gatekeeper, Apple’s built-in security mechanism.

Once executed, the malware deploys a LaunchAgent (com.apple.crashreporter.helper) and triggers a fake macOS password prompt to unlock the victim’s Keychain, exfiltrating stored credentials, cryptographic keys, and other sensitive data. CrashStealer also targets browser credentials and cookies, 80 cryptocurrency wallet extensions, and 14 password managers, along with locally stored files.

The fake "Werkbit Setup" site requires a PIN code for downloads, likely to avoid detection by security analysts and create a false sense of exclusivity. While Jamf notes similarities to other macOS infostealers like AMOS, CrashStealer stands out due to its client-side encryption and native C++ implementation.

The discovery highlights the growing threat of notarized malware on macOS, which can bypass traditional security checks while harvesting sensitive data from unsuspecting users.

Source: https://www.techradar.com/pro/security/this-new-macos-infostealer-poses-as-an-apple-crash-reporting-tool-to-try-and-steal-all-your-valuable-data

Apple TPRM report: https://www.rankiteo.com/company/apple

"id": "app1784046246",
"linkid": "apple",
"type": "Cyber Attack",
"date": "7/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'type': 'Individual users'}],
 'attack_vector': 'Malicious installer (Apple-notarized)',
 'data_breach': {'data_encryption': 'Client-side encryption',
                 'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Credentials',
                                              'Cryptographic keys',
                                              'Browser cookies',
                                              'Cryptocurrency wallet data',
                                              'Password manager data',
                                              'Locally stored files']},
 'description': 'Researchers at Jamf have identified a sophisticated macOS '
                'infostealer, dubbed CrashStealer, disguised as Apple’s '
                'legitimate CrashReporter tool. The malware, written in C++, '
                "is distributed via a fake website called 'Werkbit Setup' and "
                'leverages an Apple-notarized installer to evade Gatekeeper. '
                'Once executed, the malware deploys a LaunchAgent and triggers '
                'a fake macOS password prompt to unlock the victim’s Keychain, '
                'exfiltrating stored credentials, cryptographic keys, and '
                'other sensitive data. CrashStealer also targets browser '
                'credentials and cookies, 80 cryptocurrency wallet extensions, '
                'and 14 password managers, along with locally stored files. '
                "The fake 'Werkbit Setup' site requires a PIN code for "
                'downloads, likely to avoid detection by security analysts. '
                'The discovery highlights the growing threat of notarized '
                'malware on macOS.',
 'impact': {'data_compromised': 'Credentials, cryptographic keys, browser '
                                'cookies, cryptocurrency wallet data, password '
                                'manager data, locally stored files',
            'identity_theft_risk': 'High',
            'payment_information_risk': 'High',
            'systems_affected': 'macOS systems'},
 'initial_access_broker': {'entry_point': "Fake 'Werkbit Setup' website"},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Growing threat of notarized malware on macOS; need for '
                    'enhanced security measures to detect and prevent '
                    'infostealers bypassing Gatekeeper.',
 'motivation': 'Data theft, financial gain',
 'post_incident_analysis': {'root_causes': 'Apple-notarized malicious '
                                           'installer bypassing Gatekeeper; '
                                           'fake password prompt to access '
                                           'Keychain'},
 'recommendations': 'Users should verify the legitimacy of installers, avoid '
                    'downloading software from untrusted sources, and monitor '
                    'Keychain access prompts. Organizations should implement '
                    'additional security layers to detect notarized malware.',
 'references': [{'source': 'Jamf'}],
 'response': {'third_party_assistance': 'Jamf (researchers)'},
 'title': "New macOS Infostealer 'CrashStealer' Bypasses Gatekeeper, Targets "
          'Keychain and Crypto Wallets',
 'type': 'Infostealer',
 'vulnerability_exploited': 'Gatekeeper bypass via notarized malware'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.