CrashStealer macOS Malware Uses Apple Notarized Dropper to Bypass Gatekeeper and Steal Sensitive Data

CrashStealer macOS Malware Uses Apple Notarized Dropper to Bypass Gatekeeper and Steal Sensitive Data

Cybersecurity researchers have identified a new macOS information stealing malware named CrashStealer that uses an Apple notarized installer to bypass built in Gatekeeper security checks before collecting sensitive information from compromised devices. The malware was discovered by Jamf Threat Labs, which noted that CrashStealer differs from many existing macOS information stealers because it is written in native C++ rather than relying on AppleScript droppers or Objective C wrappers. According to the researchers, the malware validates a victim’s login password locally before harvesting data, gathers information from browsers, cryptocurrency wallets, password managers, and the macOS keychain, encrypts the stolen information using AES GCM encryption before transmitting it through libcurl, and maintains persistence by copying and re signing itself on the infected system. Researchers believe the malware demonstrates a more advanced approach to data theft while remaining focused on credential collection and financial information.

The infection begins through a signed and Apple notarized application distributed as a disk image named “Werkbit.app.” Because both the disk image and its executable carry a valid Apple developer ID registered under Emil Grigorov (WWB7JA7AQV), the installer successfully passes Gatekeeper verification, making it appear trustworthy to users. Researchers traced the distribution to the domain “werkbit.io,” which was registered in June 2026. Access to the installer is restricted through a meeting PIN requirement, meaning only visitors with the correct code can download the application. Jamf Threat Labs said this delivery method suggests a more controlled distribution process compared to typical mass malware campaigns. Further investigation also uncovered additional domains and shared backend infrastructure connected to the same operation, indicating that CrashStealer may be part of a broader campaign targeting multiple operating systems. After the disk image is mounted, users are instructed to manually right click the application and choose the Open option to launch it. Once executed, the embedded executable named “veltod” contacts a GitHub repository to retrieve a file called “sys.cache,” which contains instructions used to download a shell script that stages the next malware payload, “CrashReporter.dmg,” into the temporary directory.

After installation, CrashStealer establishes persistence by creating a LaunchAgent, allowing it to automatically run whenever the system starts. The malware also includes several techniques designed to resist analysis while presenting victims with a password prompt that validates their login credentials locally. Once the correct password is entered, CrashStealer unlocks the macOS login keychain and proceeds to gather information from across the device. Researchers found that the malware targets credentials stored in Chromium based browsers including Google Chrome, Brave, Microsoft Edge, Opera, Opera GX, Vivaldi, Chromium, and Naver Whale. It also searches for approximately 80 cryptocurrency wallet extensions, including MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Rabby, OKX Wallet, Exodus, Keplr, Solflare, and Backpack. In addition, CrashStealer extracts information from 14 password management applications such as 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass, and RoboForm. The malware also copies files from the user’s Documents and Downloads folders before packaging all harvested information into a ZIP archive for transmission to an attacker controlled server.

Jamf Threat Labs said the malware’s delivery process demonstrates careful planning because it combines a signed and notarized installer with a staged payload that quietly downloads, re signs, and launches the main malware after bypassing Apple’s security protections. While the types of information collected are similar to those targeted by other information stealers, researchers noted that CrashStealer distinguishes itself through its implementation and defensive capabilities. The malware encrypts stolen information on the victim’s device using AES GCM before sending it to its command server, making intercepted data more difficult to analyze. It also incorporates multiple analysis resistance techniques, including encrypted strings, control flow flattening, and layered anti debugging mechanisms that complicate reverse engineering efforts by security researchers. According to Jamf Threat Labs, these technical features, combined with its notarized delivery chain and broad credential harvesting capabilities, make CrashStealer a notable addition to the growing landscape of macOS focused cyber threats and highlight the continued evolution of malware designed to evade platform security controls while targeting sensitive personal and financial information.

Source

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.

Post Comment