Close Menu

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    Microsoft releases Windows 10 KB5099539 extended security update

    July 14, 2026

    Enterprise Asset Management Policy Template for the CIS Controls v8.1 (French)

    July 14, 2026

    Spanish Police take down €140 million cyber fraud ring, arrest four

    July 14, 2026
    Facebook X (Twitter) Instagram
    • Demos
    • Technology
    • Gaming
    • Buy Now
    Facebook X (Twitter) Instagram Pinterest Vimeo
    Canadian Cyber WatchCanadian Cyber Watch
    • Home
    • News
    • Alerts
    • Tips
    • Tools
    • Industry
    • Incidents
    • Events
    • Education
    Subscribe
    Canadian Cyber WatchCanadian Cyber Watch
    Home»News»New CrashStealer malware poses as Apple crash reporting tool
    News

    New CrashStealer malware poses as Apple crash reporting tool

    adminBy adminJuly 14, 2026No Comments3 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email


    New CrashStealer malware poses as Apple crash reporting tool

    A new macOS information-stealing malware called CrashStealer pretends to be Apple’s crash-reporting tool to steal credentials, keychain data, and crypto wallets.

    Malware researchers started tracking the malware in May, when it appeared to still be in development, but observed it being used in attacks in early July.

    CrashStealer has a typical infostealer capability set that seems to focus on password managers and more than 80 crypto wallet extensions.

    image

    Notarized malware dropper

    The CrashStealer infostealer’s binary impersonates Apple’s system component by taking the name ‘CrashReporter.app,’ in an attempt to evade users’ scrutiny and potentially security tools.

    Besides the name, the malware also creates a LaunchAgent named ‘com.apple.crashreporter.helper’ and uses the legitimate tool’s icon and metadata to resemble the legitimate tool as much as possible.

    According to researchers at Jamf, a company that offers management and security solutions for Apple devices, the payload is delivered via a signed and Apple-notarized installer (“Werkbit Setup”).

    This allows it to bypass Gatekeeper, the built-in anti-malware on macOS, without any warnings.

    The signed dropper
    The signed dropper
    Source: Jamf Labs

    When launched, the malware displays a fake macOS password prompt to convince users that they are authorizing a legitimate system operation that requires administrator privileges.

    This password can unlock the user’s Keychain, which contains locally stored secrets and acts as macOS’s encrypted password vault, typically containing Safari logins, Wi-Fi passwords, application passwords, private cryptographic keys, certificates, and tokens.

    Password prompt
    Password prompt
    Source: Jamf Labs

    When the password is provided, the malware validates it locally using ‘dscl’ (Directory Service command-line). If it’s incorrect, CrashStealer returns an authentication error, prompting the user to type it again.

    Apart from keychain data, Jamf’s analysis indicates that CrashStealer also targets the following data:

    • Browser credentials and cookies from Chromium-based browsers and Firefox
    • 80 cryptocurrency wallet extensions, including MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Rabby, Exodus, Keplr, and Solflare
    • 14 password managers, including 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass, and RoboForm
    • Files from user directories such as Documents and Downloads, while intentionally skipping large media files, installers, and system directories

    Before exfiltrating the stolen data, CrashStealer encrypts it using the AES-256-GCM algorithm, an unusually strong method for this type of operation, packages it into hidden ZIP archives, and uploads the compressed data to the command-and-control (C2) server using libcurl.

    Jamf researchers say that despite the overlap in objective with other infostealer families (e.g., Atomic, MacSync and Phexia), CrashStealer is distinct due to its client-side encryption mechanism and its native C++ implementation.

    Jamf did not share details about CrashStealer’s exact initial distribution method, but note that the first-stage payload (Werkbit Setup) is hosted on a fake software site registered in late June.

    Site delivering the CrashStealer loader
    Site delivering the CrashStealer loader
    Source: Jamf Labs

    Downloading the payload is gated behind a meeting PIN, which indicates a campaign limited to visitors who provide the right code.

    Jamf researchers say that the CrashStealer campaign is a careful operation focused on stealth by using a signed and notarized malware dropper and a payload that re-signs itself for persistence.

    The purpose of the re-signing process is to rewrite the code-signature data in the binary, which causes the file to have a different hash despite the code remaining untouched.

    Jamf’s report on CrashStealer shares an extensive set of indicators of compromise that includes the names and hashes for the malicious tools along with details about the delivery infrastructure and filesystem artifacts.


    article image

    Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

    The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

    Get the whitepaper



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleHackers backdoor Jscrambler npm package with infostealer malware
    Next Article US sanctions VPN, malware providers for enabling ransomware attacks
    admin
    • Website

    Related Posts

    News

    Microsoft releases Windows 10 KB5099539 extended security update

    July 14, 2026
    News

    Enterprise Asset Management Policy Template for the CIS Controls v8.1 (French)

    July 14, 2026
    News

    Spanish Police take down €140 million cyber fraud ring, arrest four

    July 14, 2026
    Add A Comment

    Comments are closed.

    Demo
    Top Posts

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202633 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews
    85
    Featured

    Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

    January 15, 2021 Featured
    8.1
    Uncategorized

    A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

    January 15, 2021 Uncategorized
    8.9
    Editor's Picks

    DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

    January 15, 2021 Editor's Picks

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Demo
    Most Popular

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202633 Views
    Our Picks

    Microsoft releases Windows 10 KB5099539 extended security update

    July 14, 2026

    Enterprise Asset Management Policy Template for the CIS Controls v8.1 (French)

    July 14, 2026

    Spanish Police take down €140 million cyber fraud ring, arrest four

    July 14, 2026

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram Pinterest
    • Home
    • Technology
    • Gaming
    • Phones
    • Buy Now
    © 2026 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.