Cybersecurity researchers at Jamf Threat Labs have uncovered a new macOS information stealer named CrashStealer, which uses a signed and Apple-notarized dropper to bypass Gatekeeper checks. The malware is distributed via a disk image named ‘Werkbit.app’ from the domain ‘werkbit[.]io’, gated behind a meeting PIN to limit exposure. Once executed, it retrieves a shell script from a GitHub repository, downloads the main payload ‘CrashReporter.dmg’, and establishes persistence as a LaunchAgent.
CrashStealer is implemented in native C++ and validates the victim’s login password locally before harvesting data. It collects credentials from Chromium-family browsers (Chrome, Brave, Edge, Opera, Vivaldi, etc.), roughly 80 cryptocurrency wallet extensions (MetaMask, Phantom, Coinbase, Trust Wallet, Rabby, OKX Wallet, Exodus, Keplr, Solflare, Backpack), 14 password managers (1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass, RoboForm), and files from ~/Documents and ~/Downloads directories. The stolen data is encrypted with AES-GCM and exfiltrated via libcurl to an attacker-controlled server at 179.43.166[.]242.
The malware also lists installed security and analysis tools, resists analysis through control-flow flattening, encrypted strings, and anti-debugging techniques. The discovery of additional domains and shared backend infrastructure suggests CrashStealer is part of a larger, multi-platform campaign.
Malware: CrashStealer
Companies: Jamf
Original source: thehackernews.com