CrashStealer Malware Poses As Apple Crash Reporter To Hijack Macs

macos crashstealer malware hero
Many Mac users believe that they don’t need to worry about security because macOS is more secure and a smaller platform that isn’t worth targeting, but that’s just not true. A new piece of malware, dubbed CrashStealer, was discovered by the researchers at Jamf Threat Labs and it has proven to be a cut above most commodity malware.

CrashStealer is capable of skirting past macOS security features. To get past the macOS Gatekeeper, the dropper carries a valid developer ID in addition to a notarization ticket that enables it to launch without raising any security flags. The dropper then signs the payload, which is downloaded from the attacker’s infrastructure, to continue bypassing security checks.

Once the payload is downloaded it masquerades as the macOS Crash Reporter, which presents users with various error messages. These messages request administrator credentials in order to fix whatever issue a user might be experiencing, which the malware then uses to begin pilfering valuable user data.

It also goes to great lengths to deceive users during its installation too. It's disguised at a legitimate application, and its install flow looks professional, including well designed graphics and step-by-step instructions on how to properly install it. This includes notifying users to carry out a few extra steps to ensure that it slides by Gatekeeper undetected.

macos crashstealer malware body

CrashStealer snatches a wide variety of data from a compromised system. It targets the operating system’s keychain database, browser data including cryptocurrency wallet extensions, and searches the systems for popular password managers such as 1Password, LastPass, Bitwarden and NordPass, though it deliberately skips over larger data files like pictures and movies to minimize the size of the data it exfiltrates.

This new malware is further proof that macOS users should be more concerned about security, and need to be cautious when installing applications that are obtained from outside the macOS App Store.
Alan Velasco

Alan Velasco

When Alan isn’t watching his favorite streamers on Twitch he’s writing about tech, gaming and cybersecurity.
 
Opinions and content posted by HotHardware contributors are their own.