CrashStealer Malware Poses As Apple Crash Reporter To Hijack Macs
CrashStealer is capable of skirting past macOS security features. To get past the macOS Gatekeeper, the dropper carries a valid developer ID in addition to a notarization ticket that enables it to launch without raising any security flags. The dropper then signs the payload, which is downloaded from the attacker’s infrastructure, to continue bypassing security checks.
Once the payload is downloaded it masquerades as the macOS Crash Reporter, which presents users with various error messages. These messages request administrator credentials in order to fix whatever issue a user might be experiencing, which the malware then uses to begin pilfering valuable user data.
It also goes to great lengths to deceive users during its installation too. It's disguised at a legitimate application, and its install flow looks professional, including well designed graphics and step-by-step instructions on how to properly install it. This includes notifying users to carry out a few extra steps to ensure that it slides by Gatekeeper undetected.

CrashStealer snatches a wide variety of data from a compromised system. It targets the operating system’s keychain database, browser data including cryptocurrency wallet extensions, and searches the systems for popular password managers such as 1Password, LastPass, Bitwarden and NordPass, though it deliberately skips over larger data files like pictures and movies to minimize the size of the data it exfiltrates.
This new malware is further proof that macOS users should be more concerned about security, and need to be cautious when installing applications that are obtained from outside the macOS App Store.