CrashStealer is a new macOS information-stealing malware that disguises itself as Apple’s CrashReporter.app to harvest credentials, Keychain data, and crypto wallet information. It spreads through a signed, notarized installer and uses a fake password prompt plus strong client-side encryption before exfiltrating stolen data. #CrashStealer #CrashReporter.app #WerkbitSetup #Jamf
Keypoints
- CrashStealer pretends to be Apple’s CrashReporter.app to avoid suspicion.
- It is delivered through a signed and notarized installer called Werkbit Setup.
- A fake macOS password prompt is used to steal Keychain access.
- The malware targets browsers, password managers, and more than 80 crypto wallet extensions.
- Stolen data is encrypted with AES-256-GCM and sent to a command-and-control server.