Particle.news
Download on the App Store

CrashStealer Uses Notarized macOS Dropper to Steal Keychain and Wallet Data

Researchers found the malware abuses a signed, Apple‑notarized installer to bypass Gatekeeper and then harvest credentials by impersonating Apple’s crash reporter, signaling a precise, evolving campaign.

Overview

  • Jamf Threat Labs published a technical analysis in mid‑July detailing CrashStealer after researchers observed development samples in May and in‑the‑wild activity by early July.
  • The attack begins with a disk image called “Werkbit Setup” that is signed and notarized so it clears Gatekeeper on first launch and is served from a PIN‑gated site to limit access.
  • Once run, the payload impersonates CrashReporter.app, shows a native password prompt that validates the password with the dscl tool, and uses that password to unlock and copy the user’s login Keychain.
  • CrashStealer collects browser credentials and cookies, about 80 cryptocurrency wallet extensions, 14 password managers, and user files, then encrypts each item with AES‑256‑GCM, bundles them into hidden .zx_*.zip archives, and uploads them to attacker C2 infrastructure.
  • Apple revoked the developer credentials used to notarize the dropper after being notified, researchers published IOCs and hunting artifacts, and defenders are advised to isolate any Mac where the prompt was answered, change exposed passwords from trusted devices, inspect privacy permissions and login items, and consider reinstalling macOS.