Particle.news
Download on the App Store

Notarized macOS Dropper Lets CrashStealer Bypass Gatekeeper

Researchers warn the signed installer unlocks users' keychains to harvest browser logins, crypto wallet extensions and password manager data before encrypting and exfiltrating it.

Overview

  • Jamf Threat Labs confirmed on Monday that a new macOS infostealer called CrashStealer is delivered by a signed, Apple‑notarized disk image named Werkbit.app that passes Gatekeeper checks.
  • The installer mounts a disk image that prompts users to right‑click Open and runs a staged chain that pulls a downloader from a GitHub repo and fetches a secondary payload named CrashReporter.dmg.
  • CrashStealer prompts for and locally validates the victim's login password to unlock the macOS login keychain, then enumerates installed security tools and collects browser credentials, roughly 80 crypto wallet extensions, 14 password managers and files from Documents and Downloads.
  • Collected data is encrypted client‑side with AESGCM, packaged into hidden ZIPs and exfiltrated to an attacker server at 179.43.166.242 while the malware maintains persistence as a LaunchAgent and uses re‑signing, control‑flow flattening, encrypted strings and anti‑debugging to frustrate analysis.
  • Researchers say the delivery domain werkbit.io, GitHub staging and additional shared backends point to a careful, ongoing campaign that may be broader in scale and possibly multi‑platform, so users and administrators should avoid running unsolicited installers and check notarization details and LaunchAgent entries.