CrashStealer Malware Impersonates Apple Tool to Steal Mac Passwords and Crypto

6 hours ago 2
Mac users should ticker retired for macOS malware called CrashStealer, according to Jamf Threat Labs. The malware impersonates Apple's clang reporting framework, and it's meant to bargain each kinds of delicate information.


CrashStealer collects browser data, password manager data, cryptocurrency wallet extensions, and keychain data, and Jamf archetypal noticed it circulating successful a fake Apple-notarized app called Werkbit. With notarization, the malware is not stopped by Gatekeeper, which is portion of the macOS information system.

It targets much than 80 cryptocurrency wallet extensions, and 14 password managers similar 1Password, LastPass, and Dashlane. It searches done the Document and Downloads folders to look for accusation worthy collecting.

The app looks morganatic and uses a emblematic macOS instal process for bundle downloaded done the web, with the process detailed connected Jamf's website. A fake CrashReporter.app is downloaded done Werkbit, and it's meant to impersonate Apple's ain clang reporter. A idiosyncratic clicking connected the app would apt spot it arsenic a morganatic Apple utility.

It requests afloat disk entree "for strategy administration," and uses a autochthonal password punctual that looks similar a genuine macOS authorization request. The password entered is utilized to entree the login keychain. Data collected is encrypted with AES–256-GCM done Apple's CommonCrypto and sent to the attacker's IP address.

Jamf says the mode CrashStealer was implemented "shows existent care," with the concealment steps mounting it isolated from modular infostealers. The malware was reported to Apple aft archetypal being spotted successful May and recovered actively successful usage successful July.

Apple revoked the Werkbit app's signing credentials, truthful the circumstantial onslaught vector outlined by Jamf has been disabled, but the malware could aboveground again. The archetypal mentation was gated down a PIN required for installation, suggesting it was aimed astatine circumstantial people.

Apple's notarization system is meant to support Mac users from malware, and Apple says that notarized apps are checked for malicious components. CrashStealer makes it wide determination are methods for hiding malware from Apple's information process.

When downloading software, users tin support themselves from CrashStealer by being alert that Apple's clang newsman is built-in. Any download that uses CrashReporter is simply a reddish flag, arsenic is an app that asks for a strategy password close erstwhile it's launched.
Tag: Malware

This article, "CrashStealer Malware Impersonates Apple Tool to Steal Mac Passwords and Crypto" archetypal appeared connected MacRumors.com

Discuss this article successful our forums

Read Entire Article