Cybersecurity experts have identified a novel threat to macOS users in the form of a new information stealer, CrashStealer. This malware is adept at exfiltrating sensitive data from affected devices, posing a significant threat to user security.
CrashStealer’s Unique Implementation
Unlike typical information stealers that leverage AppleScript or Objective-C, CrashStealer is uniquely implemented in native C++. This was disclosed by Jamf Threat Labs, which highlighted the malware’s capability to validate login credentials and collect data from browsers, cryptocurrency wallets, password managers, and keychain services. The stolen data is encrypted using AES-GCM and transmitted using libcurl, ensuring both security and persistence by re-signing itself.
Distribution and Execution Strategy
CrashStealer is disseminated via a notarized dropper, distributed as a disk image file named “Werkbit.app.” This file, along with its binary, carries a valid developer ID, allowing it to bypass macOS Gatekeeper checks. The file originates from the domain “werkbit[.]io,” registered in June 2026, and requires a specific meeting PIN for download, indicating a targeted distribution approach.
Upon mounting, users are prompted to execute the app, leading to the retrieval of a “sys.cache” file from a GitHub repository. This file facilitates further payload delivery by executing a script that downloads and stages an additional component named “CrashReporter.dmg,” stored in the “/tmp” directory.
Data Collection and Security Measures
Once deployed, CrashStealer establishes itself as a LaunchAgent, resisting analysis, and prompting for user credentials. It uses these credentials to access the login keychain, listing installed security tools before extracting data from browsers, cryptocurrency wallets, and password managers.
The malware targets credentials from browsers such as Google Chrome, Brave, and Microsoft Edge, as well as data from approximately 80 cryptocurrency wallet extensions and 14 password managers. The collected information is packaged into a ZIP archive, which is sent to a server controlled by the attacker.
Jamf notes that the sophistication of CrashStealer lies in its execution: it uses client-side AES-GCM encryption, control-flow flattening, encrypted strings, and anti-debugging techniques, setting it apart from other malicious software.
As cybersecurity threats continue to evolve, macOS users are advised to remain vigilant and ensure their systems are protected against such advanced threats. Continuous updates and security awareness are crucial to safeguarding sensitive information from malicious actors.
