A new macOS information-stealing malware called CrashStealer has been discovered, posing as Apple’s crash reporting tool to steal credentials, keychain data, and crypto wallets. The malware, which was first tracked in May while still in development, has been used in attacks since early July.
### Malware Capabilities
CrashStealer has a typical infostealer capability set that focuses on password managers and over 80 crypto wallet extensions. The malware’s binary impersonates Apple’s system component by taking the name ‘CrashReporter.app,’ in an attempt to evade users’ scrutiny and potentially security tools.
In addition to its name, the malware also creates a LaunchAgent named ‘com.apple.crashreporter.helper’ and uses the legitimate tool’s icon and metadata to resemble the legitimate tool as much as possible. When launched, the malware displays a fake macOS password prompt to convince users that they are authorizing a legitimate system operation that requires administrator privileges.
### Data Exfiltration
When the password is provided, the malware validates it locally using ‘dscl’ (Directory Service command-line). If it’s incorrect, CrashStealer returns an authentication error, prompting the user to type it again. Apart from keychain data, Jamf’s analysis indicates that CrashStealer also targets the following data:
* Browser credentials and cookies from Chromium-based browsers and Firefox 80
* Cryptocurrency wallet extensions, including MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Rabby, Exodus, Keplr, and Solflare
* 14 password managers, including 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass, and RoboForm
* Files from user directories such as Documents and Downloads
Before exfiltrating the stolen data, CrashStealer encrypts it using the AES-256-GCM algorithm, packages it into hidden ZIP archives, and uploads the compressed data to the command-and-control (C2) server using libcurl.
### Distinct Features
Jamf researchers say that despite the overlap in objective with other infostealer families (e.g., Atomic, MacSync and Phexia), CrashStealer is distinct due to its client-side encryption mechanism and its native C++ implementation. The malware’s re-signing process allows it to rewrite the code-signature data in the binary, causing the file to have a different hash despite the code remaining untouched.
### Initial Distribution Method
Jamf researchers did not share details about CrashStealer’s exact initial distribution method, but note that the first-stage payload (Werkbit Setup) is hosted on a fake software site registered in late June. Downloading the payload is gated behind a meeting PIN, which indicates a campaign limited to visitors who provide the right code.
### Conclusion
The CrashStealer campaign is a careful operation focused on stealth by using a signed and notarized malware dropper and a payload that re-signs itself for persistence. Security teams should be aware of this new threat and take necessary precautions to protect their macOS devices.
Source: Original article