"CrashStealer's delivery chain shows real care: rather than a bare, unsigned lure, the operators front the attack with a signed and notarized dropper that clears Gatekeeper before quietly fetching, re-signing and launching the payload," Thijs Xhaflaire, senior threat and detections researcher at Jamf Threat Labs, said in a blog posted on July 13.
CrashStealer: what researchers found in early July
Jamf Threat Labs detected a new macOS infostealer in early July that the researchers have named CrashStealer. Written in C++, the malware is designed to harvest login credentials, cryptocurrency wallet logins and any other data stored on the system or in browsers. The delivery observed by Jamf uses a disk image that impersonates Apple's built-in crash-reporting component and is distributed under the name "Werkbit Setup."
Abuse of a valid Apple developer ID and notarization ticket
Crucial to the attack's stealth is that the disk image and dropper are signed with a valid Apple developer ID and include a notarization ticket. Those attributes allow the dropper to clear Apple Gatekeeper, which the researchers described as "the macOS security feature designed to prevent malware execution on first launch." Once the signed, notarized dropper runs, it fetches, re-signs and launches the payload, according to Jamf's account.
Delivery chain and the GitHub decoding step
Jamf's write-up notes that while the initial mechanism that lures a victim to the disk image has not been detailed, the second stage is explicit: the user is encouraged to run an application that looks like a legitimate installer. That application queries a GitHub API and decodes a jumbled script; after decoding, the script becomes a downloader-installer that fetches the CrashStealer payload. The disk image leverages an application bundle designed to impersonate Apple’s crash-reporter component, further aiding evasion.
Technical defenses and anti-analysis techniques
Jamf's researchers highlighted several engineering choices that distinguish CrashStealer from commodity stealers. The malware uses client-side AES-GCM encryption for collected files and is implemented natively in C++, setting it apart from some other macOS threats. Jamf also notes an emphasis on analysis resistance: control-flow flattening, encrypted strings and layered anti-debugging make reverse-engineering and detection harder, in the researchers’ assessment.
How end users, security teams, and Apple are implicated
- End users: the infostealer presents a native password prompt styled to resemble a genuine macOS authorization request to capture the system login credentials. After confirmation, CrashStealer proceeds to harvest usernames, passwords and any credentials stored in the browser, plus logins for cryptocurrency wallets, password managers and other keychain data.
- Security teams and technologists: Jamf's findings show attackers using a signed, notarized dropper to bypass Gatekeeper and then fetching and re-signing payloads post-launch; defenders will need to watch for suspicious use of valid developer IDs and notarization that precede network retrieval of additional components.
- Apple and platform owners: after confirming that a Developer Team ID was used to distribute malicious payloads, Jamf Threat Labs reported the activity to Apple. Infosecurity has also contacted Apple for comment.
Jamf noted points of overlap between CrashStealer and other macOS threats such as Atomic (AMOS) and MacSync, but emphasized that CrashStealer's native C++ implementation and client-side encryption mark it as a distinct variant. The report's narrative is specific about the steps observed and the design choices that enable stealth: a signed and notarized dropper to clear Gatekeeper, a GitHub-decoded downloader-installer, impersonation of Apple’s crash reporter, and features intended to frustrate analysis.
The discovery raises a practical question left on the record by Jamf's account: how the initial lure delivers the signed disk image to victims. Jamf's detection and its reported transmission to Apple close part of the loop, but the earliest contact vector into user machines is not detailed in the published findings. What is clear from the facts released so far is that attackers are leveraging legitimate platform mechanisms—valid developer IDs and notarization—to make malicious code appear benign at first glance. That combination of careful engineering and platform abuse is what Jamf singled out when it described CrashStealer's delivery chain as showing "real care."
Source: https://www.infosecurity-magazine.com/news/macos-malware-apple-crash-reporter/




