Skip to content

‘CrashStealer’ malware poses as an Apple tool to steal passwords & Mac data

CrashStealer, a newly documented Mac infostealer, used an Apple-notarized meeting app to reach victims before stealing passwords, browser data and cryptocurrency credentials behind a fake system prompt.

Apple iMac on a tidy desk displaying a gray password prompt window for system preferences, with keyboard, mouse, small camera, and tall floor lamp in a softly lit roomCrashStealer fake password prompt

Jamf Threat Labs first spotted a suspicious sample on VirusTotal in early May and began seeing matching detections on customer Macs in early July. Further analysis traced the malware to a signed and Apple-notarized first-stage application called Werkbit, giving researchers a clearer view of how the campaign reached victims.

Werkbit carried a valid Developer ID associated with Emil Grigorov and passed Gatekeeper without an unidentified-developer warning. Apple has since revoked the signing credentials associated with the malicious application after Jamf shared its findings with the company’s security team.

Jamf found no zero-click stage in the samples it analyzed. A victim still had to download and launch Werkbit, allow the delivery chain to run and enter a valid Mac password before CrashStealer could reach its most valuable targets.

Continue Reading on AppleInsider | Discuss on our Forums