New MacOS Malware Exploits Legitimate Developer ID to Pose as Apple Crash Reporter

Written by

A new form of malware is targeting macOS users by impersonating Apple’s built-in crash-reporting component to trick victims into installing a password-stealing payload.

As detailed by Jamf Threat Labs, CrashStealer is a macOS infostealer designed to harvest login details, cryptocurrency wallets and any other data stored on the system or in the browser.

Written in C++, CrashStealer was first detected in early July. It is delivered through a disk image that impersonates Apple’s built-in crash-reporting component.

The initial way the CrashStealer attack chain begins has not been detailed, but during at least the second stage of the attack, the user is directed to a signed and Apple-notarized dropper, distributed as a disk image named "Werkbit Setup.”

Crucially, this disk image is signed with a valid Apple developer ID and a notarization ticket, which enables it to clear Apple Gatekeeper, the macOS security feature designed to prevent malware execution on first launch.

The user is encouraged to run an application, which looks convincingly like a legitimate software installer. If the user does run the installation, the application reaches out to a GitHub API, which decodes a jumbled script, which after it is decoded becomes a downloader-installer that fetches the CrashStealer payload.

Researchers noted that this process is helped along by how the disk image exploits an application bundle which has been designed to impersonate Apple's built-in crash-reporting component, further helping the malware to evade detection.

Stealing Login Credentials

Once installed, the infostealer displays a native password prompt styled to resemble a genuine macOS authorization request. This is an effort by the attackers to ensure that they have stolen the correct system login credentials for the machine.

With this confirmed, CrashStealer moves towards its true goal: stealing usernames, passwords and any other credentials stored in the browser, as well as stealing logins for cryptocurrency wallets, password managers and other keychain data that provides them with access to accounts.

“CrashStealer's delivery chain shows real care: rather than a bare, unsigned lure, the operators front the attack with a signed and notarized dropper that clears Gatekeeper before quietly fetching, re-signing and launching the payload,” Thijs Xhaflaire, senior threat and detections researcher at Jamf Threat Labs, said in a blog posted, published on July 13.

“What sets it apart from the commodity stealer crowd is less what it collects than how it is built: client-side AES-GCM encryption of the collected files, and an emphasis on analysis resistance through control-flow flattening, encrypted strings and layered anti-debugging,” he added.

Researchers note that while CrashStealer appears to have some overlaps with other forms of MacOS malware such as Atomic (AMOS), and MacSync its native C++ implementation and client-side encryption set it apart as a different variant of malware.

After confirming that a Developer Team ID was used to distribute malicious payloads, Jamf Threat Labs reported it to Apple.  Infosecurity has also contacted Apple for comment.

What’s Hot on Infosecurity Magazine?