Malware News Jamf Threat Labs discovers and investigates CrashStealer, a C++ macOS infostealer that impersonates Apple's crash-reporting framework.

Khushal

Level 16
Thread author
Verified
Top Poster
Well-known
Apr 4, 2024
742
4,915
1,469
Meet CrashStealer. This one takes delivery more seriously than most, a signed and Apple-notarized dropper that's pulling its second stage payload down through GitHub.The payload is a native C++ stealer with client-side AES-GCM encryption and layered anti-analysis.Check out our writeup for additional details and indicators of compromise.

Introduction​

In early May, a suspicious macOS sample uploaded to VirusTotal surfaced through our sample-processing pipeline, and Jamf Threat Labs began tracking it. It impersonated Apple's crash reporting framework and, at that point, looked like an infostealer still in development. By early July we were seeing in-the-wild detections of the payload matching one of our in-house rules, indicating the project had matured from development into active use. We track this malware under the name CrashStealer.

Unlike much of the commodity stealer activity on macOS, which is built on AppleScript droppers or thin Objective-C wrappers, CrashStealer is implemented in native C++ around an internal class the authors named MacOSData. It validates the victim's login password locally before harvesting, collects broadly across browsers, cryptocurrency wallets, password managers and the keychain, encrypts what it collects with AES-GCM before exfiltrating over libcurl, and persists by copying and re-signing itself. Although its objectives overlap with families such as Atomic (AMOS), MacSync and Phexia, its native C++ implementation and client-side encryption set it apart, and we track it as a distinct family rather than a variant.

We have since identified the stage that precedes the payload: a signed and Apple-notarized dropper, distributed as a disk image named "Werkbit Setup," that retrieves the CrashStealer payload from attacker infrastructure and launches it. Because the dropper carries a valid Developer ID and a stapled notarization ticket, it clears Gatekeeper on first launch, in contrast to the ad-hoc-signed payload it installs.

Throughout this post, we examine CrashStealer as we observed it and highlight the behaviors most relevant from a defender's perspective.
 
Key defensive takeaways

This report highlights an important macOS threat model: a valid Developer ID signature and Apple notarization do not prove that an application is trustworthy. In this case, the dropper reportedly used those mechanisms to pass Gatekeeper checks before retrieving and launching a separate payload.

Notable behaviors described in the analysis include:

  • A disk image distributed as “Werkbit Setup”
  • A signed and notarized dropper
  • Payload retrieval from GitHub or attacker-controlled infrastructure
  • A native C++ information-stealing payload
  • Local login-password validation before collection
  • Targeting of browsers, cryptocurrency wallets, password managers, and Keychain data
  • AES-GCM encryption of collected data before exfiltration
  • Self-copying and re-signing for persistence

Client-side encryption is primarily intended to hinder inspection of stolen data; it does not make the activity legitimate or reduce the severity of the compromise. Likewise, a GitHub download location should not be treated as evidence that a payload is safe.

For suspected exposure, avoid launching the application again and preserve the disk image, application bundle, relevant hashes, and system logs for analysis. Run a scan with reputable, up-to-date macOS security software, review Login Items and other persistence locations, and change passwords from a known-clean device. Prioritize email, password-manager, cryptocurrency, and Apple Account credentials, and revoke active sessions or tokens where supported.

The exact indicators of compromise should be taken from the original Jamf report and checked against local telemetry. A VirusTotal result can provide additional context, but a clean or low-detection result alone cannot establish that a sample is safe.