Mac malware CrashStealer masquerades as Apple crash reporter to steal secrets

Jamf Threat Labs warns about CrashStealer, a macOS malware that pretends to be Apple’s crash reporting tool via a fake notarized app named Werkbit. It targets over 80 cryptocurrency wallet extensions and 14 password managers (such as 1Password, LastPass, and Dashlane), searches Documents and Downloads for data, and prompts for full-disk access and a system password to access the login keychain. The stolen data is encrypted with AES-256-GCM and sent to the attacker. Apple revoked Werkbit’s signing credentials, but the attack vector shows how notarization can be abused, and the threat could reappear; users should avoid apps that prompt for a password or claim to be CrashReporter.
- CrashStealer Malware Impersonates Apple Tool to Steal Mac Passwords and Crypto MacRumors
- Watch out: New ‘CrashStealer’ Mac malware could nab your passwords Macworld
- New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password The Hacker News
- New Mac malware masquerades as Apple's crash reporter: 3 ways to dodge the threat ZDNET
- ClickLock Stealer: Paste Once, Lose Everything Group-IB
Reading Insights
0
4
9 min
vs 10 min read
94%
1,939 → 107 words
Want the full story? Read the original article
Read on MacRumors