Cybersecurity researchers have identified a new macOS information stealer named CrashStealer, which distinguishes itself by being written in native C++ rather than common scripting languages. The malware is distributed via a signed and Apple-notarized dropper disguised as "Werkbit.app," allowing it to bypass macOS Gatekeeper security checks. Access to the malware is uniquely gated behind a meeting PIN on the distribution site, suggesting a targeted or controlled delivery mechanism.
Once active, CrashStealer employs sophisticated techniques to harvest sensitive data, including local password validation and the collection of credentials from browsers, cryptocurrency wallets, and password managers. It ensures persistence as a LaunchAgent and uses AES-GCM encryption for data exfiltration. The malware also features high analysis resistance through control-flow flattening and layered anti-debugging measures, marking a step up from commodity macOS malware.
Top comments (0)