Announcements
We ıntegrate ınformatıon ın lıfe

  • DOLAR
    %0,03
  • EURO
    %0,21
  • ALTIN
    %-0,75
  • BIST
    %0,81
Password and Data Theft on Macs: What is CrashStealer?

Password and Data Theft on Macs: What is CrashStealer?

CrashStealer malware, aimed at Mac users, steals personal data and passwords by imitating the crash reporting tool.

A new information thief named CrashStealer has emerged that threatens Mac users. This malicious software imitates Apple’s crash reporting tool; It captures Mac login password, Keychain data, browser information, password managers, personal documents and cryptocurrency wallets.

It is noteworthy that the first application used in the attack carries a valid developer certificate and is notarized by Apple. For this reason, the application can run without being blocked by macOS’s Gatekeeper security system at startup.

CrashStealer emulates Apple’s CrashReporter app

CrashStealer was first detected in a suspicious macOS document uploaded to VirusTotal in May 2026. The deficiencies found in the first samples showed that the malicious software was now in the development stage.

It was determined that the attack began to be used actively with the new versions seen in real systems at the beginning of July. The malicious software was developed directly in C++ and included a special class called “MacOSData” in its codes.

The attack starts with a disk image distributed under the name “Werkbit Setup”. The document includes an application called Werkbit.app and an executable component called “veltod”.

The application can run on both Apple Silicon and Intel processor Mac models. Werkbit was signed with a valid Apple Developer ID certificate registered to “Emil Grigorov” and went through Apple’s notarization process.

The disc mold itself was also signed separately. Thus, when the user opened the application, he did not encounter the standard security warnings that macOS shows for unsigned or unverified software.

Werkbit was distributed through a special website designed as a meeting and collaboration platform. The meeting PIN had to be entered in order to download the application on the site, which was registered at the end of June 2026.

With this technique, the harmful document was not made publicly available to everyone who visited the site. Only users with the correct PIN code given by the attackers were able to access the download link.

Logos of various well-known companies were used on the website. However, the Werkbit application did not have a real meeting, view call or collaboration feature.

After the disk image is opened, the user is greeted by a specially prepared image screen. You are asked to right-click on the application on the screen and use the “Open” option.

Since Werkbit is actually notarized by Apple, it does not need such a process to bypass Gatekeeper. The instructions are used as part of an invalid suram process that directs the user to run the application.

Working principle of the malware and the data it targets

After the application is opened, it connects to the “mgothiclove/pkeys” repository on GitHub and downloads the document named “sys.cache”. The curl command extracted from the document brings the second-stage script on the attackers’ server to the system.

The script’s commands are hidden by three other Base64 layers. Commands are decoded during execution and transferred directly to the Bash shell, and are not saved to disk in plain text.

In the second step, the actual harmful document named CrashReporter.dmg is downloaded to the temporary folder of the Mac. The disk image is connected to the system without being displayed to the user, and the CrashReporter.app in it is copied to a closed folder named “.CrashReporter”.

The file’s quarantine marks are cleared and its existing signature is removed. The application is then signed again locally and saved to the macOS Launch Services system.

The CrashReporter.app name, app icon, and package ID “com.apple.crashreporter” mimic Apple’s actual crash reporting component. The malicious software also creates a LaunchAgent named “com.apple.crashreporter.helper”.

When the user checks running processes or background services, he encounters names that appear to belong to Apple. The application continues to run in the background without appearing on the Dock.

Once opened, CrashStealer displays a password window that resembles the actual authorization screen of macOS. The window says that broad system access is required for maintenance and crash reporting processes.

The password entered by the user is controlled locally via macOS’ built-in “dscl” command. When the wrong password is entered, an error message is displayed and the password is requested again.

This process continues until the real password is entered. The malicious software thus obtains the user’s real Mac login password instead of a random text.

The compromised password is used to open the user’s login Keychain database. Keychain may include Safari login information, Wi-Fi passwords, application accounts, certificates, access tokens and private cryptographic keys.

The opened Keychain database is copied to an unknown working folder. The user’s Mac password is also saved in a different document.

CrashStealer also scans the profile folders of Chromium-based internet browsers. Google Chrome, Brave, Microsoft Edge, Opera, Opera GX, Vivaldi, Chromium and Naver Whale are among the browsers covered by the raid.

Login information and add-on data in Firefox are also collected. By using SQLite backup functions, locked databases of open browsers can be accessed.

The malware’s target list includes approximately 80 cryptocurrency wallet extensions. MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Rabby, OKX Wallet, Exodus, Keplr, Solflare and Backpack are among them.

Different wallet extensions used in the Solana, Cosmos, TON, Sui, Aptos and NEO ecosystems are also scanned. Wallet data in browser profiles is packaged differently than other account information.

CrashStealer also looks for information on 14 password managers, including 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass and RoboForm.

The malware does not try to open password manager applications directly. It examines browser extensions, local information folders and relevant user profiles.

Personal documents in the Documents and Downloads folders are also included in the scope of the attack. However, not all documents in the system are copied randomly.

Caches, log files, trash, application status documents, Git repositories, and development folders are skipped. Applications, executables, system libraries, large archives and images are also excluded, along with DMG, ISO and PKG documentation.

The collected information is not kept openly on disk. Each document is encrypted with the AES-256-GCM method using Apple’s CommonCrypto infrastructure.

The encryption key is generated with 10 thousand types via PBKDF2-HMAC-SHA256. Browser information, Keychain records, wallet data, password managers and system information are packaged in different closed ZIP archives.

The prepared archives are sent to the attackers’ command and control server via libcurl. In the first examples, the server address was clearly included in the application’s Info.plist document.

In newer versions the server address has been removed and sensitive strings moved inside encrypted code blocks. The code structure and data collection techniques of the malicious software have been regularly changed in new versions.

CrashStealer can continue to run after the Mac has restarted. To do this, it copies itself to the user’s Library/Caches folder and is launched at every login via the LaunchAgent it creates.

If the process closes with an error, it is run again by the launchd service of macOS. The application’s outputs are directed to the “/dev/null” location and no window is shown to the user.

Unlike malware, it also carries various precautions against engineering work. The code flow is complicated, document paths and server addresses are stored in encrypted strings.

It is checked in multiple stages whether a debugger is running in the system. If the debugger is detected, the application is closed before harmful processes begin.

Security software, endpoint protection tools and malicious software analysis programs installed on the Mac are also examined. The version of these applications and the space they occupy on the disk are checked.

The developer account associated with Werkbit was reported to Apple and the signing information used in the app was revoked. More than one domain name and management panel with contact with the attack infrastructure was also detected.

File paths and components for Windows systems were found in some domains. It is believed that the attackers prepared the same method for different operating systems.

Mac users should not run suspicious software documents called Werkbit, Werkbit Setup or CrashReporter. If an unexpected application asks for the Mac login password, the window should be closed and the process terminated.

Users who run Werkbit and enter information on the password screen must change their account passwords on a clean device. Open sessions should be closed and two-factor authentication should be enabled on all supported accounts.

If the crypto wallet private keys or recovery promises are stored on the Mac, the existing wallet should not be considered safe. Assets need to be transferred to a clean wallet created with new keys.

What do you think about this new type of malicious software?

Social Media Share:

TOGETHER FOR A LOOK

Can you share with us your comment?