AI Security AI安全 9h ago Updated 2h ago 更新于 2小时前 46

CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks CrashStealer macOS 恶意软件使用经过公证的投放程序绕过 Gatekeeper 检查

CrashStealer is a novel macOS information stealer implemented in native C++, distinguishing itself from common AppleScript or Objective-C wrappers. Attackers utilize an Apple-notarized dropper ("Werkbit.app") to bypass Gatekeeper security checks, distributing the payload via a domain gated by a meeting PIN. The malware employs sophisticated evasion techniques, including control-flow flattening, encrypted strings, and layered anti-debugging mechanisms to resist analysis. It harvests extensive dat CrashStealer是一款原生C++实现的macOS信息窃取木马,利用经过Apple公证的签名下载器绕过Gatekeeper检查。 攻击者通过会议PIN码限制访问权限分发恶意磁盘镜像,降低被广泛扫描发现的概率。 该木马具备本地密码验证、登录钥匙串解锁、反调试及控制流扁平化等高级对抗能力。 窃取范围覆盖主流浏览器、加密货币钱包扩展、密码管理器及文档目录,并使用AES-GCM加密后外传。

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • CrashStealer is a novel macOS information stealer implemented in native C++, distinguishing itself from common AppleScript or Objective-C wrappers.
  • Attackers utilize an Apple-notarized dropper ("Werkbit.app") to bypass Gatekeeper security checks, distributing the payload via a domain gated by a meeting PIN.
  • The malware employs sophisticated evasion techniques, including control-flow flattening, encrypted strings, and layered anti-debugging mechanisms to resist analysis.
  • It harvests extensive data from browsers, cryptocurrency wallets, password managers, and the keychain, encrypting the loot with AES-GCM before exfiltration.

Why It Matters

This incident highlights a significant shift in macOS malware tactics, where threat actors are investing in legitimate-looking distribution methods like notarized binaries to evade standard endpoint protections. For security practitioners, it underscores the critical need to look beyond signature-based detection and implement behavioral monitoring and strict application control policies, as even notarized apps can be malicious.

Technical Details

  • Native Implementation: Unlike many commodity stealers, CrashStealer is written in native C++, allowing for deeper integration with macOS APIs and better performance.
  • Notarized Dropper Chain: The initial vector is a disk image named "Werkbit.app" signed with a valid developer ID and notarized by Apple. This allows it to pass Gatekeeper without user intervention.
  • Payload Delivery: Upon execution, the dropper fetches a shell script from a GitHub repository, which then downloads the actual malware payload ("CrashReporter.dmg") to the /tmp directory.
  • Data Exfiltration: The malware validates the user's login password locally to unlock the keychain, collects credentials from ~80 crypto wallets, 14 password managers, and major browsers, then packages them into a ZIP archive encrypted with AES-GCM for transfer to a remote server.
  • Anti-Analysis: The codebase includes obfuscation techniques such as control-flow flattening and encrypted strings to hinder reverse engineering efforts.

Industry Insight

  • Trust in Notarization is Eroding: Security teams must recognize that Apple Notarization ensures binary integrity but does not guarantee benign behavior. Detection strategies should focus on runtime behavior rather than just static signatures or notarization status.
  • Crypto Wallet Targeting: The specific focus on nearly 80 cryptocurrency wallet extensions indicates a high-value target strategy. Organizations and individuals using these wallets should assume compromise is possible and consider hardware wallet isolation or multi-factor authentication enhancements.
  • Supply Chain Risks in Distribution: The use of a PIN-gated download from a seemingly legitimate domain suggests targeted social engineering. Awareness campaigns should emphasize verifying the source of software installations, especially when prompted by unusual access codes or links.

TL;DR

  • CrashStealer是一款原生C++实现的macOS信息窃取木马,利用经过Apple公证的签名下载器绕过Gatekeeper检查。
  • 攻击者通过会议PIN码限制访问权限分发恶意磁盘镜像,降低被广泛扫描发现的概率。
  • 该木马具备本地密码验证、登录钥匙串解锁、反调试及控制流扁平化等高级对抗能力。
  • 窃取范围覆盖主流浏览器、加密货币钱包扩展、密码管理器及文档目录,并使用AES-GCM加密后外传。

为什么值得看

本文揭示了针对macOS生态的高级持续性威胁新手法,特别是利用合法签名和公证机制绕过系统安全防御的技术路径。对于安全从业者和企业IT管理者而言,理解此类“白加黑”或“公证滥用”的攻击链是提升端点检测与响应(EDR)策略的关键。

技术解析

  • 分发与绕过机制:使用名为"Werkbit.app"的已签名且经Apple公证的磁盘镜像作为加载器,携带有效开发者ID以通过Gatekeeper。下载过程受会议PIN码保护,仅向特定目标提供。
  • 执行链与持久化:初始执行后,通过GitHub仓库获取配置并下载第二阶段载荷"CrashReporter.dmg"。恶意软件安装为LaunchAgent以实现持久化,并在运行时进行自我复制和重新签名。
  • 数据收集与加密:支持Chromium系浏览器、约80种加密货币钱包扩展(如MetaMask、Phantom)、14种密码管理器(如1Password、Bitwarden)以及~/Documents和~/Downloads目录文件。所有数据打包为ZIP并使用AES-GCM算法加密。
  • 对抗与分析抵抗:采用原生C++编写,实施控制流扁平化、字符串加密及多层反调试技术。在窃取前会列出已安装的安全和分析工具,并尝试解锁用户登录钥匙串。

行业启示

  • 公证机制的双刃剑效应:攻击者正越来越多地滥用Apple的开发者公证流程来 legitimize 恶意软件。安全团队需加强对异常行为(如非知名应用首次运行后的网络外联)的监控,而非仅依赖签名状态。
  • macOS安全意识的紧迫性:随着远程办公和开发环境向Mac迁移,针对macOS的定制化恶意软件威胁上升。企业应强化终端安全管理,包括限制LaunchAgent的自动加载权限及监控敏感目录访问。
  • 供应链与社交工程结合:通过PIN码限制访问的分发方式表明攻击者倾向于精准打击。防御策略需结合用户教育,警惕看似正规但来源不明的软件更新或会议共享文件。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Research 科学研究