CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks
CrashStealer is a novel macOS information stealer implemented in native C++, distinguishing itself from common AppleScript or Objective-C wrappers. Attackers utilize an Apple-notarized dropper ("Werkbit.app") to bypass Gatekeeper security checks, distributing the payload via a domain gated by a meeting PIN. The malware employs sophisticated evasion techniques, including control-flow flattening, encrypted strings, and layered anti-debugging mechanisms to resist analysis. It harvests extensive dat
Analysis
TL;DR
- CrashStealer is a novel macOS information stealer implemented in native C++, distinguishing itself from common AppleScript or Objective-C wrappers.
- Attackers utilize an Apple-notarized dropper ("Werkbit.app") to bypass Gatekeeper security checks, distributing the payload via a domain gated by a meeting PIN.
- The malware employs sophisticated evasion techniques, including control-flow flattening, encrypted strings, and layered anti-debugging mechanisms to resist analysis.
- It harvests extensive data from browsers, cryptocurrency wallets, password managers, and the keychain, encrypting the loot with AES-GCM before exfiltration.
Why It Matters
This incident highlights a significant shift in macOS malware tactics, where threat actors are investing in legitimate-looking distribution methods like notarized binaries to evade standard endpoint protections. For security practitioners, it underscores the critical need to look beyond signature-based detection and implement behavioral monitoring and strict application control policies, as even notarized apps can be malicious.
Technical Details
- Native Implementation: Unlike many commodity stealers, CrashStealer is written in native C++, allowing for deeper integration with macOS APIs and better performance.
- Notarized Dropper Chain: The initial vector is a disk image named "Werkbit.app" signed with a valid developer ID and notarized by Apple. This allows it to pass Gatekeeper without user intervention.
- Payload Delivery: Upon execution, the dropper fetches a shell script from a GitHub repository, which then downloads the actual malware payload ("CrashReporter.dmg") to the /tmp directory.
- Data Exfiltration: The malware validates the user's login password locally to unlock the keychain, collects credentials from ~80 crypto wallets, 14 password managers, and major browsers, then packages them into a ZIP archive encrypted with AES-GCM for transfer to a remote server.
- Anti-Analysis: The codebase includes obfuscation techniques such as control-flow flattening and encrypted strings to hinder reverse engineering efforts.
Industry Insight
- Trust in Notarization is Eroding: Security teams must recognize that Apple Notarization ensures binary integrity but does not guarantee benign behavior. Detection strategies should focus on runtime behavior rather than just static signatures or notarization status.
- Crypto Wallet Targeting: The specific focus on nearly 80 cryptocurrency wallet extensions indicates a high-value target strategy. Organizations and individuals using these wallets should assume compromise is possible and consider hardware wallet isolation or multi-factor authentication enhancements.
- Supply Chain Risks in Distribution: The use of a PIN-gated download from a seemingly legitimate domain suggests targeted social engineering. Awareness campaigns should emphasize verifying the source of software installations, especially when prompted by unusual access codes or links.
Disclaimer: The above content is generated by AI and is for reference only.