CrashStealer: macOS Infostealer Masquerading as a Crash Reporter
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
CrashStealer is a native C++ infostealer for macOS that masquerades as Apple’s crash-reporting framework to collect sensitive user data. It targets browser credentials, cryptocurrency wallets, and keychain information, while using AES-GCM encryption to stage stolen data locally. The malware is delivered through a signed and notarized dropper disguised as a legitimate software installer.
Investigation
Jamf Threat Labs discovered the threat after a suspicious macOS sample appeared on VirusTotal in May 2026. Their investigation uncovered a sophisticated multi-stage infection chain involving a notarized dropper called Werkbit Setup and a payload that uses ad-hoc signing to avoid detection. Analysts also observed the malware profiling security tools and harvesting a broad range of user data from the infected host.
Mitigation
Organizations should monitor for suspicious application launches from hidden paths such as /private/tmp/. Detection rules should be created for execution of commands like dscl -authonly and xattr -cr when they appear in abnormal contexts. Blocking known malicious domains and watching for large encrypted ZIP archives with distinctive naming patterns in ~/.cache/ can also help disrupt exfiltration.
Response
If CrashStealer is detected, isolate the affected macOS endpoint immediately to stop additional data theft. Conduct forensic analysis of the ~/.cache/com.apple.crashreporter/ directory to assess the scope of the stolen information. Investigators should also treat the user’s credentials, especially keychain contents and browser-stored passwords, as fully compromised.
Attack Flow
Detections
Possible Base64 Encoded Strings Manipulation [MacOS] (via cmdline)
View
Forced Code Signing of Modified Application Bundle (via cmdline)
View
Possible Manual Keychain Unlocking Attempt (via cmdline)
View
MacOS Credential Validation via Dscl Authonly (via cmdline)
View
CrashStealer Exfiltration via Known C2 and GitHub Repository [Windows Network Connection]
View
Detection of CrashStealer Activity on macOS [Linux Process Creation]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: The adversary seeks to deploy a macOS-based infostealer (CrashStealer). To evade initial detection and prepare the environment, the attacker first strips extended attributes from their malware to avoid quarantine (
xattr -cr). They then attempt to validate local user credentials usingdsclto ensure they have sufficient privileges (dscl -authonly). To ensure persistence and system integration, they register the malicious service with Launch Services (lsregister -f). Finally, they execute the payload in the background to remain hidden from the user interface (open -g -n). This sequence is designed to mimic legitimate system management while performing malicious tasks. -
Regression Test Script:
#!/bin/bash # CrashStealer Simulation Script # This script executes the specific command patterns defined in the detection rule. echo "[+] Starting CrashStealer Simulation..." # 1. Clear extended attributes (T1027.005) echo "[+] Step 1: Clearing extended attributes..." xattr -cr /tmp/dummy_malware_file 2>/dev/null || echo "[!] xattr failed (Expected if file doesn't exist)" # 2. Validate credentials (T1556.002) echo "[+] Step 2: Validating credentials via dscl..." dscl -authonly /Users/$(whoami) || echo "[!] dscl failed (Requires valid context)" # 3. Register with Launch Services (T1546.015) echo "[+] Step 3: Registering service..." lsregister -f /tmp/dummy_app.app 2>/dev/null || echo "[!] lsregister failed" # 4. Launch process in background (T1056) echo "[+] Step 4: Launching background process..." open -g -n /Applications/Calculator.app 2>/dev/null || echo "[!] open failed" echo "[+] Simulation Complete." -
Cleanup Commands:
# Remove any dummy files created during simulation rm -f /tmp/dummy_malware_file rm -f /tmp/dummy_app.app echo "[+] Cleanup complete."