SOC Prime Bias: High

14 Jul 2026 15:21 UTC

CrashStealer: macOS Infostealer Masquerading as a Crash Reporter

Author Photo
SOC Prime Team linkedin icon Follow
CrashStealer: macOS Infostealer Masquerading as a Crash Reporter
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

CrashStealer is a native C++ infostealer for macOS that masquerades as Apple’s crash-reporting framework to collect sensitive user data. It targets browser credentials, cryptocurrency wallets, and keychain information, while using AES-GCM encryption to stage stolen data locally. The malware is delivered through a signed and notarized dropper disguised as a legitimate software installer.

Investigation

Jamf Threat Labs discovered the threat after a suspicious macOS sample appeared on VirusTotal in May 2026. Their investigation uncovered a sophisticated multi-stage infection chain involving a notarized dropper called Werkbit Setup and a payload that uses ad-hoc signing to avoid detection. Analysts also observed the malware profiling security tools and harvesting a broad range of user data from the infected host.

Mitigation

Organizations should monitor for suspicious application launches from hidden paths such as /private/tmp/. Detection rules should be created for execution of commands like dscl -authonly and xattr -cr when they appear in abnormal contexts. Blocking known malicious domains and watching for large encrypted ZIP archives with distinctive naming patterns in ~/.cache/ can also help disrupt exfiltration.

Response

If CrashStealer is detected, isolate the affected macOS endpoint immediately to stop additional data theft. Conduct forensic analysis of the ~/.cache/com.apple.crashreporter/ directory to assess the scope of the stolen information. Investigators should also treat the user’s credentials, especially keychain contents and browser-stored passwords, as fully compromised.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary seeks to deploy a macOS-based infostealer (CrashStealer). To evade initial detection and prepare the environment, the attacker first strips extended attributes from their malware to avoid quarantine (xattr -cr). They then attempt to validate local user credentials using dscl to ensure they have sufficient privileges (dscl -authonly). To ensure persistence and system integration, they register the malicious service with Launch Services (lsregister -f). Finally, they execute the payload in the background to remain hidden from the user interface (open -g -n). This sequence is designed to mimic legitimate system management while performing malicious tasks.

  • Regression Test Script:

    #!/bin/bash
    # CrashStealer Simulation Script
    # This script executes the specific command patterns defined in the detection rule.
    
    echo "[+] Starting CrashStealer Simulation..."
    
    # 1. Clear extended attributes (T1027.005)
    echo "[+] Step 1: Clearing extended attributes..."
    xattr -cr /tmp/dummy_malware_file 2>/dev/null || echo "[!] xattr failed (Expected if file doesn't exist)"
    
    # 2. Validate credentials (T1556.002)
    echo "[+] Step 2: Validating credentials via dscl..."
    dscl -authonly /Users/$(whoami) || echo "[!] dscl failed (Requires valid context)"
    
    # 3. Register with Launch Services (T1546.015)
    echo "[+] Step 3: Registering service..."
    lsregister -f /tmp/dummy_app.app 2>/dev/null || echo "[!] lsregister failed"
    
    # 4. Launch process in background (T1056)
    echo "[+] Step 4: Launching background process..."
    open -g -n /Applications/Calculator.app 2>/dev/null || echo "[!] open failed"
    
    echo "[+] Simulation Complete."
  • Cleanup Commands:

    # Remove any dummy files created during simulation
    rm -f /tmp/dummy_malware_file
    rm -f /tmp/dummy_app.app
    echo "[+] Cleanup complete."