Full Report
Cybersecurity researchers have flagged a new macOS information stealer called CrashStealer that's capable of harvesting sensitive data from compromised systems. Unlike other information stealers that are built on AppleScript droppers or Objective-C-based wrappers, CrashStealer is implemented in native C++, according to Jamf Threat Labs. "It validates the victim's login password locally before
Analysis Summary
# Tool/Technique: CrashStealer
## Overview
CrashStealer is a sophisticated macOS information stealer implemented in native C++. It is designed to harvest sensitive data including browser credentials, cryptocurrency wallets, and keychain material. It distinguishes itself through its use of Apple-notarized droppers to bypass Gatekeeper security checks and its heavy use of evasion and encryption techniques to hinder analysis.
## Technical Details
- **Type:** Malware Family (Information Stealer)
- **Platform:** macOS
- **Capabilities:** Credential harvesting, cryptocurrency theft, local password validation, persistence, and anti-analysis.
- **First Seen:** July 2026 (Reported)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566.002 - Phishing: Spearphishing Link (via gated downloads/fake software)
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File
- **TA0003 - Persistence**
- T1547.011 - Boot or Logon Autostart Execution: Plist Files / Launch Agents
- **TA0005 - Defense Evasion**
- T1553.001 - Subvert Trust Controls: Gatekeeper Bypass (via Notarization)
- T1406 - Obfuscated Files or Information (Control-flow flattening, encrypted strings)
- T1497 - Virtualization/Sandbox Evasion (Anti-debugging)
- **TA0006 - Credential Access**
- T1555.003 - Credentials from Web Browsers
- T1555.001 - Keychain
- **TA0010 - Exfiltration**
- T1048 - Exfiltration Over Alternative Protocol (via libcurl)
## Functionality
### Core Capabilities
- **Local Password Validation:** Prompts the user for their login password and validates it locally to ensure it can unlock the login keychain.
- **Broad Data Harvesting:** Targets Chromium-based browsers, approx. 80 cryptocurrency wallet extensions, and 14 major password managers.
- **Keychain Access:** Unlocks and extracts material from the macOS login keychain using the validated user password.
- **Persistence:** Establishes itself as a `LaunchAgent` and has the capability to re-sign itself to maintain validity.
### Advanced Features
- **Notarized Delivery:** Initially distributed via `Werkbit.app`, which carries a valid Developer ID and Apple notarization to bypass Gatekeeper.
- **Analysis Resistance:** Employs control-flow flattening, encrypted strings, and layered anti-debugging techniques to frustrate security researchers.
- **Encrypted Exfiltration:** Uses client-side AES-GCM encryption for harvested files before transmission.
- **Gated Distribution:** Uses a meeting PIN requirement on the distribution site (`werkbit[.]io`) to limit the payload's exposure.
## Indicators of Compromise
- **File Names:**
- `Werkbit.app` (Initial DMG)
- `veltod` (Initial executable)
- `sys.cache` (Retrieved configuration)
- `CrashReporter.dmg` (Final payload)
- **Network Indicators:**
- `werkbit[.]io` (Distribution)
- `github[.]com/mgothiclove` (Resource hosting)
- `179.43.166[.]242` (C2/Exfiltration - defanged)
- **Behavioral Indicators:**
- Creation of a new `LaunchAgent` for persistence.
- Unexpected password prompts requesting system credentials.
- Native C++ process making outbound connections via `libcurl`.
## Associated Threat Actors
- Unknown (The campaign is currently attributed to developers using the ID "Emil Grigorov (WWB7JA7AQV)").
## Detection Methods
- **Signature-based:** Monitoring for hashes associated with the `veltod` and `CrashReporter` binaries.
- **Behavioral:** Watching for unauthorized access to keychain files or native processes attempting to validate login passwords locally.
- **YARA rules:** Rules targeting the unique control-flow flattening patterns and AES-GCM implementation in the C++ binary.
## Mitigation Strategies
- **Gatekeeper Hardening:** While notarization was used, users should be wary of apps requiring "Right-Click > Open" to bypass manual security prompts from unknown sources.
- **Credential Hygiene:** Use hardware security keys where possible, as software-based wallets and browser-saved passwords are primary targets.
- **Endpoint Monitoring:** Deploy EDR solutions capable of detecting LaunchAgent persistence and unusual keychain access patterns.
## Related Tools/Techniques
- **Atomic Stealer (AMOS):** Another prominent macOS stealer, though CrashStealer is more technically complex due to its native C++ implementation and anti-analysis features.
- **Cuckoo Stealer:** Shares similar goals in targeting macOS users for cryptocurrency and browser data.