All About Cookies is an independent, advertising-supported website. Some of the offers that appear on this site are from third-party advertisers from which All About Cookies receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear).
All About Cookies does not include all financial or credit offers that might be available to consumers nor do we include all companies or all available products. Information is accurate as of the publishing date and has not been provided or endorsed by the advertiser.
The All About Cookies editorial team strives to provide accurate, in-depth information and reviews to help you, our reader, make online privacy decisions with confidence. Here's what you can expect from us:
- All About Cookies makes money when you click the links on our site to some of the products and offers that we mention. These partnerships do not influence our opinions or recommendations. Read more about how we make money.
- Partners are not able to review or request changes to our content except for compliance reasons.
- We aim to make sure everything on our site is up-to-date and accurate as of the publishing date, but we cannot guarantee we haven't missed something. It's your responsibility to double-check all information before making any decision. If you spot something that looks wrong, please let us know.
A team of cybersecurity experts at Jamf Threat Labs has discovered CrashStealer[1], a new C++ macOS infostealer designed to impersonate Apple's crash-reporting tool.
CrashStealer can first check whether the password you entered is correct, then use it to steal passwords stored in Keychain and your web browsers. The horror show continues, as it can not only bypass Gatekeeper — Apple's built-in anti-malware system for macOS — but is also extremely difficult to analyze and detect.
Here's how CrashStealer works, how it was identified, and the steps you can take to stay safe right now.
What makes CrashStealer so difficult to stop
How can you check if you're infected
What can you do to protect yourself
Bottom line
How CrashStealer infects your Mac and steals your data
Jamf started tracking CrashStealer in early May when it was still in the development phase. However, by early July, researchers observed in-the-wild detections of the malware, which is delivered through an AppleScript dropper.
According to Jamf, the attack starts with a disk image called Werkbit Setup, which contains an app called Werkbit.app, with the executable name Veltod.
What makes it particularly dangerous is that this dropper is legitimately signed and notarized by Apple, allowing it to bypass Gatekeeper.
- When launched, Veltod connects to GitHub to retrieve a file containing a curl command. This command then downloads a shell script from the attacker's server.
- The script then downloads a disk image called CrashReporter.dmg over plain HTTP, mounts it, and copies the app inside to a hidden folder.
- This payload app impersonates Apple's real Crash Reporter and uses the bundle ID com.apple.crashreporter, along with an identical name and icon, making it very difficult for analysts or victims to suspect anything.
- The payload then displays a fake macOS-style password prompt, asking the user to enter their macOS password. Because everything appears legitimate, the user is tricked into believing the system is requesting valid authentication.
- The malware then validates this password using the Directory Service command-line tool (dscl) — a legitimate built-in macOS utility. If the password is incorrect, CrashStealer asks the user to re-enter it, just like a legitimate macOS application would.
- Once the correct password is provided, CrashStealer stores it locally before using it to unlock the victim's Keychain, Apple's built-in password manager that stores encrypted passwords.
- The malware also copies and re-signs itself into ~/Library/Caches and installs a Launch Agent, which is again disguised as Apple Crash Reporter. Every time you power on your Mac, the infostealer launches automatically and runs quietly in the background.
In addition to Keychain, CrashStealer also targets browser credentials and cookies from Chrome, Edge, Firefox, and Brave, 80 cryptocurrency wallet extensions, including MetaMask, Phantom, and Coinbase, and 14 password managers, including LastPass (which was recently hacked again) and 1Password.
What makes CrashStealer so difficult to stop
CrashStealer employs various obfuscation techniques and anti-analysis barriers using three main methods:
- Control flow flattening: CrashStealer's execution runs through dispatch blocks using jump tables that branch on compile-time constants, making it much harder for security researchers to understand how it works.
- Encrypted strings: CrashStealer stores sensitive strings as encrypted blobs and decodes them at runtime using a byte-substitution routine. This makes much of the malware's code unreadable to security researchers until it’s actually running.
- Layered anti-debugging: CrashStealer checks for debuggers at least twice during execution and immediately terminates with exit code 45 if it detects any debugging activity. In other words, it shuts itself down whenever it detects that someone is trying to inspect or analyze it.
How can you check if you're infected
If you've recently downloaded an unfamiliar application from a suspicious source and have reason to believe your Mac may already have been compromised, here are a few checks you can run to look for signs of a CrashStealer infection.
- Open Finder and use the shortcut Cmd + Shift + G (Go to Folder), then type ~/.cache/com.apple.crashreporter/. This is where stolen data is staged and compressed before being sent to the attacker's server. If you find this folder, look for files beginning with .zx_ or ending in .zip.
- Next, check ~/Library/Caches/com.apple.crashreporter/. This is where the malware copies itself to survive a restart.
- Then open ~/Library/LaunchAgents/ and look for a file named com.apple.crashreporter.helper.plist. This Launch Agent automatically restarts CrashStealer every time you power on your Mac.
What can you do to protect yourself
If you find any of the above files or folders on your Mac, you've most likely become a victim of CrashStealer. In that case:
- Disconnect from the internet immediately to stop any further stolen data from being sent to the attacker's server.
- Consider performing a clean reinstallation of macOS using Apple's official recovery tools or with the help of a professional. That’s because you likely won't be able to remove the infection simply by deleting the files, as the malware re-signs and relaunches itself.
- Change your passwords from a different, unaffected device, such as your phone or another computer. This includes your Apple ID, email accounts, financial accounts, cryptocurrency wallets, and any password manager master passwords.
- Use an identity theft protection service to quickly alert you if your stolen credentials appear on the dark web or are being misused in scams, such as someone opening new lines of credit in your name.
If you find no traces of CrashStealer on your system, first of all, congratulations. But you should still adopt a few precautionary measures to avoid future infections.
- Download applications only from official vendors or the Mac App Store: Avoid suspicious links received in chats, emails, or online meeting invitations. CrashStealer’s case highlights that Apple's notarization of a macOS app only confirms the developer's identity; it doesn't guarantee the application is trustworthy or malware-free.
- Inspect password prompts: If you see an unexpected password prompt appear on your Mac, especially immediately after installing a new application, treat it as suspicious and cancel the request.
- Use antivirus software with behavioral detection: Because CrashStealer is legitimately signed by Apple, it can bypass traditional signature-based detection. Consider using third-party antivirus software or endpoint protection tools that monitor application behavior, such as Launch Agent creation or unusual outbound connections to suspicious IP addresses.
Bottom line
CrashStealer is a more dangerous malware than your typical macOS infostealer. Not only can it bypass Apple's built-in security protections, but it also hides in plain sight by impersonating Apple's crash-reporting tool and automatically relaunches every time your Mac starts, making it particularly difficult to detect and remove.
The only real way to protect yourself right now is by following good cybersecurity hygiene. This includes checking the file locations where CrashStealer may be hiding, downloading applications only from official sources, inspecting unexpected password prompts, and using third-party protection tools such as an antivirus program.