Updated
Updated · MacRumors · Jul 15
Apple Revokes Werkbit Credentials After CrashStealer Targets 80 Crypto Wallets on Macs
Updated
Updated · MacRumors · Jul 15

Apple Revokes Werkbit Credentials After CrashStealer Targets 80 Crypto Wallets on Macs

3 articles · Updated · MacRumors · Jul 15

Summary

  • Apple revoked the Werkbit app's signing credentials after Jamf Threat Labs linked the fake Apple-notarized app to CrashStealer, disabling the specific delivery route it documented.
  • CrashStealer impersonates Apple's crash reporting tool, asks for full disk access and a native-looking password prompt, then uses the entered password to unlock the login keychain.
  • The malware steals browser data, keychain contents, files in Documents and Downloads, targets more than 80 cryptocurrency wallet extensions and 14 password managers, and exfiltrates the haul with AES-256-GCM encryption.
  • Jamf first spotted the malware in May and found it active in July; the original build was gated by a PIN, suggesting a targeted campaign rather than broad distribution.
  • The case shows notarization and Gatekeeper can be bypassed by well-concealed malware, and Jamf warned any downloaded app presenting CrashReporter or requesting a system password at launch is a red flag.

Insights

How did an Apple-approved app become a master key for stealing passwords and crypto wallets?
Your Mac says it crashed and needs your password. Is it a real error or a thief emptying your accounts?

CrashStealer Malware Exposes macOS Vulnerabilities: How a Notarized Installer Compromised Keychain, Passwords, and Crypto Wallets

Overview

CrashStealer is a new, advanced malware campaign targeting macOS users. It establishes itself as a LaunchAgent for persistence and uses clever techniques to avoid detection and analysis. After tricking users with a fake password prompt, it validates credentials locally and unlocks the login keychain, giving it access to sensitive data like browser information, cryptocurrency wallets, and password managers. The malware is distributed through a targeted, invitation-only campaign using a notarized installer called 'Werkbit Setup.' This sophisticated approach highlights the growing threat to macOS security and the need for users to stay vigilant.

...