HeadlinesBriefing favicon HeadlinesBriefing.com

Fake Mac Crash Reports Steal Passwords Crypto

9to5Mac •
×

While macOS is generally very stable, a new form of Mac malware called Crash Stealer creates fake crash report forms requesting your Mac password. Jamf Threat Labs began tracking the malware in May after a suspicious macOS sample surfaced on VirusTotal. By early July, in-the-wild detections confirmed the infostealer had matured into active use, targeting password managers and cryptocurrency wallets.

The malware spreads via a disk image named "Werkbit Setup" containing Werkbit.app. Its executable veltod carries bundle identifier dev.golove.velto. Unusually, the dropper is properly code signed and notarized with a valid Apple Developer ID belonging to Emil Grigorov (WWB7JA7AQV), including a stapled notarization ticket and signed disk image container. This allowed it to pass Gatekeeper checks initially.

Apple has since revoked the developer credentials, so Gatekeeper should now detect it. However, caution remains advised. Users should scrutinize crash reports and password prompts claiming System Preferences wants to make changes. Best protection: only download apps from the Mac App Store and trusted developer websites.