HeadlinesBriefing favicon HeadlinesBriefing.com

CrashStealer Mac Infostealer Uses Apple‑Notarized Werkbit

AppleInsider •
×

CrashStealer, a newly documented Mac infostealer, was first spotted by Jamf Threat Labs on VirusTotal in early May and began generating detections on customer Macs in early July. The malware reaches victims through a signed and Apple-notarized first‑stage application called Werkbit, which carries a valid Developer ID associated with Emil Grigorov and passes Gatekeeper without an unidentified‑developer warning. After Jamf shared its findings, Apple revoked the signing credentials tied to the malicious app.

Infection requires user interaction: a victim must download and launch Werkbit, allow the delivery chain to run, and enter a valid Mac password. Once the password is confirmed, CrashStealer unlocks the login keychain, harvests credentials from browsers (Chrome, Edge, Firefox, etc.), and targets roughly 80 cryptocurrency wallet extensions and 14 password managers. It encrypts stolen data with AES‑256‑GCM, hides it in temporary folders, and establishes persistence via a Launch Agent that runs at every login.

Beyond the Mac version, researchers uncovered a Windows installer and a network of lookalike meeting‑app domains (Cohezo, Cordinex, Synerix, Collabox, Werknova) linked to a shared backend, indicating a broader cross‑platform operation rather than an isolated macOS stealer.