ctipilot.ch
← Back to the live brief
NOTABLENATOB2threat

CrashStealer — a native-C++ macOS infostealer using a notarized dropper and local dscl password validation to raid keychain, browsers and wallets

discovered 2026-07-14 04:35 UTCrun 2026-07-14T0409Z-intel2 sourcesmulti-source

Jamf Threat Labs documents CrashStealer, a macOS infostealer written in native C++ (around an internal MacOSData class) rather than the AppleScript droppers or thin Objective-C wrappers typical of commodity macOS stealers; Jamf first saw a sample on VirusTotal in early May 2026 and observed in-the-wild payload detections by early July, and tracks it as a distinct family rather than a variant of Atomic (AMOS), MacSync or Phexia (Jamf Threat Labs, 2026-07-13; BleepingComputer, 2026-07-13). Initial access is a signed and Apple-notarized dropper distributed as a "Werkbit Setup" disk image (both the image and the inner app are signed under a valid Developer ID — which Jamf reported to Apple after confirming it was used to distribute malicious payloads — with hardened runtime enabled) — because it carries a valid notarization ticket it clears Gatekeeper on first launch, so the "right-click → Open" instruction the installer shows is pure social engineering rather than a technical bypass (Jamf Threat Labs, 2026-07-13). The dropper fetches a first-stage file from a GitHub repository (keeping the opening network hop on a trusted developer domain), decodes a curl command, and pulls a shell script delivered as successive Base64 blobs decoded at runtime and piped to bash; that script downloads the payload disk image, copies the app into a hidden /private/tmp/.CrashReporter directory, strips and re-signs it ad-hoc (codesign --remove-signature then codesign -s - --force --deep), registers it with Launch Services and launches it (Jamf Threat Labs, 2026-07-13).

The payload impersonates Apple's crash reporter (bundle identifier com.apple.crashreporter, executing from the hidden staging path), clears its own quarantine and last-used-date extended attributes with xattr -cr, then presents a native-styled password prompt and validates the entered credential locally with dscl . -authonly, looping until a valid password is supplied — so the operator only ever collects credentials that actually authenticate (Jamf Threat Labs, 2026-07-13). With the validated password it unlocks the login keychain, copies login.keychain-db into a hidden ~/.cache staging root, runs a reconnaissance sweep (defaults read for version paired with du -sh for on-disk size) against an embedded list skewed toward malware-analysis and EDR tooling to profile the defensive environment, and collects browser data, Chromium/Firefox extensions (including cryptocurrency-wallet extensions) and password-manager material — AES-GCM-encrypting each item into hidden staging files as it is collected (so the loot is never written to disk in the clear), then packaging each staging directory into its own zip archive before exfiltrating over libcurl. Persistence is a LaunchAgent registered under an Apple-impersonating label with a second re-signed copy of the binary. Anti-analysis is layered throughout: the binary checks for an attached debugger via sysctl process-flag (P_TRACED) inspection at two separate points in initialization — so patching out the first check alone does not defeat it — and its C2 address and collection-target list are held as encrypted, runtime-decoded strings behind control-flow-flattening obfuscation rather than in cleartext (Jamf Threat Labs, 2026-07-13).

Validating the password with dscl -authonly before harvesting lets the operator keep only credentials that actually work

Patching out that first check is not enough on its own: a second check later in application initialization exits the same way

Jamf Threat Labs 2026-07-13

Defender actions

  • Sweep the macOS fleet for a bundle identifier com.apple.crashreporter executing from a hidden path (/private/tmp/.CrashReporter or ~/Library/Caches) with an ad-hoc (rather than Apple) signature, and for a LaunchAgent whose label impersonates an Apple service — Apple's genuine CrashReporter never runs from those paths.

ATT&CK mapping

14 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Execution TA0002
T1204.002User Execution: Malicious File

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.

overlap matrix · ATT&CK page ↗

Persistence TA0003
T1543.001Create or Modify System Process: Launch Agent

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>. Property list files use the <code>Label</code>, <code>ProgramArguments </code>, and <code>RunAtLoad</code> keys to identify the Launch Agent's name, executable location, and execution time. Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.

overlap matrix · ATT&CK page ↗

Privilege Escalation TA0004
T1543.001Create or Modify System Process: Launch Agent

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>. Property list files use the <code>Label</code>, <code>ProgramArguments </code>, and <code>RunAtLoad</code> keys to identify the Launch Agent's name, executable location, and execution time. Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.

overlap matrix · ATT&CK page ↗

Stealth TA0005
T1027Obfuscated Files or Information

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

overlap matrix · ATT&CK page ↗

T1070.006Indicator Removal: Timestomp

Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.

overlap matrix · ATT&CK page ↗

T1140Deobfuscate/Decode Files or Information

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.

overlap matrix · ATT&CK page ↗

T1564.001Hide Artifacts: Hidden Files and Directories

Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls –a</code> for Linux and macOS).

overlap matrix · ATT&CK page ↗

T1622Debugger Evasion

Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.

overlap matrix · ATT&CK page ↗

Defense Impairment TA0112
T1553.001Subvert Trust Controls: Gatekeeper Bypass

Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.

overlap matrix · ATT&CK page ↗

Credential Access TA0006
T1555.001Credentials from Password Stores: Keychain

Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.

overlap matrix · ATT&CK page ↗

T1555.003Credentials from Password Stores: Credentials from Web Browsers

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

overlap matrix · ATT&CK page ↗

Discovery TA0007
T1518.001Software Discovery: Security Software Discovery

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

overlap matrix · ATT&CK page ↗

T1622Debugger Evasion

Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.

overlap matrix · ATT&CK page ↗

Collection TA0009
T1560.001Archive Collected Data: Archive via Utility

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.

overlap matrix · ATT&CK page ↗

Command and Control TA0011
T1105Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

overlap matrix · ATT&CK page ↗

Exfiltration TA0010
T1041Exfiltration Over C2 Channel

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.