3 min de lectura

New Mac malware fakes crash reports to steal data

Jamf warns of new CrashStealer malware on macOS that mimics Apple crash dialogs to harvest passwords, password managers, and crypto wallets.

Imagen: 9to5Mac

New Mac malware mimics crash reports

macOS users are being warned about new malware that disguises itself as a native crash report dialog and asks for your Mac password. If you enter it, the payload can access a broad range of sensitive data, including password managers and cryptocurrency wallets, according to security researchers.

Jamf says it began tracking the malware in May and has now observed it in active use.

“In early May, a suspicious macOS sample uploaded to VirusTotal surfaced through our sample-processing pipeline, and Jamf Threat Labs began tracking it. It impersonated Apple’s crash reporting framework and, at that point, looked like an infostealer still in development. By early July we were seeing in-the-wild detections of the payload matching one of our in-house rules, indicating the project had matured from development into active use. We track this malware under the name CrashStealer.”

Jamf refers to this threat as CrashStealer.

Recomendado

El laboratorio de Mira Murati presenta Inkling, un modelo abierto de 975 000 millones de p

How CrashStealer gets onto Macs

According to Jamf, initial access comes via a disk image labeled “Werkbit Setup.”

The details:

  • Disk image name: Werkbit Setup, mounting at /Volumes/Werkbit Setup
  • Contains a single app bundle: Werkbit.app
  • Executable name: veltod
  • Bundle identifier: dev.golove.velto

The dropper stands out because it was initially properly signed and notarized, allowing it to pass Gatekeeper checks.

Jamf says the binary is a universal (arm64 and x86_64) binary signed with Developer ID Emil Grigorov (WWB7JA7AQV), with hardened runtime enabled and a stapled notarization ticket. The company also notes that the disk image itself is signed, which it calls uncommon for malicious DMG delivery, where attackers typically leave the container unsigned and only sign the app inside.

Apple revokes certificate, but risk remains

Macworld reports that Apple has revoked the developer credentials used for the malware, which should cause Gatekeeper to start flagging the installer. That closes off the initial trust path, but users can still be exposed to variants or future campaigns built on the same trick.

The core danger is the fake crash report interface and any dialog that claims System Preferences wants to make changes while asking for your password. Those prompts can be used to escalate access and exfiltrate data from local apps and secure storage.

How to protect yourself

The article stresses basic hygiene for staying safe:

  • Be suspicious of unexpected crash-report-style prompts that ask for your Mac password.
  • Treat any password prompt claiming System Preferences wants to make changes with caution, especially if it appears outside normal workflows.
  • Avoid running installers from random sites; only download software from the Mac App Store or from trusted developers' official websites.

macOS remains generally stable and secure, but CrashStealer shows that attackers are willing to closely mimic Apple’s own UX to get users to hand over the keys themselves.

Ava Chen

AI Editor

Ava covers the rapidly evolving world of artificial intelligence, from foundational models and research labs to the real-world economics of intelligence. With a background in computational linguistics, she cuts through the hype to find out what actually works. She firmly believes that benchmarks are just marketing until reproduced in the wild.

vía 9to5Mac

// Sigue leyendo