

As the Mac platform becomes more popular, it also becomes more interesting as a target for data thieves: the more users, the greater the number of potential victims, which in turn justifies greater programming effort. The security experts at the Jamf Threat Lab are drawing attention to a case that cleverly bypasses security barriers in several places – and had a valid notarization by Apple’s developer program until it was discovered. The discoverers named the observed program CrashStealer. It got onto the Mac by users downloading and launching a seemingly legitimate installer. In the case observed, it was an app called “Werkbit” – which is also the name of a development studio from the Erzgebirge. However, this is innocent – it offers tailor-made programming at werkbit.de. Google currently shows the URL werkbit.io as the second hit. It promises AI-supported conference software. Although the website itself is now offline, the Jamf researchers report that the danger has by no means been averted. The attackers use additional names and URLs for distribution.

CrashStealer uses names that seem unremarkable at first glance.
Installing “CrashReporter”
When the security researchers started the installer in a test environment, they were able to understand its procedure: The malware is loaded from a command and control server and installed on the Mac under the name “CrashReporter”. Unlike ordinary Trojans, CrashStealer relies on native code programmed in C++ instead of putting up a thin AppleScript facade. The dialog that the active malware then calls up is therefore more difficult to recognize as a fake.
Password is checked and used
Whether the password entered is legitimate is checked in the background using a command line command. The program then unlocks the login keychain and extracts passwords, browser data, crypto wallet information, and more to secure them as encrypted archives. The program then copies itself and permanently embeds itself into the system using a LaunchAgent.
Validated by Apple’s notarization
What particularly surprised the discoverers was that the malware had a valid signature from Apple, even though the app’s unfair intentions were quite obvious in the program components. Only after Jamf confronted Apple with its own observations did the company withdraw the notarization – at least under this one signature, the program is no longer easy to distribute. In the past, Apple was repeatedly accused of merely performing “security theater” in the notarization process – the impression became solidified that Apple was not carrying out any serious code analysis. On the other hand, there have been signs since April that Apple is now at least carrying out automated scans of submitted programs.
















