Security experts have confirmed that a new infostealer has been used in attacks against macOS systems. This dangerous malware unlocked the Apple keychain, giving a threat actor access to the victim’s encrypted password vault. While this sounds bad enough, it actually gets worse. Beyond Keychain- stored secrets such as credentials for websites, Wi-Fi networks and encrypted disk images, CrashStealer, as the threat has been labeled, also targeted Chrome and Firefox browser cookies and passwords, a total of 14 password managers, 80 cryptocurrency wallets, as well as files located in the Documents and Downloads folders.

“CrashStealer’s delivery chain shows real care: rather than a bare, unsigned lure, the operators front the attack with a signed and notarized dropper that clears Gatekeeper before quietly fetching, re-signing and launching the payload,” security researcher Thijs Xhaflaire warned. Apple has since taken action to prevent further infections following the Jamf Threat Labs report.

The CrashStealer Threat And Apple’s Response

“CrashStealer shouldn't be treated as just another Mac malware story ,” Piyush Sharma, CEO of SecOps platform Tuskira, warned; “By impersonating a trusted Apple crash-reporting flow, the malware is designed to get users to hand over the credentials, keychain data, and session material attackers need to move beyond the endpoint.”

While CrashStealer, as the Jamf Threat Labs report confirmed, required the victim to download a malicious Werkbit app installer, it included a legitimate developer ID that allowed the download to bypass Gatekeeper protections on initial launch. Apple has said that it has revoked the credentials that are associated with this application after being made aware of the threat by Jamf researchers.

That’s the good news. The bad news is what sets CrashStealer apart from most infostealer threats , and that, Xhaflaire said, “is less what it collects than how it is built.” By which the researcher is referring to the fact that it uses client-side AES-GCM encryption of the collected files and reveals a distinct emphasis on analysis resistance, encrypted strings and layered anti-debugging. That said, I’ve seen plenty of malware, including other macOS credential stealers , that employ careful tactics to avoid detection. It’s part and parcel of the cybercriminal strategy, after all.

Tuskira’s Piyush Sharma, meanwhile, told me that he thinks the real issue is that this is an identity and access problem, rather than a straightforward malware one. Especially when it comes to enterprise users. “You need to know which Macs are infected,” said, “but the question that should be asked is: “What identities, SaaS apps, cloud roles, code repositories, and production systems could those stolen credentials reach?” Which means that organizations need to test whether existing controls would detect or block the same path, and, Sharma concluded, “continuously validate which identities and systems are reachable if a credential is stolen again.”

To which I would add that consumers should also take away from this new report that just because you use macOS does not mean you are off the cybercriminals’ radar. While there are fewer active security threats facing users who have adopted an Apple ecosystem than a Windows-based one, that by no means implies that there are none. Front and center of these threats are infostealers, and for good reason: your passwords are the keys to your data kingdom . My advice remains the same: do not run scripts or installers from untrusted sites, check to ensure the URLs of sites you visit are the real deal rather than close copies and only use the Mac App Store rather than clicking through from social media or email.