New Mac malware masquerades as Apple's crash reporter: 3 ways to dodge the threat
Follow ZDNET: Add us as a preferred source on Google.

Follow ZDNET: Add us as a preferred source on Google.
A new form of malware is masquerading as Apple's crash reporting tool to target MacOS users and harvest their data, account credentials, keychain entries, and cryptocurrency wallets.
Also: Why this fully agentic ransomware attack is giving researchers nightmares
In a July 13 research advisory , Jamf cybersecurity researchers said the malware, dubbed "CrashStealer," is a C++ infostealer that first appeared on their radar following a suspicious upload to VirusTotal. It appears that the malware was in development around May but has now been released into the wild.
You've probably encountered Apple's legitimate crash reporting tool, which appears when software crashes or quits unexpectedly -- a pop-up window asks whether you want to report the error.
When the malware lands on a MacOS machine, it impersonates Apple's crash reporter by using the aliases CrashReporter.dmg (for installation), CrashReporter.app (for the application bundle), and a legitimate-looking icon.
Also: These two critical Mac security features are off by default - how to turn them on and why you should
While this malware contains many of the basic info-stealing capabilities you would expect, it also has an interesting prompt. CrashReporter tries to unlock the keychain by displaying a fake password prompt that mimics a genuine MacOS authorization request.
The malware then validates these stolen credentials locally before targeting installed password managers, browsers, and cryptocurrency wallets. Passwords are then whisked off in an encrypted package to an attacker-controlled server.
Some infostealers, such as CrashStealer, arrive on your Mac as disk images. Disk images, which end in .dmg, are the standard way to install software on a Mac -- you click them, drag them to the Applications folder, and begin the installation process.
What makes this case interesting is that CrashStealer's main .dmg file, distributed as "Werkbit Setup" -- which packages up CrashReporter.dmg -- is a signed and Apple-notarized dropper disguised as a disk image.
"Because the dropper carries a valid Developer ID and a stapled notarization ticket, it clears Gatekeeper on first launch, in contrast to the ad-hoc-signed payload it installs," the researchers note.
Also: 6 MacOS settings I immediately change on every new Mac - and why
In other words, the .dmg file appears to be a legitimate, trustworthy utility, and there are no immediate red flags.
Source: ZDNet