While macOS is generally very stable, there are times when an app will crash and your Mac will offer to send a diagnostic report to Apple.
A new form of Mac malware has been discovered, which creates fake versions of this form, requesting your Mac password as part of the data collection. If you comply, it will get access to a huge range of personal data, including your password managers and cryptocurrency wallets …
Jamf says it first began tracking the malware in May, and has now seen it in the wild.
In early May, a suspicious macOS sample uploaded to VirusTotal surfaced through our sample-processing pipeline, and Jamf Threat Labs began tracking it. It impersonated Apple’s crash reporting framework and, at that point, looked like an infostealer still in development. By early July we were seeing in-the-wild detections of the payload matching one of our in-house rules, indicating the project had matured from development into active use. We track this malware under the name CrashStealer.
The cybersecurity company says that the disk image used to distribute the malware initially had a valid Apple Developer ID and notarization that allowed it to pass Gatekeeper checks.
Initial access is through a disk image named “Werkbit Setup,” which mounts at /Volumes/Werkbit Setup and contains a single application bundle, Werkbit.app. Its executable is named veltod and carries the bundle identifier dev.golove.velto. Unlike the payload it eventually installs, the dropper is properly code signed and notarized: it is a universal (arm64 and x86_64) binary signed with the Developer ID Emil Grigorov (WWB7JA7AQV), has hardened runtime enabled, and carries a stapled notarization ticket. Notably, the disk image itself is signed as well, not just the application inside it, which is uncommon in malicious DMG delivery where the container is typically left unsigned.
Macworld says that Apple has revoked the credentials, so it should now be detected by Gatekeeper. However, caution is still advised. In addition to looking out for that disk image, you should also closely examine app crash reports and any password prompt saying that System Preferences wants to make changes.
As always, your best protection is to ensure that you only ever download apps from the Mac App Store and the websites of developers you trust.
Photo by Philipp Katzenberger on Unsplash
FTC: We use income earning auto affiliate links. More.
Check out 9to5Mac on YouTube for more Apple news:
Apple’s Mac lineup consists of MacBook, MacBoo…
Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!



