← Back to blog

CrashStealer macOS Malware Bypasses Gatekeeper via Notarized Dropper

A new macOS malware named CrashStealer uses a notarized dropper to bypass Apple's Gatekeeper security. It steals sensitive data after validating the user's login password.

TL;DR

  • New macOS malware CrashStealer harvests sensitive user data.
  • It uses a notarized C++ dropper to bypass Gatekeeper protections.
  • The malware validates login passwords locally before exfiltrating data.
  • Security teams should monitor for unusual notarized app behaviors.
  • Jamf Threat Labs identified and reported the threat.

Cybersecurity researchers have uncovered a new macOS threat called CrashStealer, an information-stealing malware that cleverly evades Apple’s built-in security mechanisms. Unlike many of its predecessors, CrashStealer is built using native C++ and packaged within a notarized dropper, allowing it to slip past Gatekeeper protections.

Once executed, the malware prompts victims to enter their login credentials, which it then validates locally. If successful, CrashStealer proceeds to harvest sensitive data from the infected system. This technique highlights an increasing trend where attackers abuse legitimate Apple processes to gain unauthorized access.

Technical Overview

  • CrashStealer is written in native C++, distinguishing it from typical AppleScript or Objective-C based macOS malware.
  • It uses a notarized dropper to appear legitimate and bypass Apple’s Gatekeeper checks.
  • The malware locally verifies the entered password before proceeding with data theft.
  • It targets sensitive user data including keychain items, browser credentials, and system information.

Implications for Security Teams

  • Organizations should audit notarized applications for suspicious behavior or unexpected network activity.
  • Endpoint detection and response tools should flag local password validation attempts by unsigned or unusual binaries.
  • User training should emphasize caution when entering credentials into unexpected prompts, even from seemingly trusted apps.
  • Monitoring Gatekeeper bypass events and unusual process execution chains can help detect similar threats early.

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

CrashStealer macOS Malware Bypasses Gatekeeper via Notarized Dropper — Agent Breach Blog | Agent Breach