Crashstealer
ID: 3a55ee98-61bf-4621-97bb-2fbf1aaaecbd
STIX ID: report--3a55ee98-61bf-4621-97bb-2fbf1aaaecbd
Threat Score
75/100
CrashStealer is a native C++ macOS infostealer delivered via a signed, notarized disk-image dropper that impersonates Apple crash-reporting components; it captures login credentials (validated locally), unlocks and copies the login keychain, harvests browser profiles, ~80 wallet extensions and multiple password managers, encrypts collected data with AES-256-GCM using PBKDF2-derived keys, packages results into hidden ZIPs under ~/.cache/com.apple.crashreporter/, and exfiltrates them to a hardcoded C2 (179.43.166.242). The family employs control-flow flattening, encrypted strings, layered anti-debugging, and persists by re-signing a copy and loading a LaunchAgent; defenders can hunt for signed dropper artifacts, staging under /private/tmp/.CrashReporter and hidden .zx_*.zip archives in the cache directory as high-value indicators.
