CrashStealer, a newly identified macOS information stealer, leverages Apple's own notarization system to bypass Gatekeeper security checks and establish persistence on victim machines.
Jamf Threat Labs uncovered the malware, which differs from typical macOS threats by using a native C++ implementation rather than AppleScript or Objective-C wrappers. The malware uses a notarized dropper, a technique that exploits Apple's code-signing verification process to appear legitimate to the operating system.
The threat validates victim login credentials locally before exfiltrating data, reducing detection risk during credential theft. CrashStealer targets sensitive information including passwords, browser data, and system credentials. Once installed, the malware establishes persistence mechanisms that survive system reboots.
The use of notarization represents an escalation in macOS malware sophistication. Apple's notarization service, designed to detect malicious code before execution, becomes a trojan horse when attackers obtain valid developer certificates or compromise legitimate developer accounts. Gatekeeper, macOS's primary execution control, trusts notarized code by default, allowing CrashStealer to run without user warnings.
Organizations running macOS environments face increased exposure to credential theft and data exfiltration. Attackers can harvest plaintext passwords stored in browsers, SSH keys, API credentials, and authentication tokens. The locally-validated password check suggests targeting of high-value accounts with administrative privileges.
Defense requires multi-layered controls beyond system-level security. Organizations should enforce password managers to limit stored credentials, implement endpoint detection and response solutions tuned for macOS threats, and restrict developer certificate distribution. Users benefit from disabling automatic credential saving in browsers and applying filesystem encryption.
The discovery demonstrates how Apple's own security mechanisms become liabilities when weaponized. Notarization provides defensive value only when
