Intelligence
highMalwareEmerging

CrashStealer bypasses macOS Gatekeeper with notarised C++ dropper, signalling supply-chain trust abuse

A new macOS information stealer called CrashStealer uses Apple-notarised droppers to evade Gatekeeper protections. Written in native C++ rather than scripting languages, it validates victim credentials locally before exfiltration.

S
Sebastion

Affected

macOS

CrashStealer represents a strategic shift in macOS malware distribution. Rather than relying on AppleScript or Objective-C wrappers that trigger user warnings, this family uses properly notarised droppers that pass Gatekeeper validation. Notarisation, Apple's code-signing and malware-scanning process, was intended as a trust signal. The malware's ability to obtain notarisation suggests either attack infrastructure sophisticated enough to evade Apple's scanning or potential gaps in detection tuning for native C++ payloads.

The C++ implementation is technically significant. It indicates maturation beyond script-based attacks and suggests either ported code from other platforms or purpose-built development. The local password validation before exfiltration is a defensive measure: it reduces noise from honeypots and systems without useful credentials, improving operational security for the attacker and making detection harder for defenders who might rely on anomalous credential access patterns.

Defenders face a compounding problem. Notarisation was meant to raise the bar for malware distribution, but CrashStealer demonstrates that the barrier has shifted rather than disappeared. Organisations cannot treat notarised software as trustworthy; the signed status only confirms Apple scanned it at submission time. macOS users and administrators should treat any unfamiliar software with suspicion regardless of notarisation status, implement application allowlisting where feasible, and monitor for local credential validation attempts that might indicate information-stealer behaviour.

The broader implication is that supply-chain trust mechanisms, when implemented as binary gates (signed or unsigned), can become liabilities if attainable by sophisticated attackers. Apple will likely respond with enhanced notarisation scanning or runtime telemetry, but the cat-and-mouse dynamic has shifted to native code. Organisations should assume that macOS, long perceived as inherently more secure, now requires equivalent endpoint detection and response investment as Windows.