CrashStealer macOS Malware: New Threat Targets Apple Devices

CrashStealer macOS malware is the newest cyber threat targeting Apple devices, raising concerns for businesses and individuals reliant on macOS platforms. This event has come to light amid a surge in sophisticated attacks against critical sectors, including recent incidents affecting major European defence and retail organisations.

CrashStealer Malware: What Happened?

CrashStealer is a newly identified piece of malware specifically designed to target macOS systems. Discovered in early June 2024, it represents a growing trend of attackers developing malicious software for Apple’s operating systems, traditionally considered less susceptible than Windows. The malware was detected following reports of unusual system crashes and data theft on compromised Apple devices.

According to initial research, CrashStealer is delivered primarily through phishing campaigns. Victims receive seemingly legitimate emails or messages, often imitating trusted contacts or brands, with malicious attachments or links. Once the payload is triggered, the malware installs itself and begins harvesting sensitive data from the device.

  • Date of Discovery: Early June 2024
  • Systems Affected: macOS devices (versions Monterey, Ventura, and Sonoma)
  • Method of Delivery: Phishing emails, malicious attachments, and websites
  • Type of Data Targeted: Credentials, system files, browser data

Technical Details and Attack Mechanism

CrashStealer operates by exploiting vulnerabilities in macOS’s file permission system. After initial infection, the malware escalates its privileges by leveraging known but unpatched flaws, granting it broad access to user files and system processes. It then silently exfiltrates data to an external server controlled by the attacker.

Notable technical features of CrashStealer include:

  • Persistence: The malware modifies system startup scripts to ensure it runs every time the device is rebooted.
  • Data Exfiltration: It targets browser databases and keychain files, seeking login credentials and financial information.
  • Stealth: CrashStealer uses encrypted communication channels to avoid detection by traditional security tools.

Researchers have traced the malware’s command and control (C2) infrastructure to servers based outside Europe, complicating efforts to disrupt its operations. The initial infection vector is most effective against users with outdated macOS versions or those who have not applied recent security updates.

Timeline of the CrashStealer Malware Campaign

  • Early June 2024: First reports of system instability and unauthorised data access on macOS devices.
  • Mid-June 2024: Security researchers isolate and identify the unique characteristics of CrashStealer.
  • Late June 2024: Public advisories issued by cybersecurity vendors, recommending immediate updates and increased monitoring for suspicious activity.

As of the latest reports, the malware campaign is ongoing, with active exploitation attempts detected in Europe and North America. No official patch has been released specifically for CrashStealer, but applying the latest macOS security updates may mitigate some risks.

Who Is at Risk from CrashStealer?

The primary targets for CrashStealer appear to be professionals and organisations using macOS for sensitive operations, particularly in sectors that handle financial data, intellectual property, or confidential communications. While there is no indication that the malware is widespread among UK small and medium-sized businesses (SMBs), the attack method is generic enough that any macOS user could be affected if they interact with a malicious email or website.

Attackers are exploiting trust in Apple devices to bypass lower vigilance, especially in environments where macOS is assumed to be more secure by default. The phishing campaigns associated with CrashStealer have shown signs of sophistication, including well-crafted messages and spoofed sender addresses.

CrashStealer’s Wider Context: Recent Related Cyber Events

CrashStealer’s emergence coincides with a wave of high-profile cyber incidents. In the same reporting period, a ransomware attack hit German naval defence firm ThyssenKrupp Marine Systems, and supermarket chain Lidl confirmed a data breach. These events highlight the expanding attack surface facing European organisations in 2024.

  • ThyssenKrupp Marine Systems: Disrupted by ransomware, with potential implications for naval defence supply chains.
  • Lidl: Data breach with customer information at risk, underlining the importance of proactive breach notification monitoring.

While these incidents involve different sectors and attack types, they reflect the broader trend of increasingly frequent and sophisticated cyber threats targeting both traditional and newer technology platforms.

Why CrashStealer Matters

The CrashStealer macOS malware demonstrates that Apple platforms are no longer immune to targeted cyber attacks. As threat actors diversify their toolkits, organisations relying on macOS must adapt their security strategies accordingly. The malware’s use of phishing and privilege escalation underlines the importance of timely software updates and user awareness.

What Organisations Should Do Next

  • Apply the latest macOS security updates across all devices.
  • Increase user awareness of phishing techniques, especially those targeting macOS users.
  • Monitor for unusual system crashes or unexpected data access activity.
  • Review endpoint protection solutions for compatibility with macOS.

Early detection and response are essential for limiting the impact of CrashStealer and similar threats. Organisations should stay alert for further advisories as the situation develops.

Originally reported by securityweek.com.

Share this bulletin

About the Author

Headshot of Jonny Pelter, leading cyber security expert in the UK and CISO

Jonny Pelter

Partner

  • CIPM
  • CIPP/E
  • CISSP
  • CISM
  • CRISC
  • ISO27001
  • Prince2
  • MSc
  • BSc

Jonny Pelter

Jonny is a Founding Partner at CyPro and executive group level CISO who has worked closely with the British intelligence agencies NCSC and GCHQ.

An ex-professional rugby player and originating from KPMG and Deloitte, Jonny has a wealth of experience across numerous sectors including technology, critical national infrastructure, financial services, oil & gas, insurance, betting, pharmaceuticals and utilities.

Jonny is a leading cyber security expert in the UK, having featured on national media for his professional commentary such as BBC News, iPlayer, Telegraph and Times Radio.

View Profile
Back to Bulletins

Related CyPro Services

  • Managed Detection and Response (MDR)

    Managed Detection and Response (MDR) is an end-to-end managed service designed to help organisations detect, analyse and respond to cyber threats quickly and effectively. It...
    View Service
CyPro Cookie Consent

Hmmm cookies...

Our delicious cookies make your experience smooth and secure.

Privacy PolicyOkay, got it!

We use cookies to enhance your experience, analyse site traffic, and for marketing purposes. For more information on how we handle your personal data, please see our Privacy Policy.

Schedule a Call