New malware continues to be discovered for the Mac, with at least six examples being discovered in the the last month. The latest malware – dubbed as OSX/CrescentCore – does its best to hide from security researchers.
Security firm Intego says it has discovered the new malware on various websites, posing as a Flash Player update. (Shocking, I know.)
The team at Intego has observed OSX/CrescentCore in the wild being distributed via numerous sites. Mac users should beware that they may encounter it, even via seemingly innocuous sources such as Google search results.
The new malware was first observed linked from a site purporting to share digital copies of new comic books for free—one of many shady sites that flagrantly violates U.S. copyright laws […]
A high-ranking Google search result was also observed redirecting through multiple sites, eventually leading to a page (hosted at any of a large number of domains) with flashy warnings about Adobe Flash Player supposedly needing to be updated—which in reality is a malware distribution site.
Crescent Core looks to hide itself from security researchers in two ways.
If the user opens the .dmg disk image and opens the Player app, the Trojan will first check to see if it is being run inside of a virtual machine. (Malware researchers often examine suspected malware inside of a virtual machine to avoid infecting their own computers. Malware authors have struck back by adding VPN detection to their payloads to make it more difficult to analyze malware’s behavior.)
The OSX/CrescentCore Trojan app also checks if any popular Mac antivirus programs are installed.
If the malware determines that it’s running within a VM environment or with anti-malware software present, it will simply exit and not proceed to do anything further.
It’s 2019, and as mentioned by Intego, what the heck are you doing still using Flash Player? Adobe is discontinuing it, and will no longer release security updates for Flash after 2020. Admittedly, many casual users aren’t aware of the dangers of Flash Player, which makes them an attractive target for malware makers.
Sadly, the malware is signed by Apple, using hacked developer IDs, which have now been reported to the company.