Threat Management, Malware, Security Strategy, Plan, Budget

Mac OSX/CrescentCore malware designed to evade antivirus

A fake Flash Player trojan malware is targeting Macs with a design that allows it to evade antivirus solutions. 

Dubbed OSX/CrescentCore, Intego researchers spotted the malware in the wild in several places on the web ranging from sketchy copyright-infringing download sites to rogue, high-ranking, non-sponsored Google search results links, according to a June 28th blog post.

Researchers warned Mac users to beware that they can become infected even by seemingly innocuous sources such as Google search results. 

The malware was first observed on a site purporting to share digital copies of new comic books for free — one of many shady sites that flagrantly violates U.S. copyright laws.

OSX/CrescentCore is disguised as Flash Player updates with researchers noting how far off the phony prompts look compared to a legitimate Flash Player update. Chrome users should be especially skeptical since the Chrome browser has its own built-in version of Flash that gets updated automatically.

“As a general rule, nobody should be installing Flash Player in 2019 — not even the real, legitimate one,” researchers said in the post. “Nearly all sites have stopped relying on Flash, as Adobe is discontinuing it; the company plans to no longer release security updates for Flash after 2020.”

The fake Flash Player of course, is delivered as a .dmg disk however, OSX/CrescentCore has some extra capabilities in an effort to make it more difficult for antivirus software to detect, and more difficult for malware analysts to examine and reverse engineer, researchers said.

If the victim is fooled and opens the .dmg disk image and opens the fake Flash Player app, the malware will first check to see whether it is running inside a virtual machine (VM), and if it detects it is, will simply exit and not proceed to do anything further to prevent analysis of its behavior.  

The malware also checks to see whether any popular Mac antivirus programs are installed and will proceed to install a LaunchAgent—a persistent infection with Mac users who aren’t using antivirus software.

“A second variant of this malware is currently under analysis,” the post said. “Depending on the variant, the trojan installer may install rogue software known as "Advanced Mac Cleaner" (OSX/AMC) or install a malicious Safari browser extension.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.