No fewer than six examples of Mac malware were discovered last month, including one which exploits a vulnerability in macOS Gatekeeper. The latest example – dubbed OSX/CrescentCore – takes steps to hide from security researchers.

Security company Intego says it has found CrescentCore on multiple websites, posing as, you guessed it, a Flash Player updater …

The company reported on it in a blog post.

As the company notes, sketchy sites claiming to offer free versions of movies, TV shows, music and books are an extremely common source of malware.

The new malware was first observed linked from a site purporting to share digital copies of new comic books for free—one of many shady sites that flagrantly violates U.S. copyright laws […]

A high-ranking Google search result was also observed redirecting through multiple sites, eventually leading to a page (hosted at any of a large number of domains) with flashy warnings about Adobe Flash Player supposedly needing to be updated—which in reality is a malware distribution site.

How CrescentCore hides from security researchers

CrescentCore takes two steps to hide itself from security researchers.

We’d echo the advice from Intego about Flash.

The OSX/CrescentCore Trojan app also checks to see whether any popular Mac antivirus programs are installed.

If the malware determines that it’s running within a VM environment or with anti-malware software present, it will simply exit and not proceed to do anything further.

Once again, the malware is signed with Apple-issued developer IDs, which have now been reported to the company, but it’s likely that new IDs will be used soon. Apple plays a constant game of whack-a-mole with developer IDs which have been hacked or misused.
