Latest Mac malware in the wild evades security software, researchers
Newly uncovered Mac malware is not only in the wild, but trying to avoid detection by security researchers, according to one such firm.
Dubbed "CrescentCore," the malware comes as it usually does -- in the form of a DMG file pretending to be an Adobe Flash Player installer, Intego said. If someone launches its contents, the software will check to see if it's running inside a virtual machine -- a way researchers often quarantine their subjects.
The malware also checks for several popular antivirus tools, and if it detects them, will simply stop running. If there's nothing in the way one version will install "LaunchAgent," described as a "persistent infection," while another will install either "Advanced Mac Cleaner" or a Safari extension.
CrescentCore can be found on multiple websites, including one claiming to offer free downloads of new comic books, Intego warned. Another is said to be "a high-ranking Google search result" that redirects visitors through multiple websites, ultimately trying to trick people into a fake Flash update.
"As a general rule, nobody should be installing Flash Player in 2019 -- not even the real, legitimate one," Intego commented. HTML5 and other technologies have made Flash obsolete, and Adobe itself is ending development and distribution of Flash Player by the end of 2020. The plugin was disabled by default in 2016's macOS Sierra, and has never been available in iOS.
For years Flash has been a common vector for security threats, leading Mac, Windows, and Web developers to drift away.
CrescentCore is signed with multiple developer IDs registered to a "Sanela Lovic," which Apple has already disabled. Intego's own antivirus software is already scrubbing the code.
Dubbed "CrescentCore," the malware comes as it usually does -- in the form of a DMG file pretending to be an Adobe Flash Player installer, Intego said. If someone launches its contents, the software will check to see if it's running inside a virtual machine -- a way researchers often quarantine their subjects.
The malware also checks for several popular antivirus tools, and if it detects them, will simply stop running. If there's nothing in the way one version will install "LaunchAgent," described as a "persistent infection," while another will install either "Advanced Mac Cleaner" or a Safari extension.
CrescentCore can be found on multiple websites, including one claiming to offer free downloads of new comic books, Intego warned. Another is said to be "a high-ranking Google search result" that redirects visitors through multiple websites, ultimately trying to trick people into a fake Flash update.
"As a general rule, nobody should be installing Flash Player in 2019 -- not even the real, legitimate one," Intego commented. HTML5 and other technologies have made Flash obsolete, and Adobe itself is ending development and distribution of Flash Player by the end of 2020. The plugin was disabled by default in 2016's macOS Sierra, and has never been available in iOS.
For years Flash has been a common vector for security threats, leading Mac, Windows, and Web developers to drift away.
CrescentCore is signed with multiple developer IDs registered to a "Sanela Lovic," which Apple has already disabled. Intego's own antivirus software is already scrubbing the code.
Comments
BTW, the reason I come across those website is I am doing research on a topic and i go to the some website and they are still using Flash for what every the reason, many time I seeing it on University website. As it was pointed out Google will put them at the top of the list. along with websites which whole reason to exist is to get you to install malware on your computer.
https://safebrowsing.google.com/
I can only guess that their thought process might be to think that if anyone is still using Flash on their Mac, they have to be stupid enough to be asking for it.
a) expend a lot of effort to craft a trojan that will run on 80% of the targets and have a 1% chance of successful infection.
OR
b) expend relatively little effort to craft a trojan that will run on 1% of the targets and have an 80% chance of successful infection.
In both cases the infected population is 0.8% but (b) was a lot less work.
(.NET dev here)
From the source article:
"Regarding the aforementioned rogue Google search result link, the redirection through multiple pages is accomplished through various methods. One page in the redirection chain was caught using obfuscated JavaScript code to conceal the fact that it was a redirector script."
Yeah sounds exactly like Google was purposely directing you to malware via that single search result.
They've already started and demonetizing Youtube videos of anyone who disagrees with them. They've already changed search results to fit their agenda.
Can't find the leaked video where they're panicking about 2020 elections.
Edit: Nevermind it's in this video.
Some kids are easily fooled and click on the fake download buttons or install apps that promise to "speed up" their mac. Kids don't usually realise that a piece of software is not going to be able to upgrade the speed of their mac, and many kids and adults alike are yet to realise that nothing is truly free either.