Latest Mac malware in the wild evades security software, researchers

Posted:
in macOS
Newly uncovered Mac malware is not only in the wild, but trying to avoid detection by security researchers, according to one such firm.

CrescentCore


Dubbed "CrescentCore," the malware comes as it usually does -- in the form of a DMG file pretending to be an Adobe Flash Player installer, Intego said. If someone launches its contents, the software will check to see if it's running inside a virtual machine -- a way researchers often quarantine their subjects.

The malware also checks for several popular antivirus tools, and if it detects them, will simply stop running. If there's nothing in the way one version will install "LaunchAgent," described as a "persistent infection," while another will install either "Advanced Mac Cleaner" or a Safari extension.

CrescentCore can be found on multiple websites, including one claiming to offer free downloads of new comic books, Intego warned. Another is said to be "a high-ranking Google search result" that redirects visitors through multiple websites, ultimately trying to trick people into a fake Flash update.

"As a general rule, nobody should be installing Flash Player in 2019 -- not even the real, legitimate one," Intego commented. HTML5 and other technologies have made Flash obsolete, and Adobe itself is ending development and distribution of Flash Player by the end of 2020. The plugin was disabled by default in 2016's macOS Sierra, and has never been available in iOS.

For years Flash has been a common vector for security threats, leading Mac, Windows, and Web developers to drift away.

CrescentCore is signed with multiple developer IDs registered to a "Sanela Lovic," which Apple has already disabled. Intego's own antivirus software is already scrubbing the code.

Comments

  • Reply 1 of 19
    maestro64maestro64 Posts: 4,643member
    Not that I ever install any App that does not originate from the original source. However, their are still lots of stupid website still using flash. I see it more often than not where I get the Adobe Flash icon being disable on a website and get the message asking if I want to enable it for just this site. There are website which sill have not gotten the message HTML5 solves the problem. There are also website which still rely on MS .NET and Active X. 

    BTW, the reason I come across those website is I am doing research on a topic and i go to the some website and they are still using Flash for what every the reason, many time I seeing it on University website. As it was pointed out Google will put them at the top of the list. along with websites which whole reason to exist is to get you to install malware on your computer.  
  • Reply 2 of 19
    gatorguygatorguy Posts: 20,928member
    maestro64 said:As it was pointed out Google will put them at the top of the list. along with websites which whole reason to exist is to get you to install malware on your computer.  
    ...If not for Google blocking your access to sites with known malware, forcing you to click thru the warnings and visit the site anyway. Perhaps you shouldn't do that.
     https://safebrowsing.google.com/
  • Reply 3 of 19
    bloggerblogbloggerblog Posts: 1,863member
    The malware also checks for several popular antivirus tools, and if it detects them, will simply stop running. 
    Nothing suspicious here 
  • Reply 4 of 19
    MacProMacPro Posts: 18,359member
    Seriously, they picked Flash installer as a Trojan Horse for Mac users?  They must be looking for the least Mac savvy users out there I guess.  
    cornchip
  • Reply 5 of 19
    At this point, Apple should prevent Flash or anything claiming to be Flash from installing. Flash is toxic even if it is the real thing. It has been removed from my computers for years and has ceased to be an issue. Ad blockers also prevent many attack vectors via javascript.
    lostkiwiAppleExposed
  • Reply 6 of 19
    sflocalsflocal Posts: 4,685member
    MacPro said:
    Seriously, they picked Flash installer as a Trojan Horse for Mac users?  They must be looking for the least Mac savvy users out there I guess.  
    I find it odd that virus writers have a decent level of technical ability to code and distribute a payload, yet they are dumber than dirt when it comes to masking that payload as a Flash file.  It just seems odd.

    I can only guess that their thought process might be to think that if anyone is still using Flash on their Mac, they have to be stupid enough to be asking for it.
  • Reply 7 of 19
    sflocal said:
    MacPro said:
    Seriously, they picked Flash installer as a Trojan Horse for Mac users?  They must be looking for the least Mac savvy users out there I guess.  
    I find it odd that virus writers have a decent level of technical ability to code and distribute a payload, yet they are dumber than dirt when it comes to masking that payload as a Flash file.  It just seems odd.

    I can only guess that their thought process might be to think that if anyone is still using Flash on their Mac, they have to be stupid enough to be asking for it.
    Why would you find that odd?  If you're a virus designer, who would you rather target?  The tech savvy user who has a greater chance of resisting, mitigating if infected, and reporting the issue.  The tech illiterate who still responds to random requests to update software.  The latter is more likely to fall for the virus install, less likely to know how to mitigate the infection, and not likely to report the issue to anyone.  Flash as a vector is a shotgun approach. Shoot as many unsuspecting victims as possible.  As of May 2019 ~17% of Macs were still running El Cap or older.  Flash would not be such an anomaly on those machines.
    dysamoria
  • Reply 8 of 19
    rotateleftbyterotateleftbyte Posts: 1,150member
    When I bought a new MBP in 2015 I decided that I was done with Flash. I've resisted attempts by many sites to get me to install Flash.
    Yet there are still some out there that ONLY work with Flash installed.  I hope Adobe just blocks it from working anywhere very soon.

    Flash is evil and needs to die today.
    minicoffee
  • Reply 9 of 19
    MacPro said:
    Seriously, they picked Flash installer as a Trojan Horse for Mac users?  They must be looking for the least Mac savvy users out there I guess.  
    You can:

    a) expend a lot of effort to craft a trojan that will run on 80% of the targets and have a 1% chance of successful infection.
    OR
    b) expend relatively little effort to craft a trojan that will run on 1% of the targets and have an 80% chance of successful infection.

    In both cases the infected population is 0.8% but (b) was a lot less work. 
    gatorguycornchipdysamoriaFileMakerFeller
  • Reply 10 of 19
    cornchipcornchip Posts: 1,365member
    and this malware does what exactly?
    dysamoria
  • Reply 11 of 19
    gatorguygatorguy Posts: 20,928member
    cornchip said:
    and this malware does what exactly?
    Apparently it acts as a doorway for 3rd party downloads of PUP's and outright infections. 
  • Reply 12 of 19
    maestro64maestro64 Posts: 4,643member
    gatorguy said:
    maestro64 said:As it was pointed out Google will put them at the top of the list. along with websites which whole reason to exist is to get you to install malware on your computer.  
    ...If not for Google blocking your access to sites with known malware, forcing you to click thru the warnings and visit the site anyway. Perhaps you shouldn't do that.
     https://safebrowsing.google.com/
    but google plans to block content they do not politically agree with, but they will promote site which only exist to rip people off. Yep keep sticking up for Google 
    lkruppAppleExposed
  • Reply 13 of 19
    StrangeDaysStrangeDays Posts: 8,304member
    maestro64 said:
    Not that I ever install any App that does not originate from the original source. However, their are still lots of stupid website still using flash. I see it more often than not where I get the Adobe Flash icon being disable on a website and get the message asking if I want to enable it for just this site. There are website which sill have not gotten the message HTML5 solves the problem. There are also website which still rely on MS .NET and Active X. 

    BTW, the reason I come across those website is I am doing research on a topic and i go to the some website and they are still using Flash for what every the reason, many time I seeing it on University website. As it was pointed out Google will put them at the top of the list. along with websites which whole reason to exist is to get you to install malware on your computer.  
    Point of correction — .NET is not web client or public facing technology. It is not ActiveX. A website may be written in ASP.NET on the backend but it still renders into HTML and JavaScript when served to a web client just like any other website. 

    (.NET dev here)
    macplusplus
  • Reply 14 of 19
    fastasleepfastasleep Posts: 3,109member
    sflocal said:
    MacPro said:
    Seriously, they picked Flash installer as a Trojan Horse for Mac users?  They must be looking for the least Mac savvy users out there I guess.  
    I find it odd that virus writers have a decent level of technical ability to code and distribute a payload, yet they are dumber than dirt when it comes to masking that payload as a Flash file.  It just seems odd.

    I can only guess that their thought process might be to think that if anyone is still using Flash on their Mac, they have to be stupid enough to be asking for it.
    It’s exceedingly common when removing malware from peoples’ Macs to find out they thought they ran a Flash update. Or, sometimes it’s a purported video codec. Either way, it often shows up as a modal dialog that looks nearly identical to other macOS modals. People have no idea why they should or shouldn’t need to run the (fake) update, and in many cases whether they even had Flash installed to begin with. I deal with this frequently. Most users don’t understand how any of this works. 
    StrangeDays
  • Reply 15 of 19
    gatorguygatorguy Posts: 20,928member
    maestro64 said:
    gatorguy said:
    maestro64 said:As it was pointed out Google will put them at the top of the list. along with websites which whole reason to exist is to get you to install malware on your computer.  
    ...If not for Google blocking your access to sites with known malware, forcing you to click thru the warnings and visit the site anyway. Perhaps you shouldn't do that.
     https://safebrowsing.google.com/
    but google plans to block content they do not politically agree with, but they will promote site which only exist to rip people off. Yep keep sticking up for Google 
    No idea what you're talking about. 

    From the source article:
    "Regarding the aforementioned rogue Google search result link, the redirection through multiple pages is accomplished through various methods. One page in the redirection chain was caught using obfuscated JavaScript code to conceal the fact that it was a redirector script."

    Yeah sounds exactly like Google was purposely directing you to malware via that single search result. 
  • Reply 16 of 19
    AppleExposedAppleExposed Posts: 1,404unconfirmed, member
    maestro64 said:
    gatorguy said:
    maestro64 said:As it was pointed out Google will put them at the top of the list. along with websites which whole reason to exist is to get you to install malware on your computer.  
    ...If not for Google blocking your access to sites with known malware, forcing you to click thru the warnings and visit the site anyway. Perhaps you shouldn't do that.
     https://safebrowsing.google.com/
    but google plans to block content they do not politically agree with, but they will promote site which only exist to rip people off. Yep keep sticking up for Google 
    "Plans"?

    They've already started and demonetizing Youtube videos of anyone who disagrees with them. They've already changed search results to fit their agenda.



    Can't find the leaked video where they're panicking about 2020 elections.
    Edit: Nevermind it's in this video.
    edited July 1
  • Reply 17 of 19
    sflocal said:
    MacPro said:
    Seriously, they picked Flash installer as a Trojan Horse for Mac users?  They must be looking for the least Mac savvy users out there I guess.  
    I find it odd that virus writers have a decent level of technical ability to code and distribute a payload, yet they are dumber than dirt when it comes to masking that payload as a Flash file.  It just seems odd.

    I can only guess that their thought process might be to think that if anyone is still using Flash on their Mac, they have to be stupid enough to be asking for it.
    It's because Adobe still issue flash updates by throwing the user to the download page of their website, where it auto downloads. So if the user isn't particularly savvy or paying much attention then they can be fooled into thinking it's yet another flash update. The people who I see most fall for this: Kids.

    Some kids are easily fooled and click on the fake download buttons or install apps that promise to "speed up" their mac. Kids don't usually realise that a piece of software is not going to be able to upgrade the speed of their mac, and many kids and adults alike are yet to realise that nothing is truly free either.
  • Reply 18 of 19
    cornchip said:
    and this malware does what exactly?
    "Weird Al" Yankovic - Virus Alert - YouTube
  • Reply 19 of 19
    macguimacgui Posts: 1,376member
    The malware also checks for several popular antivirus tools, and if it detects them, will simply stop running. 
    Nothing suspicious here 
    And it makes sense, given it's malware. Anything malware does should be expected to be malevolent, and that's beyond suspicion, it's fact. Especially qhwn that activity isn't seen, it's not suspicious.
Sign In or Register to comment.