Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Latest Mac malware in the wild evades security software, researchers

Newly uncovered Mac malware is not only in the wild, but trying to avoid detection by security researchers, according to one such firm.

Dubbed "CrescentCore," the malware comes as it usually does — in the form of a DMG file pretending to be an Adobe Flash Player installer, Intego said. If someone launches its contents, the software will check to see if it's running inside a virtual machine — a way researchers often quarantine their subjects.

The malware also checks for several popular antivirus tools, and if it detects them, will simply stop running. If there's nothing in the way one version will install "LaunchAgent," described as a "persistent infection," while another will install either "Advanced Mac Cleaner" or a Safari extension.

CrescentCore can be found on multiple websites, including one claiming to offer free downloads of new comic books, Intego warned. Another is said to be "a high-ranking Google search result" that redirects visitors through multiple websites, ultimately trying to trick people into a fake Flash update.

"As a general rule, nobody should be installing Flash Player in 2019 — not even the real, legitimate one," Intego commented. HTML5 and other technologies have made Flash obsolete, and Adobe itself is ending development and distribution of Flash Player by the end of 2020. The plugin was disabled by default in 2016's macOS Sierra, and has never been available in iOS.

For years Flash has been a common vector for security threats, leading Mac, Windows, and Web developers to drift away.

CrescentCore is signed with multiple developer IDs registered to a "Sanela Lovic," which Apple has already disabled. Intego's own antivirus software is already scrubbing the code.



19 Comments

maestro64 19 Years · 5029 comments

Not that I ever install any App that does not originate from the original source. However, their are still lots of stupid website still using flash. I see it more often than not where I get the Adobe Flash icon being disable on a website and get the message asking if I want to enable it for just this site. There are website which sill have not gotten the message HTML5 solves the problem. There are also website which still rely on MS .NET and Active X. 

BTW, the reason I come across those website is I am doing research on a topic and i go to the some website and they are still using Flash for what every the reason, many time I seeing it on University website. As it was pointed out Google will put them at the top of the list. along with websites which whole reason to exist is to get you to install malware on your computer.  

gatorguy 13 Years · 24627 comments

maestro64 said:As it was pointed out Google will put them at the top of the list. along with websites which whole reason to exist is to get you to install malware on your computer.  

...If not for Google blocking your access to sites with known malware, forcing you to click thru the warnings and visit the site anyway. Perhaps you shouldn't do that.
 https://safebrowsing.google.com/

bloggerblog 16 Years · 2520 comments

The malware also checks for several popular antivirus tools, and if it detects them, will simply stop running. Nothing suspicious here 

MacPro 18 Years · 19845 comments

Seriously, they picked Flash installer as a Trojan Horse for Mac users?  They must be looking for the least Mac savvy users out there I guess.  

OutdoorAppDeveloper 15 Years · 1292 comments

At this point, Apple should prevent Flash or anything claiming to be Flash from installing. Flash is toxic even if it is the real thing. It has been removed from my computers for years and has ceased to be an issue. Ad blockers also prevent many attack vectors via javascript.