CrescentCore Mac Malware Outsmarts Apple: What to Do

There's yet another piece of Mac malware able to outsmart Apple's security protections. 

The latest discovery, announced in a blog post Friday by Intego and called OSX/CrescentCore, has been found on several websites, including a sketchy comic-book-download site. Intego warned users of "seemingly innocuous" Google search results that could lead to the malware. 

CrescentCore is a Trojan horse: it poses as an Adobe Flash Player installer or updater. It can evade both your antivirus software and Apple's built-in protections, and it also makes it harder for malware analysts to observe it running on a virtual machine.

To avoid infection by CrescentCore, don't install software from dubious sources, especially sites that ask you to install Flash Player or another piece of software to view content. You should also run Mac antivirus software and keep the OS, browsers and browser extensions updated as soon as security patches are released.


OSX/CrescentCore is just one of several Mac security threats uncovered in the past month. Intego, which recently revealed two other Mac malware strains, OSX/Linker and OSX/New Tab, calls CrescentCore "the next generation of fake Flash Player malware."

The versions Intego found were signed with Apple-trusted developer certificates, which let CrescentCore slide right past the macOS Gatekeeper program. The abused certificates have been reported to Apple. 

According to Intego's blog post, the CrescentCore malware scans the Mac for several popular antivirus tools and, if it detects any of them, simply stops running. It also shuts down if it thinks it's running on a virtual machine -- a computer OS running inside another computer OS -- rather than on an actual Mac.

But if neither of these conditions is true and nothing is blocking CrescentCore, one version of the malware installs a LaunchAgent, which Intego describes as a "persistent infection," while another installs either "Advanced Mac Cleaner" or a Safari extension.
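A defender-side triage script for the LaunchAgent persistence described above. This is an added example, not Intego's code or anything taken from the malware: it parses launchd agent plists and flags entries whose program lives in a user-writable or hidden location or whose label references Flash. The two plists, the paths and the heuristics are constructed for illustration, not real CrescentCore artifacts.

```python
import plistlib

# Heuristics assumed for this example: vendor agents normally execute from
# /Applications or system locations; a program under a user home or temp
# directory, or inside a hidden directory, is worth a closer look.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")
KEYWORDS = ("flash", "adobe")

# Constructed sample plists keyed by a hypothetical on-disk path.
SAMPLES = {
    "~/Library/LaunchAgents/com.example.flashupdate.plist": plistlib.dumps({
        "Label": "com.example.flashupdate",
        "ProgramArguments": ["/Users/alice/Library/Application Support/.fp/updater", "--quiet"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "/Library/LaunchAgents/com.example.vendor.agent.plist": plistlib.dumps({
        "Label": "com.example.vendor.agent",
        "Program": "/Applications/Vendor.app/Contents/MacOS/agent",
        "RunAtLoad": True,
    }),
}

def triage_plist(data: bytes) -> list:
    """Return reason strings for one launchd plist; an empty list means nothing notable."""
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    if not program:
        return ["no Program or ProgramArguments key"]
    reasons = []
    if program.startswith(USER_WRITABLE_PREFIXES):
        reasons.append(f"executable in user-writable location: {program}")
    if "/." in program:
        reasons.append("executable path contains a hidden directory")
    haystack = (plist.get("Label", "") + " " + program).lower()
    if any(k in haystack for k in KEYWORDS):
        reasons.append("label or path references Flash/Adobe")
    # Persistence keys are normal on their own; report them only alongside another finding.
    if reasons and (plist.get("RunAtLoad") or plist.get("KeepAlive")):
        reasons.append("runs at login and/or is kept alive by launchd")
    return reasons

def triage_all(samples: dict) -> dict:
    """Map each plist path to its findings, omitting entries with nothing notable."""
    return {path: r for path, data in samples.items() if (r := triage_plist(data))}

if __name__ == "__main__":
    for path, reasons in triage_all(SAMPLES).items():
        print(path, *("  - " + r for r in reasons), sep="\n")
```

On a live system the same function can be fed the contents of each plist under ~/Library/LaunchAgents and /Library/LaunchAgents, but the heuristics are a starting point for review, not a verdict.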

"As a general rule, nobody should be installing Flash Player in 2019 — not even the real, legitimate one," Intego said in the post. 

Adobe is ending all development and distribution of Flash Player by the end of 2020. The Flash Player plugin has been disabled by default on Macs since 2016's macOS 10.12 Sierra. In other words, don't download anything that even resembles Flash Player, especially if you're not running an antivirus program on your computer.

The OSX/CrescentCore announcement comes just after Intego unmasked OSX/Linker, a piece of malicious software that attempts to hijack control of your system, turn it into a cryptocurrency miner, draft it into a botnet, and harvest personal information from it.

The malware, which was disclosed by researcher Filippo Cavallarin last month, works by loading installers from a network-shared disk, which is outside Gatekeeper's domain.

Earlier this month, another zero-day vulnerability was discovered (and subsequently patched) by Mozilla. It was a Firefox flaw on all platforms, but was exploited to attack cryptocurrency traders using Macs. 

The recent discoveries are a warning that more and more malware creators are taking the time to develop malware for macOS, a platform once assumed to have too small a market share to be worth attacking.

And again, Flash = bad.
