Latest Mac Malware Disguises Itself as Flash Installer, Hides from Security Researchers

A new Mac malware has been discovered in the wild.

Intego researchers have uncovered a new piece of Mac malware called OSX/CrescentCore. It is distributed as a DMG disk image that masquerades as a Flash Player installer to evade detection.

Intego reported on the malware in a blog post:

The team at Intego has observed OSX/CrescentCore in the wild being distributed via numerous sites. Mac users should beware that they may encounter it, even via seemingly innocuous sources such as Google search results.

The new malware was first observed linked from a site purporting to share digital copies of new comic books for free—one of many shady sites that flagrantly violate U.S. copyright laws […]

A high-ranking Google search result was also observed redirecting through multiple sites, eventually leading to a page (hosted at any of a large number of domains) with flashy warnings about Adobe Flash Player supposedly needing to be updated—which in reality is a malware distribution site.

Unlike other malware, OSX/CrescentCore also has mechanisms to avoid discovery by security researchers. After launch, OSX/CrescentCore automatically checks whether it is running inside a virtual machine and whether anti-virus software is installed on the computer:

If a user opens the .dmg disk image and opens the Player app (which has a Flash Player icon), the Trojan horse will first check to see whether it is running inside a virtual machine (VM). Malware analysts often examine malware inside a VM to avoid unintentionally infecting their own computers while working with dangerous files, so malware authors sometimes implement VM detection and behave differently to make it more difficult to analyze the malware’s behavior.

The OSX/CrescentCore Trojan app also checks to see whether any popular Mac antivirus programs are installed.

If the malware determines that it’s running within a VM environment or with anti-malware software present, it will simply exit and not proceed to do anything further.

Intego also suggests that no one should be installing Flash in 2019, advice that we agree with. “Nobody should be installing Flash Player in 2019—not even the real, legitimate one,” reads the blog post. “Nearly all sites have stopped relying on Flash, as Adobe is discontinuing it; the company plans to no longer release security updates for Flash after 2020.”

Unfortunately, the malware is signed with hacked Apple developer IDs, which have now been reported to the company.
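The two defender-relevant points in this story are the masquerade (a "Flash Player" app delivered as a DMG from an unrelated site) and the fact that a valid Developer ID signature proves nothing when the ID itself was hacked. The following triage helper is an added example, not Intego's code or anything from the article: it parses the text that `codesign -dvv <bundle>` prints (a constructed sample is embedded, with placeholder identifiers) and flags a Flash-branded bundle whose signer or download source is not the one expected. The expected signer prefix and host allowlist are assumptions to be verified against a genuine vendor install before use.

```python
"""Triage a macOS app bundle that presents itself as a Flash Player installer.

Added example; not code from the article or from Intego. It works on the
key=value text that `codesign -dvv` writes, so it runs anywhere, and the
sample below is constructed (placeholder team ID and signer name).
"""
from dataclasses import dataclass, field

# ASSUMPTIONS, not values from the article: check them against a genuine
# vendor-signed build and the vendor's real download host before relying on them.
EXPECTED_FLASH_SIGNER_PREFIX = "Developer ID Application: Adobe"
EXPECTED_FLASH_HOSTS = {"adobe.com", "get.adobe.com"}


@dataclass
class SigningInfo:
    identifier: str = ""
    team_id: str = ""
    authorities: list = field(default_factory=list)

    @property
    def leaf_authority(self) -> str:
        # codesign prints the signing (leaf) certificate first, then the chain.
        return self.authorities[0] if self.authorities else ""


def parse_codesign_output(text: str) -> SigningInfo:
    """Collect Identifier, TeamIdentifier and every Authority line from codesign -dvv output."""
    info = SigningInfo()
    for line in text.splitlines():
        if "=" not in line:
            continue  # e.g. "code object is not signed at all" or free-text lines
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "Identifier":
            info.identifier = value
        elif key == "TeamIdentifier":
            info.team_id = value
        elif key == "Authority":
            info.authorities.append(value)
    return info


def triage(bundle_name: str, source_host: str, codesign_text: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious was matched.

    A signature that merely validates is NOT treated as proof of legitimacy:
    the check is whether the signing identity is the one the branding implies.
    """
    findings = []
    info = parse_codesign_output(codesign_text)
    claims_flash = "flash" in bundle_name.lower()

    if claims_flash:
        findings.append("claims to be Flash Player: no legitimate install need in 2019")
    if not info.authorities:
        findings.append("bundle is unsigned or ad-hoc signed")
    elif claims_flash and not info.leaf_authority.startswith(EXPECTED_FLASH_SIGNER_PREFIX):
        findings.append(f"Flash-branded app signed by unexpected identity: {info.leaf_authority}")
    if claims_flash and source_host.lower() not in EXPECTED_FLASH_HOSTS:
        findings.append(f"Flash installer served from non-vendor host: {source_host}")
    return findings


# Constructed sample of codesign -dvv output; the team ID and developer name are placeholders.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Volumes/Flash Player/Player.app/Contents/MacOS/Player
Identifier=com.example.player
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Signature size=8930
Authority=Developer ID Application: Example Developer (PLACEHOLDERID)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=PLACEHOLDERID
Sealed Resources version=2 rules=13 files=4
"""

if __name__ == "__main__":
    for finding in triage("Flash Player", "comics-example.invalid", SAMPLE_CODESIGN_OUTPUT):
        print("-", finding)
```

Run on a real download, pipe `codesign -dvv /Volumes/<image>/Player.app 2>&1` into `triage()` along with the bundle's display name and the host it came from; three findings on the constructed sample (Flash branding, unexpected signer, non-vendor host) is the pattern the article describes, while an unsigned bundle produces the "unsigned" finding instead of the signer one.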