In-the-wild Mac malware kept busy in June - [security]
07:53 AM EDT - Jun,30 2019 - post a comment
June was a busy month for Mac malware with the active circulation of at least six threats, several of which were able to bypass security protections Apple has built into modern versions of its macOS. The latest discovery was published Friday by Mac antivirus provider Intego
, which disclosed malware dubbed OSX/CrescentCore that's available through Google search results and other mainstream channels. It masquerades as an updater or installer for Adobe's Flash media player, but it's in fact just a persistent means for its operators to install malicious Safari extensions, rogue disk cleaners, and potentially other unwanted software.
OSX/CrescentCore is delivered as a Trojan horse application on a .dmg disk image, masquerading as an Adobe Flash Player installer.
However, unlike the typical, everyday, fake Flash Player updater, OSX/CrescentCore has some extra capabilities in an effort to make it more difficult for antivirus software to detect, and more difficult for malware analysts to examine and reverse engineer.
If a user opens the .dmg disk image and opens the Player app (which has a Flash Player icon), the Trojan horse will first check to see whether it is running inside a virtual machine (VM). Malware analysts often examine malware inside a VM to avoid unintentionally infecting their own computers while working with dangerous files, so malware authors sometimes implement VM detection and behave differently to make it more difficult to analyze the malware's behavior.
The OSX/CrescentCore Trojan app also checks to see whether any popular Mac antivirus programs are installed.
If the malware determines that it's running within a VM environment or with anti-malware software present, it will simply exit and not proceed to do anything further.
For Mac users without antivirus software, however, the Trojan will proceed to install a LaunchAgent-a persistent infection.
A second variant of this malware is currently under analysis. Depending on the variant, the Trojan installer may install rogue software known as "Advanced Mac Cleaner" (OSX/AMC) or install a malicious Safari browser extension.