Newly discovered Mac OSX/CrescentCore malware spotted in the wild

• The malware is disguised as Flash Player installer to avoid detection and to be easily installed on a victim’s system.
• The new malware was first observed on a site purporting to share digital copies of new comic books for free.

Intego researchers have uncovered a new piece of Mac malware called OSX/CrescentCore. The malware is distributed in the form of DMG disk image, masquerading as Flash Payer installer, to evade detection by antiviruses.

A sneak peek into the malware

Security researchers at Intego, who are previously responsible for the discovery of OSX/Linker, have found CrescentCore on multiple websites. The malware is disguised as Flash Player installer to avoid detection and to be easily installed on a victim’s system. The new malware was first observed on a site purporting to share digital copies of new comic books for free.

Apart from this, the researchers also noted that, “A high-ranking Google search result was also observed redirecting through multiple sites, eventually leading to a page (hosted at any of a large number of domains) with flashy warnings about Adobe Flash Player supposedly needing to be updated—which in reality is a malware distribution site.”

The sketchy sites that are involved in the distribution of the malware claimed to offer free versions of movies, TV shows, music, and books.

What makes the malware unique?

CrescentCors is delivered as a Trojan horse through a DMG disk image file, masquerading as an Adobe Flash Player updater. If a user opens the DMG disk image file and opens the Player app, the Trojan horse will first check to see whether it is running inside a virtual machine.

“Malware analysts often examine malware inside a VM to avoid unintentionally infecting their own computers while working with dangerous files, so malware authors sometimes implement VM detection and behave differently to make it more difficult to analyze the malware’s behavior,” researchers added.

The OSX/CrescentCore trojan also checks to see whether any popular Mac antivirus programs are installed on a victim’s machine. If it finds an antivirus or running within a VM environment, the malware will simply exit and not proceed further.

A new variant in line

Adding more woes to the situation, Intego researchers have discovered a second variant of OSX/CrescentCore malware. Depending on the variant, the trojan installer may install rogue Advanced Mac Cleaner’ software or a malicious Safari browser extension onto the victim’s machine. Both the versions of CrescentCore are signed by certificates assigned to a developer named Sanela Lovic.