Latest Mac malware OSX/CrescentCore hides from security software

The latest Mac malware, OSX/CrescentCore, is trying to avoid detection by security researchers, according to security company Intego.

The company says it has found CrescentCore on multiple websites, including one claiming to offer free downloads of new comic books.

Dubbed “CrescentCore,” the malware comes, as it usually does, in the form of a DMG file pretending to be an Adobe Flash Player installer. If a user opens the .dmg disk image and opens the Player app, the malware will first check to see whether it is running inside a virtual machine.

The malware also checks to see whether any popular Mac antivirus programs are installed. If the malware determines that it’s running within a VM environment or with anti-malware software present, it will simply exit and not proceed to do anything further.

If there’s nothing in the way, one version will install a “LaunchAgent,” described as a “persistent infection,” while another will install either “Advanced Mac Cleaner” or a Safari extension.

“Nobody should be installing Flash Player in 2019—not even the real, legitimate one. Nearly all sites have stopped relying on Flash, as Adobe is discontinuing it; the company plans to no longer release security updates for Flash after 2020,” Intego commented.

CrescentCore is signed with multiple developer IDs registered to a “Sanela Lovic,” which Apple has already disabled. Intego’s own antivirus software is already scrubbing the code.