Latest Mac Malware Goes to Great Lengths to Avoid Detection and Bypass Security Measures

Several Mac malware families have surfaced recently that manage to evade detection and slip past Apple's built-in security protections. Now Intego has discovered another one, dubbed OSX/CrescentCore.

Intego's researchers found that the malware is being served from sites that turn up in Google search results and from other mainstream-looking sources. As with much recent Mac malware, the payload is wrapped in a DMG disk image posing as an Adobe Flash Player installer. Once run, CrescentCore installs a malicious Safari extension, a so-called disk cleaner, and other potentially unwanted software.

Joshua Long, Chief Security Analyst at Intego, said: "The team at Intego has observed OSX/CrescentCore in the wild being distributed via numerous sites." He added that "Mac users should beware that they may encounter it, even via seemingly innocuous sources such as Google search results."

Long said the CrescentCore samples he examined were signed with valid Apple Developer ID certificates. Gatekeeper's default policy allows Developer ID-signed software to run, so the signature let the installer launch without the usual unidentified-developer warning. Intego reported the certificate abuse to Apple, and as of Friday the company had revoked one of the certificates. Revocation only blocks samples signed with that particular certificate; the authors can sign new builds with another one, so a revoked certificate is not a lasting fix.

CrescentCore also takes steps to avoid analysis. When the victim runs the installer, it first checks whether it is running inside a virtual machine and whether antivirus software is present. If either check succeeds, the Trojan simply exits without dropping its payload, which keeps it out of sandbox-based analysis and away from machines where it is likely to be caught.

How to know if your Mac is infected with CrescentCore?

A few simple checks will tell you whether a Mac has been hit. Look in the Downloads folder for a disk image named Player.dmg or Player 1.dmg (or any other number). Infected Macs may also contain files or folders with the following names:

  • /Library/com.apple.spotlight.Core
  • /Library/Application Support/com.apple.spotlight.Core
  • /Library/LaunchAgents/com.google.keystone.plist
  • com.player.lights.extensions.appex
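The checks above can be scripted. The following is an added example written for this article, not Intego's tooling: a POSIX shell function that looks for each indicator listed above on a scan root (`/` on a live Mac, or a mounted forensic image) and in a user's home folder. Two things are assumptions rather than facts from the report: the same relative paths are also checked under the user's own `~/Library`, because per-user launch agents normally live there, and the `.appex` extension bundle is searched for under the usual application locations rather than the whole disk.

```shell
#!/bin/sh
# Added example: triage script for the CrescentCore indicators listed above.
# Usage: sh crescentcore_check.sh [ROOT] [HOME]
#   ROOT  volume to scan (default /; a mounted image works too)
#   HOME  user folder whose Downloads and Library are checked (default $HOME)
# Prints one "INDICATOR: <path>" line per hit; returns 0 when clean, 1 otherwise.
# A hit is a lead, not proof: inspect the file (codesign -dv, plutil -p,
# strings) before deciding it is malicious.

crescentcore_indicators() {
    root="${1:-/}"
    home="${2:-$HOME}"
    hits=0

    # 1. Dropped payload folders and the persistence launch agent, by exact path.
    #    Genuine Spotlight and Google Keystone components do not live under
    #    these names; the malware borrows them to blend in. Checking the same
    #    paths under the user's Library is an assumption, not from the report.
    for base in "$root" "$home"; do
        for rel in \
            "Library/com.apple.spotlight.Core" \
            "Library/Application Support/com.apple.spotlight.Core" \
            "Library/LaunchAgents/com.google.keystone.plist"
        do
            if [ -e "$base/$rel" ]; then
                printf 'INDICATOR: %s\n' "$base/$rel"
                hits=$((hits + 1))
            fi
        done
    done

    # 2. The fake Flash Player disk images: Player.dmg, Player 1.dmg,
    #    Player 2.dmg, ... in the Downloads folder.
    dmgs=$(find "$home/Downloads" -maxdepth 1 -type f \
        \( -name 'Player.dmg' -o -name 'Player [0-9]*.dmg' \) 2>/dev/null || true)
    if [ -n "$dmgs" ]; then
        printf '%s\n' "$dmgs" | sed 's/^/INDICATOR: /'
        hits=$((hits + $(printf '%s\n' "$dmgs" | wc -l)))
    fi

    # 3. The malicious Safari extension bundle. App extensions ship inside an
    #    app's Contents/PlugIns, so search the usual app locations by name
    #    (assumed locations, not from the report).
    appex=$(find "$root/Applications" "$home/Applications" "$home/Library" \
        -name 'com.player.lights.extensions.appex' 2>/dev/null || true)
    if [ -n "$appex" ]; then
        printf '%s\n' "$appex" | sed 's/^/INDICATOR: /'
        hits=$((hits + $(printf '%s\n' "$appex" | wc -l)))
    fi

    [ "$hits" -eq 0 ]
}

# Scan the live system (or the ROOT/HOME given on the command line).
crescentcore_indicators "${1:-/}" "${2:-$HOME}" && echo "No CrescentCore indicators found."
```

Run it as an ordinary user first, then with `sudo` so that `/Library` and other users' home folders are readable; the exit status makes it usable from a fleet-management job that only wants to know which machines need a closer look.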

CrescentCore follows close on the heels of OSX/Linker, another piece of Mac adware that came to light only recently. As a precaution, do not download and install software from untrusted sources, and treat sites that merely rank well in Google Search with the same suspicion. Keep your browsers and macOS updated to the latest versions. I personally prefer installing software from the Apple App Store and would recommend the same to others. Have you had an encounter with Mac malware? Let us know in the comments below. Lastly, steer clear of installing Flash Player, or any program that demands it; a "Flash Player" download offered by a third-party site is exactly the lure this malware uses.

[via ArsTechnica]