Mon. Nov 18th, 2019

Researcher found the latest Mac malware OSX/CrescentCore


Security research firm Intego has discovered a new piece of Mac malware, OSX/CrescentCore, which is once again disguised as a Flash Player update. To lure users into downloading and running it, the websites that host OSX/CrescentCore claim to offer free movies, TV shows, music and e-books.

“Malware Notification” by Christoph Scholz is licensed under CC BY-SA 2.0

Unlike much other malware, OSX/CrescentCore also includes mechanisms to avoid being examined by security researchers. After it is launched, it checks whether it is running inside a virtual machine and whether anti-virus software is installed on the computer.

“If a user opens the .dmg disk image and opens the Player app (which has a Flash Player icon), the Trojan horse will first check to see whether it is running inside a virtual machine (VM). Malware analysts often examine malware inside a VM to avoid unintentionally infecting their own computers while working with dangerous files, so malware authors sometimes implement VM detection and behave differently to make it more difficult to analyze the malware’s behavior.

The OSX/CrescentCore Trojan app also checks to see whether any popular Mac antivirus programs are installed.

If the malware determines that it’s running within a VM environment or with anti-malware software present, it will simply exit and not proceed to do anything further.”

It is already 2019, and it is recommended that you do not install Flash Player under any circumstances. Almost all popular websites have stopped relying on Flash, and Adobe has announced that it will stop releasing Flash security updates after 2020. OSX/CrescentCore is signed with an Apple Developer ID certificate, and I believe that Apple will disable this developer ID in the near future.