
OSX/CrescentCore

The OSX/CrescentCore malware is a Trojan that hides inside an Adobe Flash Player installer and targets Mac OSX users. It attempts to avoid detection by refusing to run if it finds itself inside a virtual machine or if third-party anti-virus software is installed on the machine.

A Few Details about the OSX/CrescentCore Malware

Researchers currently know of multiple versions of this malware. All versions present themselves as a .dmg disk image containing a "Player" application. If the user opens the Player application, the malware checks whether it is running inside a virtual machine and whether any third-party anti-virus applications are installed. If it detects either, it exits without taking any action.

If no VM or anti-virus software is detected, the malware proceeds to install threatening software. The versions studied so far install unwanted Safari browser extensions, a LaunchAgent (a macOS mechanism for starting a program automatically when the user logs in), or applications such as "Advanced Mac Cleaner." Advanced Mac Cleaner is a known unwanted application that fabricates or "detects" fake issues to get the user to pay for a solution they do not need. Unwanted browser extensions can cause pop-ups and advertisements that disrupt your workflow, and any malware can potentially be used to gather information about you or your computer and Internet usage. Some extensions mine cryptocurrencies, causing heavy wear and heat on your machine's processor and other components.

Versions found in the wild were signed with trusted Apple Developer certificates, which allowed them to pass Apple's built-in protections such as Gatekeeper. The certificates found so far have been reported to Apple.

Advice to Mac OSX Users

Although the compromised certificates have been reported and disabled by Apple, the company cannot completely prevent new certificates from being abused to distribute malware. Be doubly certain of where an application came from before opening it on your machine.

Almost all browsers and operating systems come packaged with Adobe Flash Player, so you do not normally need to install it manually. If you do need to for any reason, visit https://get.adobe.com/flashplayer/ and check that the site's SSL certificate is valid to make sure you are downloading the application from the official Adobe website.

What to Do if You Accidentally Run the Threatening “Player” Application and Give CrescentCore Access to Your Machine

Typically, the best way to avoid the pain of malware removal (which is often unsuccessful) is to keep good anti-virus software installed and updated daily, as new malware is released regularly.

Once infected, there is no guarantee that you will be able to remove everything CrescentCore installed completely, but here are some common areas to clean up manually if your anti-virus does not take care of it automatically:

  • LaunchAgents Folder (~/Library/LaunchAgents)
    Open your LaunchAgents folder and move to Trash any suspicious-looking files installed recently. Examples of unsafe file names include:
    - installmac.AppRemoval.plist
    - myppes.download.plist
    Please be careful and search the web for any filename before you move it to Trash, as there are a lot of legitimate files in this folder.
  • Applications
    Check for any applications in your Applications Folder you do not recognize as having installed yourself and move them to Trash. These may include:
    - Advanced Mac Cleaner
    - MplayerX
  • Application Support Folder (~/Library/Application Support)
    Open your Application Support Folder, look for any folders that you do not recognize and move them to Trash. These will usually correspond to Applications installed automatically as mentioned above.
  • Browser Extensions
    Open your browsers, Safari especially, and find the "Extensions" page. Look for any extensions you have not installed yourself and remove them.
    There are many unwanted extensions, and each is usually specific to the browser you use. Just look for anything installed recently that you do not recognize.
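The LaunchAgents step above is the one most easily checked from a terminal. The following audit script is an added example written for this page, not code from the article or its author: it lists plists in a LaunchAgents folder that changed within the last N days, flags the two file names the article names, and prints the program each agent launches. The default folder and the 30-day window are assumptions; the script only reads files and moves nothing to Trash.

```shell
#!/bin/sh
# Audit a LaunchAgents folder for recently changed plists and known-bad names.
# Added example; the two file names come from the article, the default folder
# and the 30-day window are assumptions.

KNOWN_BAD="installmac.AppRemoval.plist myppes.download.plist"

# program_of PLIST: print the first <string> that follows the ProgramArguments
# key, i.e. the binary or script the agent runs. Handles the XML plist form
# only (binary plists would need plutil on macOS).
program_of() {
    awk '/<key>ProgramArguments<\/key>/ { want = 1; next }
         want && /<string>/ {
             sub(/^.*<string>/, "")        # drop everything up to the tag
             sub(/<\/string>.*$/, "")      # drop the closing tag and after
             print; exit
         }' "$1"
}

# is_known_bad NAME: succeed if NAME is one of the names the article lists.
is_known_bad() {
    for n in $KNOWN_BAD; do
        [ "$1" = "$n" ] && return 0
    done
    return 1
}

# audit_launchagents [DIR] [DAYS]: one line per plist modified within DAYS
# days: "KNOWN-BAD <name> -> <program>" or "RECENT <name> -> <program>".
# Every RECENT entry still deserves a manual look; the tag only says it is
# new, not that it is safe.
audit_launchagents() {
    dir=${1:-"$HOME/Library/LaunchAgents"}
    days=${2:-30}
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -name '*.plist' -mtime "-$days" | sort |
    while read -r f; do
        name=$(basename "$f")
        if is_known_bad "$name"; then tag="KNOWN-BAD"; else tag="RECENT"; fi
        printf '%s %s -> %s\n' "$tag" "$name" "$(program_of "$f")"
    done
}
```

Run `audit_launchagents` with no arguments for your own user folder, or pass another folder and a different number of days as the two arguments.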
