June was a busy month for Mac malware with the active circulation of at least six threats, several of which were able to bypass security protections Apple has built into modern versions of its macOS.
The latest discovery was published Friday by Mac antivirus provider Intego, which disclosed malware dubbed OSX/CrescentCore that's available through Google search results and other mainstream channels. It masquerades as an updater or installer for Adobes Flash media player, but it's in fact just a persistent means for its operators to install malicious Safari extensions, rogue disk cleaners, and potentially other unwanted software.
“The team at Intego has observed OSX/CrescentCore in the wild being distributed via numerous sites,” Integos Joshua Long wrote of two separate versions of the malware his company has found. “Mac users should beware that they may encounter it, even via seemingly innocuous sources such as Google search results.”
Security evasions
Long said that the CrescentCore versions he observed were signed with certificates belonging to an Apple-trusted developer. That would allow the malware to bypass Gatekeeper, a macOS protection thats designed to thwart malware by allowing only digitally signed applications to be installed. Both recovered versions of CrescentCore are signed by certificates assigned to a developer using the name Sanela Lovic using certificate fingerprints 5UA7HW48Y7 and D4AYX8GHJS.
Long said he reported the certificate abuse to Apple, but as early Friday afternoon, a tool called WhatsYourSign, developed by Mac security expert Patrick Wardle, showed both signing certificates remained valid. On Friday evening, the tool showed one certificate had been revoked and another remained valid.
CrescentCore uses other techniques to avoid detection and analysis. After targets click on the fake Flash installer/updater, it first checks to see if its about to be installed inside a virtual machine or on a Mac thats running AV software. If either of those possibilities turns out to be true, the trojan will simply exit and not do anything more. Security researchers almost always test suspected malware inside VMs to prevent accidentally infecting trusted work computers.
Mac users who want to check for infections should look for files with the name Player.dmg (or Player #.dmg or Player (#).dmg where # is a numeral such as 1 or 2) downloaded to the Downloads folder. Infected Macs may also contain folders or files with the following names:
- /Library/com.apple.spotlight.Core
- /Library/Application Support/com.apple.spotlight.Core
- /Library/LaunchAgents/com.google.keystone.plist
- com.player.lights.extensions.appex
Fridays Intego post lists one of at least six macOS threats that have come to light this month. Others include:
- OSX/Linker, a Mac malware family that exploits a zero-day vulnerability in Gatekeeper so that it can install unsigned malware. The exploit technique, which was disclosed by researcher Filippo Cavallarin last month, works by loading installers from a network-shared disk, which is off limits to Gatekeeper.
- A cryptocurrency miner dubbed LoudMiner by ESET and Bird Miner by Malwarebytes, the two firms that independently discovered it. The miners, found in a cracked installer for the high-end music production software Ableton Live, work by emulating Linux.
- Malware dubbed OSX/Newtab, which Read More – Source [contf] [contfnew]
Ars Technica
[contfnewc] [contfnewc]
- Malware dubbed OSX/Newtab, which Read More – Source [contf] [contfnew]
