New Mac malware in the wild evades security software, researchers

Roger Fingas for AppleInsider:

Newly uncovered Mac malware is not only in the wild, but trying to avoid detection by security researchers, according to one such firm.

Dubbed “CrescentCore,” the malware comes as it usually does — in the form of a DMG file pretending to be an Adobe Flash Player installer, Intego said. If someone launches its contents, the software will check to see if it’s running inside a virtual machine — a way researchers often quarantine their subjects.

The malware also checks for several popular antivirus tools, and if it detects them, will simply stop running. If there’s nothing in the way, one version will install “LaunchAgent,” described as a “persistent infection,” while another will install either “Advanced Mac Cleaner” or a Safari extension.
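The “LaunchAgent” persistence the AppleInsider piece mentions is an ordinary launchd plist dropped into one of the directories launchd reads at login. As an added example (not code from the article, AppleInsider or Intego), the script below parses such plists the way a defender triaging a Mac would, flagging any agent that starts automatically from a location outside the platform’s usual program paths. The trusted-prefix list is a triage heuristic I assume here, not an Intego indicator, and the two sample plists are constructed so the script runs offline.

```python
# Added example: triage launchd agent plists for auto-starting programs that
# live outside trusted locations. Sample data below is constructed, not a
# real CrescentCore indicator.
import io
import plistlib
from pathlib import Path

# Directories launchd reads agent plists from (real macOS locations).
LAUNCH_AGENT_DIRS = [
    "~/Library/LaunchAgents",
    "/Library/LaunchAgents",
    "/System/Library/LaunchAgents",
]

# Heuristic (my assumption for this example): a program started at login from
# a path outside these prefixes deserves a closer look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def parse_launch_agent(data: bytes) -> dict:
    """Pull out the launchd plist fields that matter for persistence triage."""
    p = plistlib.load(io.BytesIO(data))
    program = p.get("Program")
    args = p.get("ProgramArguments") or []
    if program is None and args:
        program = args[0]  # launchd uses argv[0] when Program is absent
    return {
        "label": p.get("Label", "<no label>"),
        "program": program,
        "args": args,
        "run_at_load": bool(p.get("RunAtLoad", False)),
        # KeepAlive may be a bool or a dict of conditions; either means restart
        "keep_alive": bool(p.get("KeepAlive", False)),
    }


def is_suspicious(entry: dict) -> bool:
    """Flag agents that start automatically from an untrusted location."""
    program = entry["program"]
    if not program:
        return False
    auto_start = entry["run_at_load"] or entry["keep_alive"]
    return auto_start and not program.startswith(TRUSTED_PREFIXES)


def triage(plists: dict) -> list:
    """plists maps file path -> raw bytes; returns flagged (path, label, program)."""
    flagged = []
    for path, data in plists.items():
        entry = parse_launch_agent(data)
        if is_suspicious(entry):
            flagged.append((path, entry["label"], entry["program"]))
    return flagged


def load_from_disk() -> dict:
    """Read every .plist in the launchd agent directories on this Mac."""
    found = {}
    for d in LAUNCH_AGENT_DIRS:
        for f in Path(d).expanduser().glob("*.plist"):
            try:
                found[str(f)] = f.read_bytes()
            except OSError:
                continue
    return found


# Constructed sample plists: one benign vendor updater, one agent hiding in a
# user's Application Support folder with RunAtLoad and KeepAlive set.
SAMPLE_PLISTS = {
    "/Library/LaunchAgents/com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "RunAtLoad": True,
    }),
    "/Users/alice/Library/LaunchAgents/com.fakeflash.agent.plist": plistlib.dumps({
        "Label": "com.fakeflash.agent",
        "ProgramArguments": ["/Users/alice/Library/Application Support/.hidden/agent"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
}

if __name__ == "__main__":
    # Swap SAMPLE_PLISTS for load_from_disk() to inspect the local machine.
    for path, label, program in triage(SAMPLE_PLISTS):
        print(f"FLAG {label}: {program} ({path})")
```

Running it on the samples flags only `com.fakeflash.agent`. Replace `SAMPLE_PLISTS` with `load_from_disk()` to audit a real Mac; anything it flags still needs a human to check the program’s code signature and origin, since legitimate third-party agents also live under `/Library/LaunchAgents`.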

Joshua Long for Intego:

The team at Intego has observed OSX/CrescentCore in the wild being distributed via numerous sites. Mac users should beware that they may encounter it, even via seemingly innocuous sources such as Google search results.

The new malware was first observed linked from a site purporting to share digital copies of new comic books for free—one of many shady sites that flagrantly violates U.S. copyright laws.

Potentially harmful download links are commonly found on digital piracy sites that claim to offer download links for cracked copies of software, popular movies, and other copyrighted content that cannot be legally obtained for free. It is quite common for links on such sites to send users to malware, scams, or both.

MacDailyNews Take: Don’t steal software.

Here’s our usual oft-repeated reminder for Mac users and anyone who’s trying to use any other platform: Do not download and authorize the installation of applications (Trojans) from untrusted sources. No OS can protect users from themselves (or we wouldn’t be able to install any software). Those who grant attackers access to their Macs should not be surprised to find their Macs are compromised.
