![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/OSX-CrescentCore-logo-600x400.png\"){kind=logo}
<\/p>\n<\/p>\n
Meet OSX\/CrescentCore<\/strong>, the next generation of fake Flash Player malware\u2014now redesigned to evade antivirus detection.<\/p>\n Hot on the heels of Intego’s discovery of OSX\/Linker<\/a> and being the first to detect OSX\/NewTab<\/a>, the Intego team has discovered in the wild another previously unknown bit of malware that installs other unwanted software. The new malware only installs other software if you’re not running third-party endpoint protection software, and only if your operating system isn’t running inside a virtual machine.<\/p>\n Intego has observed this malware in multiple places across the Web, from sketchy copyright-infringing download sites to rogue, high-ranking, non-sponsored Google search results links.<\/p>\n Intego customers are protected<\/strong> from OSX\/CrescentCore<\/strong> and the many other Mac malware threats discovered in June.<\/p>\n Continue reading to learn more, including:<\/p>\n However, unlike the typical, everyday, fake Flash Player updater,\u00a0OSX\/CrescentCore<\/strong>\u00a0has some extra capabilities in an effort to make it more difficult for antivirus software to detect, and more difficult for malware analysts to examine and reverse engineer.<\/p>\n OSX\/CrescentCore’s initial stage is a Trojan horse designed to look like a Flash installer.<\/p><\/div>\n If a user opens the .dmg disk image and opens the Player app (which has a Flash Player icon), the Trojan horse will first check to see whether it is running inside a virtual machine (VM). Malware analysts often examine malware inside a VM to avoid unintentionally infecting their own computers while working with dangerous files, so malware authors sometimes implement VM detection and behave differently to make it more difficult to analyze the malware’s behavior.<\/p>\n The OSX\/CrescentCore<\/strong> Trojan app also checks to see whether any popular Mac antivirus programs are installed.<\/p>\n If the malware determines that it’s running within a VM environment or with anti-malware software present, it will simply exit and not proceed to do anything further.<\/p>\n For Mac users without antivirus software, however, the Trojan will proceed to install a LaunchAgent\u2014a persistent infection.<\/p>\n A second variant of this malware is currently under analysis. Depending on the variant, the Trojan installer may install rogue software known as “Advanced Mac Cleaner” (OSX\/AMC<\/strong>) or\u00a0install a malicious Safari browser extension.<\/a><\/p>\n The team at Intego has observed OSX\/CrescentCore<\/strong>\u00a0in the wild being distributed via numerous sites. Mac users should beware that they may encounter it, even via seemingly innocuous sources such as Google search results.<\/p>\n The new malware was first observed linked from a site purporting to share digital copies of new comic books for free\u2014one of many shady sites that flagrantly violates U.S. copyright laws.<\/p>\n Digital piracy sites are often laden with malicious links that lead to malware.<\/p><\/div>\n Potentially harmful download links are commonly found on digital piracy sites that claim to offer download links for cracked copies of software, popular movies, and other copyrighted content that cannot be legally obtained for free. It is quite common for links on such sites to send users to malware, scams, or both.<\/p>\n A high-ranking Google search result was also observed redirecting through multiple sites, eventually leading to a page (hosted at any of a large number of domains) with flashy warnings about Adobe Flash Player supposedly needing to be updated\u2014which in reality is a malware distribution site that offers variants of either the new OSX\/CrescentCore<\/strong> malware or\u00a0OSX\/Shlayer<\/strong>, both of which are disguised as Flash Player updaters (Intego first discovered OSX\/Shlayer<\/a> in February 2018).<\/p>\n A fraudulent site distributing OSX\/CrescentCore, disguised as Flash Player.<\/p><\/div>\n You will never<\/em> see a legitimate Flash Player update that looks similar to this in your browser\u2014especially if you’re using Google Chrome, which has its own built-in version of Flash that gets updated automatically whenever the browser updates itself.<\/p>\n As a general rule, nobody should be installing Flash Player in 2019\u2014not even the real, legitimate one. Nearly all sites have stopped relying on Flash, as Adobe is discontinuing it; the company plans to\u00a0no longer release security updates<\/a> for Flash after 2020. Of course, the majority of casual Internet users aren’t aware of these facts, and malware makers love to prey on users’ lack of awareness.<\/p>\n See also our article about\u00a0how to tell if an Adobe Flash Player update is legitimate<\/a>.<\/p>\n Regarding the aforementioned rogue Google search result link, the redirection through multiple pages is accomplished through various methods. One page in the redirection chain was caught using obfuscated JavaScript code to conceal the fact that it was a redirector script.<\/p>\n Obfuscated JavaScript redirect code leading to an OSX\/CrescentCore fake alert page<\/p><\/div>\n The complex-looking obfuscation above uses a lot of simple substitution, so with a bit of patience one can simplify the code by hand, and voil\u00e0.<\/p>\n Now that it is more human-readable, we can learn that the script essentially tells the page to load a redirection script from a remote site.<\/p>\n Why such complicated JavaScript code? The developer may have been trying to hide the code from anti-malware products, or may have been attempting to mask its purpose from anyone savvy enough to view a page’s source code but lacking the skill or desire to decipher the jumbled JavaScript.<\/a><\/p>\n Users of Intego VirusBarrier X9 (part of Intego’s\u00a0Mac Premium Bundle X9<\/a> suite)\u00a0will be notified if a related file is found on their Mac; it will be detected as\u00a0OSX\/CrescentCore<\/strong>.<\/p>\n If you aren’t a VirusBarrier X9 user<\/strong>\u00a0yet, and if you think your Mac might be infected, you can scan your Mac with VirusBarrier Scanner<\/a> (available for free<\/a> on the Mac App Store) to check for any infections. After you scan your Mac, your best bet to prevent future infections is to get VirusBarrier X9<\/a>, which includes real-time scanning<\/a> functionality\u2014a critical feature to block malware before it can harm your Mac.<\/a><\/p>\n Mac malware developers are actively becoming more clever, attempting to make it harder to detect the malicious nature of their software. As we learned with\u00a0OSX\/Linker<\/strong>, makers of Mac malware are also\u00a0experimenting with new ways of bypassing Apple’s built-in protection mechanisms, even attempting to use zero-day vulnerabilities to do so.<\/p>\n As we mentioned recently, it’s sadly untrue<\/a> that Macs are somehow inherently safer than Windows PCs. Within the past month alone, there have been several new Mac malware campaigns<\/a> aside from Intego’s discoveries of\u00a0OSX\/CrescentCore<\/strong>\u00a0and\u00a0OSX\/Linker<\/strong>, including\u00a0OSX\/NewTab<\/strong>\u00a0(which Intego was the first to detect), OSX\/Netwire<\/strong> and OSX\/Mokes<\/strong>\u00a0(backdoors that spread via a Firefox zero-day vulnerability), OSX\/LoudMiner<\/strong> aka OSX\/BirdMiner<\/strong> (cryptocurrency miners that try to evade detection by running inside a virtualized operating system).<\/p>\n That’s just some of the malware observed in this single month; there are lots more variants discovered behind the scenes each week that don’t get their own writeup or press coverage.<\/p>\n Mac malware isn’t slowing down. Mac users, therefore, would be wise to take steps to actively protect themselves from malware threats.<\/a><\/p>\n The company that created this new malware identifies itself as simply “Lights.”<\/p>\n “Copyright \u00a9 2019 Lights” and “Copyright \u00a9 2019 com.lights.oblivion” are how the malware company identifies itself.<\/p><\/div>\n The malware is signed using multiple Apple Developer IDs registered to someone supposedly named Sanela Lovic (which may or may not be the developer’s real name); known identifiers so far include 5UA7HW48Y7 and D4AYX8GHJS.<\/p>\n Sanela Lovic, a developer at Lights, uses multiple Apple Developer IDs to sign OSX\/CrescentCore malware.<\/p><\/div>\n There are indications that the name or username of one of the developers may be Mehdi or mehdira.<\/a><\/p>\n Any code signed by a developer named Sanela Lovic, regardless of the exact identifier string, should be considered suspicious. So far, Intego has specifically observed Sanela Lovic (5UA7HW48Y7)<\/a> and\u00a0Sanela Lovic (D4AYX8GHJS)<\/a>\u00a0being used to sign malware found in the wild. (A VirusTotal account is required to access these links.) Both of these Developer IDs have been reported to Apple and will likely be disabled soon, so the developer will likely begin to distribute malware under new Apple Developer IDs which may or may not include the name Sanela Lovic.<\/p>\n Samples observed to date have been downloaded to the user’s Downloads folder with the file name An infected system may also contain folders or files with the following names:<\/p>\n All of these\u00a0OSX\/CrescentCore<\/strong>\u00a0samples are detected and eradicated by Intego VirusBarrier.<\/p>\n A variant of this malware is currently being analyzed. This article may be updated as further information becomes available.<\/a><\/p>\n We talked about OSX\/CrescentCore<\/strong>\u00a0on episode 89<\/a> of the Intego Mac Podcast.<\/p>\n\n
What does OSX\/CrescentCore do? What makes it unique?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/macOS-disk-image-dmg-iso-icon-150x150.png\"){kind=icon}
OSX\/CrescentCore<\/strong> is delivered as a Trojan horse application on a .dmg disk image, masquerading as an Adobe Flash Player installer.<\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/OSX-CrescentCore-disk-image-mounted-1024x1024.png\")
Is this malware in the wild? How does it spread?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/OSX-CrescentCore-pirated-comics-infection-vector.png\")
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/OSX-CrescentCore-fake-Adobe-Flash-Player-distribution-site.png\")
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/Obfuscated-JavaScript-redirector.png\")
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/Less-Obfuscated-JavaScript-redirector.png\")
<\/p>\nIs my Mac infected?<\/h3>\n
What should Mac users learn from this?<\/h3>\n
Who created OSX\/CrescentCore?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/OSX-CrescentCore-Lights.png\")
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/OSX-CrescentCore-Sanela-Lovic.png\")
Indicators of compromise<\/h3>\n
Player.dmg<\/code> (note that if multiple copies are present, the name could appear as Player #.dmg<\/code> or Player (#).dmg<\/code> where #<\/code> is a numeral such as 1 or 2). Example SHA-256 hashes for infected .dmg files:<\/p>\n638004ee6a45903dcbf03d03e31d2e83c6270377973a64188f0b89d4062f321e<\/code>
\n45eab9f25158b677877a447b052f024c44c80744bcfae59deb660c47a9cbf1ac<\/code>
\nb111891b698dfdafb6952b0cf89aaebde51c5c1758df316e6b843624ed2db205<\/code>
\n8938e48a0b0f8765a017d2e25ed5a68bd7954d220e460c5aa4b1c59763ec5a8d<\/code><\/p><\/blockquote>\n\/Library\/com.apple.spotlight.Core<\/code>
\n\/Library\/Application Support\/com.apple.spotlight.Core<\/code>
\n\/Library\/LaunchAgents\/com.google.keystone.plist<\/code>
\ncom.player.lights.extensions.appex<\/code><\/p><\/blockquote>\nHow can I learn more?<\/h3>\n