Mac Malware Pushed via Google Search Results, Masquerades as Flash Installer (Jul 2, 2019)

Intego researcher Joshua Long has identified a new form of macOS-specific trojan, dubbed “OSX/CrescentCore,” infecting users in the wild. The malware is distributed on websites that impersonate Adobe Flash Player installers, some of which users are redirected to via “high-ranking Google search results.” The malicious installer is actually an Apple disk image (.dmg) that will download the malware. Interestingly, different variants of OSX/CrescentCore were found to be capable of dropping Potentially Unwanted Programs (PUPs) such as Advanced Mac Cleaner and malicious versions of the Safari web browser. The malware will install a LaunchAgent for additional persistence. As of this writing, it is unclear what the objective is behind this malware, and it may be possible that actors are in the testing phase for a different malicious campaign.
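Because the report's one concrete persistence detail is the LaunchAgent, a defender can triage the per-user LaunchAgents directory for entries that look out of place. The script below is an added example written for this briefing, not Intego's tooling and not a list of the campaign's IoCs: the path prefixes, name fragments and the two sample plists are constructed assumptions chosen to illustrate the checks, and a real hunt would substitute the IoCs published for OSX/CrescentCore.

```python
"""Audit macOS LaunchAgent plists for persistence that looks suspicious.

All heuristics below are illustrative assumptions for this example; they are
not Intego's detection logic and contain no real OSX/CrescentCore indicators.
"""
import plistlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumption: legitimate LaunchAgent programs rarely live in temp or shared dirs.
SUSPICIOUS_PATH_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/")
# Lure / PUP name fragments drawn from what the briefing says the trojan drops.
SUSPICIOUS_NAME_FRAGMENTS = ("flash", "advanced mac cleaner", "advancedmaccleaner")


def program_path(plist: dict) -> str:
    """Return the executable a LaunchAgent runs: Program or ProgramArguments[0]."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess_launch_agent(plist: dict) -> List[str]:
    """Return the reasons a plist looks suspicious; an empty list means none found."""
    reasons: List[str] = []
    label = str(plist.get("Label", "")).lower()
    path = program_path(plist)
    if not path:
        reasons.append("no Program/ProgramArguments key")
    if path.startswith(SUSPICIOUS_PATH_PREFIXES):
        reasons.append(f"program in temp/shared directory: {path}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive (relaunches if the process is killed)")
    haystack = f"{label} {path.lower()}"
    for fragment in SUSPICIOUS_NAME_FRAGMENTS:
        if fragment in haystack:
            reasons.append(f"label or path references '{fragment}'")
    return reasons


def scan_directory(directory: Path) -> Dict[str, List[str]]:
    """Parse every .plist in a directory and map file name -> reasons for flagged files."""
    findings: Dict[str, List[str]] = {}
    for plist_file in sorted(directory.glob("*.plist")):
        try:
            with plist_file.open("rb") as fh:
                data = plistlib.load(fh)
        except (plistlib.InvalidFileException, ValueError) as exc:
            # A plist launchd cannot parse is itself worth a look.
            findings[plist_file.name] = [f"unparseable plist: {exc}"]
            continue
        reasons = assess_launch_agent(data)
        if reasons:
            findings[plist_file.name] = reasons
    return findings


def demo() -> Dict[str, List[str]]:
    """Write two constructed LaunchAgents to a temp dir and scan them.

    Sample values are made up for this example; they are not real indicators.
    """
    benign = {
        "Label": "com.example.backup",
        "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/backup"],
        "RunAtLoad": True,
    }
    suspicious = {
        "Label": "com.flashplayer.updater",
        "ProgramArguments": ["/Users/Shared/.fp/update", "--silent"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    with tempfile.TemporaryDirectory() as tmp:
        agents_dir = Path(tmp)
        for name, content in (("com.example.backup.plist", benign),
                              ("com.flashplayer.updater.plist", suspicious)):
            with (agents_dir / name).open("wb") as fh:
                plistlib.dump(content, fh)
        return scan_directory(agents_dir)


if __name__ == "__main__":
    for filename, reasons in demo().items():
        print(filename)
        for reason in reasons:
            print("  -", reason)
```

On a live host, point `scan_directory` at `~/Library/LaunchAgents` (and `/Library/LaunchAgents` for system-wide entries); anything flagged should be compared against the IoCs published for this campaign rather than removed on the strength of the heuristics alone.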

Recommendation: Your company should have appropriate antivirus, anti-spam, and policies in place that will prevent your employees from visiting potentially malicious websites. Education is also a great mitigation technique that can assist your company in awareness of the risks posed by visiting less reputable online locations. In addition, any website that claims software needs to be downloaded is a possible indicator of malicious activity. Furthermore, the end-of-life date for Adobe Flash Player is the end of 2020; thus, actors may look for differently-themed lures once the usage of Flash Player decreases.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.