June was a busy month for Mac malware with the active circulation of at least six threats, several of which were able to bypass security protections Apple has built into modern versions of its macOS.
The latest discovery was published Friday by Mac antivirus provider Intego, which disclosed malware dubbed OSX/CrescentCore that’s available through Google search results and other mainstream channels. It masquerades as an updater or installer for Adobe’s Flash media player, but it’s in fact just a persistent means for its operators to install malicious Safari extensions, rogue disk cleaners, and potentially other unwanted software.
“The team at Intego has observed OSX/CrescentCore in the wild being distributed via numerous sites,” Intego’s Joshua Long wrote of two separate versions of the malware his company has found. “Mac users should beware that they may encounter it, even via seemingly innocuous sources such as Google search results.”
Security evasions
Long said that the CrescentCore versions he observed were signed with certificates belonging to an Apple-trusted developer. That would allow the malware to bypass Gatekeeper, a macOS protection that’s designed to thwart malware by allowing only digitally signed applications to be installed. Both recovered versions of CrescentCore are signed by certificates assigned to a developer using the name Sanela Lovic using certificate fingerprints 5UA7HW48Y7 and D4AYX8GHJS.
Long said he reported the certificate abuse to Apple, but as early Friday afternoon, a tool called WhatsYourSign, developed by Mac security expert Patrick Wardle, showed both signing certificates remained valid. On Friday evening, the tool showed one certificate had been revoked and another remained valid.
CrescentCore uses other techniques to avoid detection and analysis. After targets click on the fake Flash installer/updater, it first checks to see if it’s about to be installed inside a virtual machine or on a Mac that’s running AV software. If either of those possibilities turns out to be true, the trojan will simply exit and not do anything more. Security researchers almost always test suspected malware inside VMs to prevent accidentally infecting trusted work computers.
Mac users who want to check for infections should look for files with the name Player.dmg (or Player #.dmg or Player (#).dmg where # is a numeral such as 1 or 2) downloaded to the Downloads folder. Infected Macs may also contain folders or files with the following names:
- /Library/com.apple.spotlight.Core
- /Library/Application Support/com.apple.spotlight.Core
- /Library/LaunchAgents/com.google.keystone.plist
- com.player.lights.extensions.appex
Friday’s Intego post lists one of at least six macOS threats that have come to light this month. Others include:
-
- A cryptocurrency miner dubbed LoudMiner by ESET and Bird Miner by Malwarebytes, the two firms that independently discovered it. The miners, found in a cracked installer for the high-end music production software Ableton Live, work by emulating Linux.
-
- Malware dubbed OSX/Newtab, which tries to inject tabs into the Safari browser. Some of the file names disguise themselves as government forms or recipe apps. All samples have an identifier of com.NTAppStubInstaller and were digitally signed with the Apple Developer ID cosmina beteringhe (HYC4353YBE).
-
- Backdoors dubbed NetWire and Mokes that were installed in in-the-wild attacks exploiting a pair of potent Firefox zerodays to target people involved with cryptocurrencies. Both backdoors were able to bypass Gatekeeper and were undetected by antivirus engines at the time the attacks went live.
The recent activity is an indication that more and more malware developers are finding it worth their time to create malicious wares for macOS, a platform they largely shunned a decade ago.
As is the case with Windows computers, the best way to protect Macs against malware is to ensure the OS, browsers, and browser extensions are updated as soon as possible after security patches are released. Another key safeguard is to never run a stand-alone version of Flash (the one built into Chrome is generally OK).
https://arstechnica.com/?p=1529441