CrescentCore
Another piece of malware that disguises itself as an Adobe Flash Player installer. Upon installation, the malware first checks whether it is running within a virtual machine; in addition, it checks whether any common Mac antivirus is installed. If so, it exits the installation. It uses two configuration files, virtualmachines.json and antivirus.json, to determine which VM / AV engines to look for.
Source: Intego
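A triage heuristic built on the two file names above, as an added example that is not code from Intego or from the malware: it flags any .app bundle under a directory (a mounted disk image, for instance) that contains both virtualmachines.json and antivirus.json. The function names, the sample bundle names and the Contents/Resources location are assumptions made for the demonstration, and a file-name match is only a reason to look closer at a bundle.

```python
import os
import tempfile

# File names come from the description above; compared case-insensitively
# because the default macOS file system is case-insensitive.
CONFIG_NAMES = {"virtualmachines.json", "antivirus.json"}


def config_hits(bundle):
    """Paths inside one bundle whose file name is one of CONFIG_NAMES."""
    return sorted(
        os.path.join(dirpath, name)
        for dirpath, _, filenames in os.walk(bundle)
        for name in filenames
        if name.lower() in CONFIG_NAMES
    )


def find_suspect_bundles(root):
    """Map each .app bundle under root that holds both files to their paths."""
    suspects = {}
    for dirpath, dirnames, _ in os.walk(root):
        for d in [d for d in dirnames if d.lower().endswith(".app")]:
            bundle = os.path.join(dirpath, d)
            hits = config_hits(bundle)
            if {os.path.basename(h).lower() for h in hits} == CONFIG_NAMES:
                suspects[bundle] = hits
            dirnames.remove(d)  # bundle already searched in full; skip it in the walk
    return suspects


def build_sample_tree(root):
    """Constructed layout for the demo: only Player.app holds both files.
    Contents/Resources is an assumed location, not one the page states."""
    for rel in (
        "Player.app/Contents/Resources/virtualmachines.json",
        "Player.app/Contents/Resources/antivirus.json",
        "Editor.app/Contents/Resources/antivirus.json",
        "Notes.app/Contents/Info.plist",
    ):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("[]")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for bundle, files in find_suspect_bundles(tmp).items():
            print(bundle, *files, sep="\n  ")
```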
CrescentCore, which was signed with multiple Apple Developer IDs, spreads through a couple of websites by offering free pirated digital content such as free DC comics:
Source: Intego
Source: CheckPoint
Links:
Samples: