’CrescentCore’ malware attacks your Mac, evades antivirus tools


Don’t install Flash Player. Not even the real one.
Photo: Intego

Security researches have discovered new malware that targets macOS users and evades popular antivirus tools.

“CrescentCore” is distributed as a DMG package that’s disguised as Adobe Flash Player. It can now be found on multiple websites — one of which is “a high-ranking Google search result,” according to Intego.

There was a time when Mac users could boast about their machines being immune to viruses. But as Apple’s operating system has grown increasingly popular, it has become a bigger target for malware creators.

New malware designed for macOS is now popping up all the time. The latest is particularly notable because of the way in which it attempts to evade popular security software and avoid removal.

Beware fake Flash Player downloads

Like most malware downloads, CrescentCore finds its way onto a Mac via “sketchy” websites. Visitors are typically led to believe they are obtaining something for free — one site promises free comic books.

Users are then redirected through multiple sites before being tricked into downloading what is claimed to be a Flash update. It’s when they attempt to install the update that the malware gets interesting.

The first thing CrescentCore will do before installing is identify whether it is running inside a virtual machine (VM). VMs are used by researchers to examine and reverse engineer malware without infecting the rest of their machines. If a VM is detected, CrescentCore won’t install.

Next, CrescentCore will determine if antivirus tools are running. It seems its creator would rather it wasn’t used at all than be identified by security software, so if antivirus tools are being used, it will stop running.

What does CrescentCore do?

Assuming you’re not using a VM, and no antivirus software is running, CrescentCore will proceed with installing a “LaunchAgent.” Intego describes this as a persistent infection, but it’s not completely clear what it does.

There is a second variant of CrescentCore that can install rogue software dubbed “Advanced Mac Cleaner,” or a malicious Safari extension. This could be used to track what you’re doing online, and even to record sensitive data.

How to avoid CrescentCore

Ensuring your Mac isn’t infected by CrescentCore is as easy as avoiding dodgy websites. Don’t downloading anything from sites you do not trust — especially not those offering copyright-infringing content.

You may also want to avoid installing anything that resembles Flash Player. As Intego notes, “nobody should be installing Flash Player in 2019 — not even the real, legitimate one.”

Flash Player has been dying out for years, and very few sites still rely on it. It’s not a desktop necessity like it used to be. What’s more, so many malware downloads typically come disguised as a Flash update.

What if you’re already infected?

If you already have good browsing habits, the likelihood of your Mac being infected by CrescentCore already is incredibly slim. But if you’re worried, simply install a reliable antivirus app and scan your machine for infections.

Intego’s own VirusBarrier X9 can obviously identify CrescentCore and eliminate it. But if you’re not an existing user, you can download its VirusBarrier Scanner for free and use that instead.


Daily round-ups or a weekly refresher, straight from Cult of Mac to your inbox.

  • The Weekender

    The week's best Apple news, reviews and how-tos from Cult of Mac, every Saturday morning. Our readers say: "Thank you guys for always posting cool stuff" -- Vaughn Nevins. "Very informative" -- Kenly Xavier.