CrescentCore is a type of malware that typically spreads via fake Flash Player updates and installs PUP on Macs
CrescentCore is a Trojan that proliferates adware and scareware apps on Macs automatically
CrescentCore is a Trojan horse that was discovered by Intego security researchers in late June 2019, soon after they analysed similar malware samples. Also known as OSX/CrescentCore, the malware is designed for macOS systems, and its primary goal is to monetise on illegal installations of potentially unwanted applications, such as Advanced Mac Cleaner. CrescentCore virus is mostly spread via fake Flash Player installers that can be encountered across the web, although experts noted that it possesses by far more sophisticated capabilities than a regular Mac malware spread via this method.
|Type||Mac virus, trojan|
|Distribution||Fake Flash player updates, software cracks, pirated software installers, sites that offer to access licenced content for free|
|Dangers||As soon as CrescentCore is installed on a Mac, it renders it vulnerable to all types of threats, as it may install other malicious software that would not only infiltrate PUPs, but also other malware which can send spam, secretly mine cryptocurrency, steal login credentials and banking information, and expose the computer to vulnerabilities|
|Termination||Malware is known to install various components into systems which might prevent its manual removal. Therefore, you should employ reputable anti-malware software such as SpyHunter 5Combo Cleaner and perform a full system scan to get rid of it automatically|
|Mac optimization||In case your macOS is slow even after removing malware, you could use a space recovery app Reimage Reimage Cleaner and get rid of duplicates, large files, and other data that might slow down your computer|
Fake Flash player installers are known to be one of the leading Mac malware attack vectors and bring in many different infections to the host machines – from adware that shows intrusive advertisements on the installed web browsers to malicious Trojans like OSX/Shlayer or OSX/CrescentCore.
To remove CrescentCore from a device and stop the intrusion of other malicious software, users need to install a powerful anti-malware software and thoroughly scan their machines. Note that the malware will not even infect systems that protected by a third-party anti-virus, so it is important to have the software running at all times to avoid CrescentCore virus and other malware infections in the future.
Infection and operation routine of CrescentCore Trojan
CrescentCore malware avoids analysis by checking whether it entered a virtual machine (VM) – it is often users by security researchers to analyse malware samples to avoid infecting actual computers they are working on. After the malware confirms that the machine belongs to a regular user, it also checks whether one of many popular third-party anti-viruses is installed on the system. If both checks do not pass, the CrescentCore virus simply exists without causing any damage.
In case of the opposite, CrescentCore will proceed with the infection process and will implant LaunchAgent components into a Mac, which improves its persistence. In other words, this is what can make manual CrescentCore removal so complicated, and many might fail even after trying to get rid of the fake Flash present on the system.
Once the necessary steps are completed on the infected macOS, users might not even notice the presence of malware, as it operates in the background. However, some symptoms might include:
- Computer slowdowns and lag, crashing apps;
- Unknown browser extension installed on Safari without permission;
- Malware apps like Advanced Mac Cleaner or Mac Mechanic present on the device;
- Web browser settings modified – new tab address, a customised search engine, and a new homepage applied without permission;
- Browser redirects lead to suspicious sites that are filled with advertisements;
- Ads appear on all visited websites.
CrescentCore is a type of Mac malware that evades analysis by checking for anti-malware and VM software before continuing the infection process
Mac malware is not a myth, and CrescentCore is another virus that proves it
Security researchers from Intego noted that propagated rumour about Macs being somehow safer than Windows PCs is just a myth, as their security software managed to catch a variety of infections on machines running security software, including backdoors, cryptominers, and other Trojans:
Within the past month alone, there have been several new Mac malware campaigns aside from Intego’s discoveries of OSX/CrescentCore and OSX/Linker, including OSX/NewTab (which Intego was the first to detect), OSX/Netwire and OSX/Mokes (backdoors that spread via a Firefox zero-day vulnerability), OSX/LoudMiner aka OSX/BirdMiner (cryptocurrency miners that try to evade detection by running inside a virtualized operating system).
Security researchers from Kaspersky recently released a report about Mac malware that operates on machines running its security software, and it turned out that Shlayer Trojan was present on 10% of Macs. Due to its prevalence, CrescentCore might be another malware that could infect millions of users worldwide.
The infected macOS can cause various harm to its users, as threats like CrescentCore render machines vulnerable to other cyberattacks, and it is not a secret that malicious actors can often send the updates to already installed malware via Command and Control servers. The updated malware may be able to steal sensitive user data by logging keyboard inputs, direct users to spoofed banking sites, use the computer for sending spam, etc.
You can avoid malicious software on your Mac by employing basic security practices
Now that we established that Mac malware is not a myth, a natural question arises: how to defend yourself from computer parasites? The answer to the question is primitive but not as simple – you should be aware of how malware is distributed, so you can apply measures to defend yourself.
CrescentCore is typically spread via fake Flash Player prompts, that might include the actual installation of the software. Therefore, users may not even realise that they installed malware on their systems until it is detected by a security application or until they notice that something is very wrong with their machines.
It is important to note that Flash Player is an outdated piece of software that is full of security flaws, many of which are patched regularly by its developer Adobe. The truth is, many sites pulled of this plugin usage altogether, as most regular users do not require the functionality of Flash (unless they choose to play old Flash games on some dodgy sites, which is not recommended activity in the first place). In case you insist on having this flawed software, you should always install its updates via the official website. Note that you would never receive a notification about an outdated Flash – especially on Google Chrome, as it uses a built-in functionality to replace it.
Another critical point here is that most of these malicious links and download prompts are delivered to users via websites that host dubious content, including software cracks, pirated software, comics, games, or offers licenced TV show/movie streams allegedly for free. Please stay away from such sites as malware is often hidden on them.
Being careful is not enough, however, and you should also apply additional protection measures, such as anti-malware software, as well as ad-blocking extensions that would prevent malicious scripts from being executed in the first place.
Ways to remove CrescentCore malware
Without a doubt, the only secure way to remove CrescentCore virus is by employing reputable anti-malware software. However, keep in mind that the infection is relatively stealthy, and might avoid the detection by security software. Nevertheless, even with its various features, CrescentCore can be detected with the help of powerful security tools as they can find malicious files on Mac automatically. Keep in mind that advanced security solutions with real-time scanning feature would block malware altogether.
CrescentCore removal should also compile of web browser reset procedure, as it may introduce a malicious extension to Safari, and also alter web browser settings. Additionally, various potentially unwanted applications downloaded by the virus might also implant their own components into web browsers. To perform a browser reset, follow the instructions provided below.
[GI=google-chrome]If you don't reset Google Chrome to default, the activity of CrescentCore virus may continue::[/GI]
[GI=safari]CrescentCore malware might install a Safari extension without permission – reset your browser to eliminate it:[/GI]