New Mac Malware Being Pushed via High Ranking Websites

A new form of Mac malware has been discovered that is being distributed through a variety of websites that rank high in the Google search results.

The malware is a Trojan that masquerades as an Adobe flash installer but is really an Apple disk image file (.dmg) that delivers the malware payload, malicious applications and various browser extensions.

The malware has been dubbed OSX/CrescentCore and several installers have been captured by several security researchers. In addition to the Trojan payload, one sample was observed to install Advanced Mac Cleaner while another added unwanted Safari browser extensions.

The method of distributing the Trojan is not uncommon. Malware distributors search for vulnerable websites that rank high in the Google search rankings for high traffic keywords. They then compromise those sites and add redirects to the sites hosting their malware. Those sites encourage visitors to download the malware under a variety of ruses, commonly security updates for software such as Flash Player.

CrescentCore includes advanced features designed to help it evade detection. The malware assesses its environment to determine if it is running in a virtual environment and whether anti-virus software is present and will exit if either are detected. The malware achieves persistence by installing a LaunchAgent in the library folder to ensure that it runs each time the user logs in.

CrescentCore is one of several new Mac malware variants to be discovered recently. A few days ago, researchers at Intego discovered another previously unseen malware variant named OSX/Linker. The malware targeted a vulnerability in MacOS Gatekeeper, a security feature that enforces code-signing and can limit the ability of programs to execute. The malware fools Gatekeeper into thinking it is on the local network rather than a server, and that it can therefore be trusted. As well as identifying CresentCore, the researchers also found an exploit called OSX/NewTab that adds new tabs to the Safari browser all in the space of a month.

New Mac-based cryptocurrency miners have also been observed and are being used in attacks in the wild. Mac users may not face the same number of threats as Windows users, but the recent increase in Mac malware suggests hackers are becoming more adept at bypassing Mac security features and they have developed a variety of methods to do so.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of