Mac malware dubbed CrescentCore, which is distributed through Google search results and numerous sites, masquerades as an updater or installer for Adobe Flash Media Player. It functions as a trojan horse that installs malicious Safari extensions, rogue disk cleaners and possibly more malware.
Notably, the malware simply exits if it detects that it is running in a VM environment or that antivirus and malware protection software is running on the device. On a Mac that is not running in a VM environment and has no antivirus and malware protection software running, a LaunchAgent will begin to install when you click Update or Download Flash.
The following is a screenshot of a site distributing CrescentCore masquerading as Adobe Flash Player:
Image courtesy of Intego
With respect to Adobe Flash, please be advised of the following:
- Google Chrome has a built-in version of Flash which updates automatically
- Many sites have stopped relying on Flash because Adobe plans to discontinue it and will not be releasing security updates for Flash after 2020. It is therefore recommended that you forgo the installation of Flash, if possible
- For help verifying the latest Flash plug-in, and for information on where to get trusted Adobe updates, please see: https://www.intego.com/mac-security-blog/how-to-tell-if-adobe-flash-player-update-is-valid/
How to Tell if Your Mac is Infected:
- Look for files with the name Player.dmg (or Player #.dmg – where the # is a number) in your Downloads folder.
- Look for files or folders with the following names:
  - /Library/com.apple.spotlight.Core
  - /Library/Application Support/com.apple.spotlight.Core
  - /Library/LaunchAgents/com.google.keystone.plist
  - Com.player.lights.extensions.appex
If you detect any of the above-referenced files, and you’d like assistance with their removal, please contact your local IT Admin.
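The checks listed above can be scripted. The shell function below is an added example, not part of the original advisory or of Intego's tooling. The advisory gives no path for the .appex name, so the search roots used for it are an assumption, and the optional ROOT and HOME_DIR arguments are hypothetical parameters for scanning a mounted copy of a disk or a test tree.

```shell
#!/bin/sh
# Added example: looks for the CrescentCore indicators named in this advisory.
# Usage after sourcing: crescentcore_scan [ROOT] [HOME_DIR]
# ROOT and HOME_DIR are hypothetical parameters (defaults: / and $HOME) so the
# same check can run against a mounted copy of a disk or a test tree.
crescentcore_scan() {
    root="${1:-/}"
    home="${2:-$HOME}"
    root="${root%/}"    # "/" becomes "" so "$root/Library" stays well-formed
    {
        # Fixed file/folder paths listed in the advisory.
        for p in \
            "/Library/com.apple.spotlight.Core" \
            "/Library/Application Support/com.apple.spotlight.Core" \
            "/Library/LaunchAgents/com.google.keystone.plist"
        do
            if [ -e "$root$p" ]; then echo "$root$p"; fi
        done

        # Player.dmg or "Player #.dmg" directly inside the Downloads folder.
        if [ -d "$home/Downloads" ]; then
            find "$home/Downloads" -maxdepth 1 \
                \( -name 'Player.dmg' -o -name 'Player [0-9]*.dmg' \) 2>/dev/null
        fi

        # The .appex name is given without a path; these search roots are an
        # assumption. -iname because the advisory capitalises the first letter.
        for d in "$home/Library" "$root/Library" "$root/Applications"; do
            if [ -d "$d" ]; then
                find "$d" -iname 'com.player.lights.extensions.appex' 2>/dev/null
            fi
        done
    } | sort -u
}

# Scan the live system only when asked; sourcing just defines the function.
if [ "${1:-}" = "--scan" ]; then
    crescentcore_scan
fi
```

Each line of output is a path that matched one of the listed names; no output means none of them were found in the locations checked.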
Recommendations:
- Update your OS, browsers, browser plug-ins and applications as soon as updates become available. This remains one of the best ways to protect yourself from malware.
- Install NYU-sponsored antivirus and malware protection software. As a reminder, antivirus software is required on any desktop or laptop connecting to NYU-NET. For more information, including access and eligibility information, click here.
- If you receive a Flash update pop-up, like the one shown above, do not click any elements on the screen; instead, close and reopen your browser.