If You Are A Mac User, Don’t Download That Flash Player…. Just Don’t Do It….
There is a dangerous new piece of Mac malware masquerading as a Flash player that is making the rounds. It’s been discovered by Intego and the details have been posted via this blog post. Now here’s the first reason why this is dangerous:
If a user opens the .dmg disk image and opens the Player app (which has a Flash Player icon), the Trojan horse will first check to see whether it is running inside a virtual machine (VM). Malware analysts often examine malware inside a VM to avoid unintentionally infecting their own computers while working with dangerous files, so malware authors sometimes implement VM detection and behave differently to make it more difficult to analyze the malware’s behavior.
I have never seen a piece of malware do this before. That makes it very difficult to study and create countermeasures against. That’s not good. Now here’s the second reason why this is dangerous.
The OSX/CrescentCore Trojan app also checks to see whether any popular Mac antivirus programs are installed.
If the malware determines that it’s running within a VM environment or with anti-malware software present, it will simply exit and not proceed to do anything further.
Clearly, this malware is targeting Mac users who don’t run antivirus apps, and there are many of them, because the flawed perception persists that Mac users don’t need antivirus protection against malware. So the take-home message is that you need the protection of an antivirus app whether you run a Mac or a PC. But there’s another take-home message: there is no need for Flash. Don’t download any version of Flash, be it the legitimate version or a fake one. Most websites have dumped Flash, and Adobe will not be supporting it after next year. Protect yourself and don’t download Flash of any sort.
This entry was posted on July 1, 2019 at 9:44 am and is filed under Commentary with tags Security.