THREAT REMOVAL

Update August 2019. What is CrescentCore Mac malware? How threatening is it to macOS? Let’s find out in this article.

OSX/CrescentCore or CrescentCore Mac malware is a new malicious campaign currently targeting users in the wild. According to security researchers, the malware is considered the next generation of a fake Flash Player “virus” which is now capable of fully evading antivirus detection. Currently, Mac users are widely targeted across the Web, as CrescentCore lurks in bogus download sites as well as top-ranking Google search results.

Threat Summary

NameCrescentCore
TypeTrojan Horse for Mac OS
Short DescriptionAims to sneak into your Mac undetected to perform a series of malicious activities.
SymptomsA Trojan horse application on a .dmg disk image, masqueraded as an Adobe Flash Player installer..
Distribution MethodFake download sites and trojanized apps
Detection Tool See If Your System Has Been Affected by malware

Download

Combo Cleaner

User ExperienceJoin Our Forum to Discuss CrescentCore.

CrescentCore Mac Malware – Distribution

As reported by Intego researchers, this malware is in fact a Trojan horse application on a .dmg disk image, and is masqueraded as an Adobe Flash Player installer. This distribution method is not new at all as it has been observed in Windows campaigns for years. The difference is, however, that CrescentCore is updated with additional capabilities which are meant to improve its evasion by antivirus programs. Also, this is not the first such case against Mac users. A previously detected Mac Trojan is the so-called

Mac Control “virus” which has been known to spy on users’ activities.

Currently, the malware is being distributed via fake app installers (.dmg file), but its distribution mechanisms could be updated in the near future to include:

  • Fake patches;
  • Software cracks;
  • Key generators.

So, how does the CrescentCore infection happen?

Of course, the user will have to open the .dmg file and app with the Flash Player icon. Once this is done, the Trojan will check if it’s running inside a virtual machine. Then, CrescentCore will run a check to see if there is a Mac antivirus program running on the system. If any of these two conditions is met, the malware will no continue its operations on this particular system.

In case no AV software is found, the malware will install its persistent infection in the form of a LaunchAgent.
Security researchers say that there is a second variant of the malware which could install Advanced MacCleaner on infected hosts, or a malicious Safari browser extension.

How to Effectively Remove Mac Kontrol

The malware has been observed in active campaigns in the wild, Mac users should be extra careful when surfing the web. Since CrescentCore is designed to check whether there is an antivirus program installed on the targeted Mac and would halt the infection if such is found, it is highly advisable to install a security solution.

If you’re already infected by CrescentCore and want to remove it from your Mac, we suggest that you carefully read step 1 and 2 below this article. If however you cannot seem to find the virus files or the app, which the malware pretends to be, then professional removal is your best bet. To remove CrescentCore efficiently, you can download and run a scan of your Mac by using an advanced anti-malware software. Such specific tool is created to help you to automatically detect an get rid of any malware, CrescentCore included.

Milena Dimitrova

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

OFFER
REMOVE IT NOW (MAC)
with Mac Anti-Malware

Download advanced Mac Anti-Malware software and run free scan to remove virus files on your Mac. This saves you hours of time and effort compared to doing the removal yourself.


Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer

Get rid of CrescentCore from Mac OS X.


Step 1: Uninstall CrescentCore and remove related files and objects

OFFER
Manual Removal Usually Takes Time and You Risk Damaging Your Files If Not Careful!
We Recommend To Scan Your Mac with SpyHunter for Mac
Keep in mind, that SpyHunter for Mac needs to purchased to remove the malware threats. Click on the corresponding links to check SpyHunter’s EULA and Privacy Policy


1. Hit the ⇧+⌘+U keys to open Utilities. Another way is to click on “Go” and then click “Utilities”, like the image below shows:


2. Find Activity Monitor and double-click it:


3. In the Activity Monitor look for any suspicious processes, belonging or related to CrescentCore:

Tip: To quit a process completely, choose the “Force Quit” option.


4. Click on the "Go" button again, but this time select Applications. Another way is with the ⇧+⌘+A buttons.


5. In the Applications menu, look for any suspicious app or an app with a name, similar or identical to CrescentCore. If you find it, right-click on the app and select “Move to Trash”.


6: Select Accounts, after which click on the Login Items preference. Your Mac will then show you a list of items that start automatically when you log in. Look for any suspicious apps identical or similar to CrescentCore. Check the app you want to stop from running automatically and then select on the Minus (“-“) icon to hide it.


7: Remove any left-over files that might be related to this threat manually by following the sub-steps below:

  • Go to Finder.
  • In the search bar type the name of the app that you want to remove.
  • Above the search bar change the two drop down menus to “System Files” and “Are Included” so that you can see all of the files associated with the application you want to remove. Bear in mind that some of the files may not be related to the app so be very careful which files you delete.
  • If all of the files are related, hold the ⌘+A buttons to select them and then drive them to “Trash”.

In case you cannot remove CrescentCore via Step 1 above:

In case you cannot find the virus files and objects in your Applications or other places we have shown above, you can manually look for them in the Libraries of your Mac. But before doing this, please read the disclaimer below:

Disclaimer! If you are about to tamper with Library files on Mac, be sure to know the name of the virus file, because if you delete the wrong file, it may cause irreversible damage to your MacOS. Continue on your own responsibility!

1: Click on "Go" and Then "Go to Folder" as shown underneath:

2: Type in "/Library/LauchAgents/" and click Ok:

3: Delete all of the virus files that have similar or the same name as CrescentCore. If you believe there is no such file, do not delete anything.

You can repeat the same procedure with the following other Library directories:

→ ~/Library/LaunchAgents
/Library/LaunchDaemons

Tip: ~ is there on purpose, because it leads to more LaunchAgents.


Step 2: Scan for and remove malware from your Mac

You can use the tool we recommended above in order to remove CrescentCore:



Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer


Remove CrescentCore from Google Chrome.


Step 1: Start Google Chrome and open the drop menu


Step 2: Move the cursor over "Tools" and then from the extended menu choose "Extensions"


Step 3: From the opened "Extensions" menu locate the unwanted extension and click on its "Remove" button.


Step 4: After the extension is removed, restart Google Chrome by closing it from the red "X" button at the top right corner and start it again.


Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer


Erase CrescentCore from Mozilla Firefox.

Step 1: Start Mozilla Firefox. Open the menu window


Step 2: Select the "Add-ons" icon from the menu.


Step 3: Select the unwanted extension and click "Remove"


Step 4: After the extension is removed, restart Mozilla Firefox by closing it from the red "X" button at the top right corner and start it again.



Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer


Uninstall CrescentCore from Microsoft Edge.


Step 1: Start Edge browser.


Step 2: Open the drop menu by clicking on the icon at the top right corner.


Step 3: From the drop menu select "Extensions".


Step 4: Choose the suspected malicious extension you want to remove and then click on the gear icon.


Step 5: Remove the malicious extension by scrolling down and then clicking on Uninstall.



Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer


Delete CrescentCore from Safari.


Step 1: Start the Safari app.


Step 2: After hovering your mouse cursor to the top of the screen, click on the Safari text to open its drop down menu.


Step 3: From the menu, click on "Preferences".

stf-safari preferences


Step 4: After that, select the 'Extensions' Tab.

stf-safari-extensions


Step 5: Click once on the extension you want to remove.


Step 6: Click 'Uninstall'.

stf-safari uninstall

A pop-up window will appear asking for confirmation to uninstall the extension. Select 'Uninstall' again, and the CrescentCore will be removed.


How to Reset Safari
IMPORTANT: Before resetting Safari make sure you back up all your saved passwords within the browser in case you forget them.

Start Safari and then click on the gear leaver icon.

Click the Reset Safari button and you will reset the browser.


Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer


Eliminate CrescentCore from Internet Explorer.


Step 1: Start Internet Explorer.


Step 2: Click on the gear icon labeled 'Tools' to open the drop menu and select 'Manage Add-ons'


Step 3: In the 'Manage Add-ons' window.


Step 4: Select the extension you want to remove and then click 'Disable'. A pop-up window will appear to inform you that you are about to disable the selected extension, and some more add-ons might be disabled as well. Leave all the boxes checked, and click 'Disable'.


Step 5: After the unwanted extension has been removed, restart Internet Explorer by closing it from the red 'X' button located at the top right corner and start it again.


CrescentCore FAQ

What is CrescentCore?

CrescentCore is classified as a potentially unwanted app for Mac. It appears like a normal app, but it may cause unpleasant pop-ups and redirects on your Mac.

Be aware, that CrescentCore may be able to affect the browsers Safari, Google Chrome, Mozilla Firefox, Edge and Opera. It may they perform unwanted activities on your Mac.

Such can turn out to be showing advertisements of all types, slowing down your Mac's performance and even infecting your Mac with other viruses by showing you dangerous ads.

Is CrescentCore a Virus?

No, but it is just as risky. The CrescentCore object is not entirely a virus but it is still as dangerous as a virus for your Mac and your information. The main reason for that is because CrescentCore can use cookies and other tracking technologies that may obtain personal information from your Mac while you are browsing.

It may also cause dangers and may lead to risky websites, such as:

  • Phishing sites.
  • Web pages that are scam.
  • Sites that may contain viruses.

These are the main reasons why threatening is considered by experts to be indirectly dangerous to your Mac.

Can my Mac get virus?

The answer to this question is "yes". Unfortunately it opened happens that Mac devices become infected with different types of malware, adware and other threats. This causes a lot of problems for both companies and users.

How did I get CrescentCore?

CrescentCore could be spread to Mac computers via several methods. One of those methods is via the installers of third party apps. This technique is called software bundling.

Also, CrescentCore adware could be included in the installer steps of an app you may have downloaded for your Mac from a third party website. Search app could be a media player or some other free software you may have tried to recently install.

You may have missed CrescentCore, because it could be hiding in one of the install steps or could be offered as a "free extra" or an "optional offer".

How to remove CrescentCore from my Mac?

By removing its core files. To get rid of CrescentCore from your Mac, security experts strongly advise to scan it with a professional anti-malware app for Mac.

An anti-malware security app has the capability of scanning all of the areas in your Mac were CrescentCore could be residing.

It will also make sure that CrescentCore is permanently gone from your Mac and that your Mac is safe in the future.

How to protect my Mac from viruses?

To protect your Mac from all sorts of virus threats, you can can minimize the risk of getting a virus in the first place. This is why we strongly recommend that you take the following steps for protection on your Mac below:

1. Register for a VPN service of your choice.
2. Clear the cookies that are on your web browsers and uninstall any browser extensions from them that you believe are suspicious.
3. Download and install reputable malware removal and protection software.
4. Always check if the website you're visiting has HTTPS instead of just HTTP in its address. This indicates that a site is secure.
5. Do not type any personal info on websites which are with low reputation or you can't trust.
6. Always check if the site you're visiting is the real web page at not a fake one by looking at the address bar. Many fishing websites that contain viruses change one or two letters in the main domain name of the site they're trying to mimic.
7. Always link your cell phone phone to your Bank Accounts, PayPal, Facebook, Gmail, Instagram and other accounts. This will allow you to see notification if somebody else logged in from your account and makes account hijacking nearly impossible.
8. Always find a way to backup all your important files regularly. You can save them on a USB stick or use Cloud backup services, like Google Drive. iDrive, Onedrive and others.

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...