This group is too aware for this but you may have friends that may need to be
reminded.
John
How to Remove the New Mac Flash Malware ‘Crossrider’
Andrew Orr, Apr 25th, 2018 4:56 PM EDT
A variant of the Crossrider adware has been spotted in the wild. It's Mac Flash
malware, and it differs from the original breed because it installs
configuration profiles to stay persistent (via Malwarebytes:
<https://urldefense.proofpoint.com/v2/url?u=https-3A__blog.malwarebytes.com_threat-2Danalysis_2018_04_new-2Dcrossrider-2Dvariant-2Dinstalls-2Dconfiguration-2Dprofiles-2Don-2Dmacs_&d=DwIFaQ&c=OAG1LQNACBDguGvBeNj18Swhr9TMTjS-x4O_KuapPgY&r=F2GFXrjLFqVo3VwvIlo_XYeEiRRjHv15rxcenz7A21woG2aFGcrzndoSsskxfmOs&m=pI4hbhh-HWVnBuH6iTfzxxbOaR9D8MXRsEtuj1WkLQ4&s=UIWXbc7znofj8meg8brZRWUAZbqlK-cGjXLuwJO-P2g&e=>;
<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.malwarebytes.org_&d=DwIFaQ&c=OAG1LQNACBDguGvBeNj18Swhr9TMTjS-x4O_KuapPgY&r=F2GFXrjLFqVo3VwvIlo_XYeEiRRjHv15rxcenz7A21woG2aFGcrzndoSsskxfmOs&m=pI4hbhh-HWVnBuH6iTfzxxbOaR9D8MXRsEtuj1WkLQ4&s=U2c5EhcAYL6J7tAP3jefFHH7wQ3cBXthlQsWXm7Joe4&e=>).
Mac Flash Malware
This strain of Crossrider comes in the form of a fake Adobe Flash Player
installer. That is pretty typical for macOS and nothing we haven't seen
before, but this one is a bit different. As you install it, it automatically
installs Advanced Mac Cleaner, which uses Siri's voice to tell you it found a
problem. Behind the scenes, it locks Safari's homepage to a Crossrider domain,
and that setting can't easily be changed. This is done with a configuration
profile, a mechanism IT admins use to control the behavior of Macs in bulk,
like in a company.
This configuration profile forces Safari and Chrome (if you have it installed)
to always open a page at chumsearch.com. You can’t change it via Safari
preferences, but you can find the profile by going to System Preferences >
Profiles.
How to Remove It
Luckily, removing it is fairly straightforward and involves a couple of
Terminal commands. If you’re on macOS 10.12 or earlier, use the command:
sudo profiles -L
Although this works on macOS 10.13, another command may be better:
sudo profiles list
Then, look for an unfamiliar profile. In this case, the identifier is
com.myshopcoupon.www. On macOS 10.12 or earlier, type:
sudo profiles -R -p com.myshopcoupon.www
On macOS 10.13:
sudo profiles remove -identifier com.myshopcoupon.www
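The listing and removal steps above, as an added triage helper (not code from the article or from Malwarebytes). It assumes the "profileIdentifier: <id>" line format of `profiles` output and the 10.12-vs-10.13 command split the article describes; the sample output and the com.example.corp.mdm allowlist entry are constructed.

```sh
#!/bin/sh
# Added example, not the article's or Malwarebytes' code. Assumes profiles(1)
# prints one "... profileIdentifier: <id>" line per installed profile.

# $1 = version from `sw_vers -productVersion`; true for 10.13+ (verb syntax).
uses_verb_syntax() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    [ "$major" -gt 10 ] || [ "$minor" -ge 13 ]
}

# Print the command that lists installed profiles on version $1.
profiles_list_cmd() {
    if uses_verb_syntax "$1"; then echo "sudo profiles list"
    else echo "sudo profiles -L"; fi
}

# Print the command that removes profile $2 on version $1.
profiles_remove_cmd() {
    if uses_verb_syntax "$1"; then echo "sudo profiles remove -identifier $2"
    else echo "sudo profiles -R -p $2"; fi
}

# Read `profiles` output on stdin; print each profileIdentifier that is not in
# the space-separated allowlist $1 (exact match, e.g. your own MDM profile ids).
unexpected_profiles() {
    allow=" $1 "
    sed -n 's/.*profileIdentifier: *\([^ ]*\).*/\1/p' | sort -u |
    while read -r id; do
        case "$allow" in
            *" $id "*) ;;          # known profile, skip
            *) echo "$id" ;;       # unknown: candidate for removal
        esac
    done
}

# Constructed sample output (not captured from a real Mac): one legitimate
# MDM profile next to the Crossrider identifier named in the article.
SAMPLE='_computerlevel[1] attribute: profileIdentifier: com.example.corp.mdm
_computerlevel[2] attribute: profileIdentifier: com.myshopcoupon.www
There are 2 configuration profiles installed'

# Usage: sh triage.sh 10.13.4 (on a real Mac, pipe the list command's output
# into unexpected_profiles instead of $SAMPLE). Prints commands, never runs them.
main() {
    ver="${1:-10.13}"
    echo "# run: $(profiles_list_cmd "$ver")"
    printf '%s\n' "$SAMPLE" | unexpected_profiles "com.example.corp.mdm" |
    while read -r id; do
        echo "# unexpected profile $id, remove with:"
        profiles_remove_cmd "$ver" "$id"
    done
}
main "$@"
```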
Other than that, the malware doesn't seem to do much damage to your system.
Additionally, for most users fake Adobe Flash Player installers are easy to
avoid. Flash really isn't needed anymore, but if you do need it, make sure to
only download it from Adobe's official website.
_______________________________________________
MacGroup mailing list
Posting address: MacGroup@erdos.math.louisville.edu
Archive: <http://www.mail-archive.com/macgroup@erdos.math.louisville.edu/>
Answers to questions: <http://erdos.math.louisville.edu/macgroup/>