A fake copy of the blog of the legitimate security company Symantec is being used to spread a new version of the Proton malware targeting macOS.
The developers of Proton malware created symantecblog[dot]com which is a good imitation of the real Symantec blog and even mirrors the content from the original website.
The fake blog promotes an application named “Symantec Malware Detector” in a post about a new version of CoinThief; the download actually delivers OSX.Proton.
The domain’s registration information looks legitimate at first glance: the registrant name and address match those Symantec uses, but the contact email address does not. The site also uses a valid SSL certificate, issued by Comodo rather than by Symantec’s own certificate authority. That is a useful reminder that a valid certificate only proves that whoever obtained it controls the domain, not that the domain belongs to the company it imitates.
Security researchers report that both fake and legitimate Twitter accounts have been spreading links to the fake blog; the attackers behind the campaign may have used stolen passwords to post from the legitimate accounts.
When launched for the first time, the Symantec Malware Detector application shows a very simple window, branded with the Symantec logo, claiming that it needs authorization to perform a system check. According to the researchers, if the user closes the window at this point, Proton is not installed.
If the victim agrees to run the check, the application asks for the admin password and the malware captures it. It then shows a progress bar that claims to be scanning the computer while Proton is installed in the background.
Because the Symantec Malware Detector application is nothing more than a dropper, anyone who has downloaded it is advised to delete it and clean their machine immediately.
Once installed, Proton immediately begins collecting the admin password and other sensitive personal information (PII) and saves it to a hidden file. It also steals keychain files, browser auto-fill data, 1Password vaults, and GPG passwords.
The Proton executable is dropped in a hidden .random directory and kept running by a launch agent named com.apple.xpcd.plist, a name chosen to look like an Apple component; the stolen data is staged in a hidden .cachedir folder.
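The artifacts above are the indicators a responder would look for on a suspect Mac. The following shell script is an added example, not code from the article or from the researchers it cites: it checks a home directory for the two hidden folders and the imitation Apple launch agent. The article gives only the names, so the paths used here (the folders at the root of the home directory, the agent under ~/Library/LaunchAgents) are assumptions about the conventional locations. It also generalises slightly: Apple ships its own launch agents under /System/Library/LaunchAgents, never in a user's ~/Library/LaunchAgents, so any com.apple.* plist found there is worth a look even if its name differs from the one reported.

```shell
#!/bin/sh
# Added example (not from the original article): look for the OSX.Proton
# artifacts described in the article. ASSUMPTION: the hidden ".random" and
# ".cachedir" folders sit at the root of the home directory and the
# "com.apple.xpcd.plist" launch agent under ~/Library/LaunchAgents; the
# article names the artifacts but does not state their full paths.

# check_proton_artifacts [home_dir]
# Prints every suspicious path it finds. Returns 0 when the directory is
# clean and 1 when at least one artifact is present.
check_proton_artifacts() {
    target="${1:-$HOME}"
    agents="$target/Library/LaunchAgents"
    found=0

    # Hidden folders: dropped executable (.random) and stolen data (.cachedir).
    for d in "$target/.random" "$target/.cachedir"; do
        if [ -e "$d" ]; then
            echo "SUSPICIOUS: $d (hidden folder reported for OSX.Proton)"
            found=1
        fi
    done

    # Launch agents: Apple's own agents live in /System/Library/LaunchAgents,
    # so a "com.apple.*" plist in a user's LaunchAgents folder is an imitation.
    if [ -d "$agents" ]; then
        for p in "$agents"/com.apple.*.plist; do
            [ -e "$p" ] || continue   # unmatched glob expands to the literal pattern
            case "$p" in
                */com.apple.xpcd.plist)
                    echo "SUSPICIOUS: $p (launch agent reported for OSX.Proton)" ;;
                *)
                    echo "SUSPICIOUS: $p (Apple-named agent in a user LaunchAgents folder)" ;;
            esac
            found=1
        done
    fi

    return $found
}

# Usage: scan the current user's home directory.
# check_proton_artifacts "$HOME" || echo "review the paths above before removing anything"
```

Because the launch agent keeps the executable running, the order of cleanup matters: unload the agent first (launchctl unload on the plist), then remove the plist and the hidden folders, then confirm with the check above that nothing remains. Treat the contents of .cachedir as evidence of what was stolen rather than simply deleting it.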
“Fortunately, Apple is aware of this malware and has revoked the certificate used to sign the malware. This will prevent future infections by the Symantec Malware Detector. Revoking the certificate will not, by itself, do anything to protect a machine that is already infected,” the security experts state.
Proton was built to steal login credentials, so affected users should act immediately after an infection: treat every online password as compromised and change it, using a different password for each site and keeping them in a password manager. Because Proton also takes keychain files and 1Password vaults, the passwords should be changed from a machine known to be clean.
The password manager’s master password should not be stored in the keychain or anywhere else on the Mac, and enabling two-factor authentication limits the damage that any already-stolen credentials can do.