The Mac malware OSX/Proton is being distributed through a site impersonating a legitimate security company. Security researchers spotted criminals using search poisoning to reach more targets while borrowing Symantec's credibility in the industry: the attackers set up a fake site that mirrors the content of Symantec's real website. “The malware is being promoted via a fake Symantec blog site at symantecblog[dot]com,” Malwarebytes Labs reported.
“The registration information for the domain appears, on first glance, to be legitimate, using the same name and address as the legitimate Symantec site,” it adds. The giveaway is the registrant email: the domain was registered with an address belonging to a “connelcristopher”, not a Symantec one. The site's TLS certificate is valid, so browsers show the connection as secure, but it was issued by Comodo rather than by Symantec's own certificate authority, which is not what you would expect from a company that runs a CA itself.
Links to the fake site have been shared on Twitter by both fake and legitimate accounts. The researchers suggest that the actor behind this targeted campaign may have used stolen passwords to post from legitimate accounts. It is also plausible that users were simply tricked into sharing the fake site's security posts, given its convincing name and appearance.
Proton can steal data from macOS users and stay persistent on the target system
OSX/Proton is used by criminals to harvest login credentials and take over user accounts, but it takes far more than that: it can collect sensitive data from across the whole machine, including the contents of password managers.
Delivered from the fake Symantec site, the malware arrives as a “Symantec Malware Detector” application that asks for authorization to run a system check. Closing that window at this point does nothing further. If the user agrees, the app prompts for the administrator password (which raises little suspicion, since many genuine security tools ask for it) and then shows a progress bar that claims to be scanning the machine. In the background, Proton is being installed on the Mac.
Malwarebytes warns that once installed, Proton “captures and exfiltrates things like keychain files, browser auto-fill data, 1Password vaults, and GPG passwords”.
Because the fake password prompt has captured the user's login password, the attackers can at a minimum decrypt the exfiltrated keychain files: the login keychain is protected by that same password, so the stolen copy can be unlocked offline.
Researchers advise anyone who finds the Symantec Malware Detector application on their Mac to delete it; there is no risk of removing something legitimate, because Symantec has no product by that name.
“Fortunately, Apple is aware of this malware and has revoked the certificate used to sign the malware,” researchers wrote. “This will prevent future infections by the Symantec Malware Detector. Revoking the certificate will not, by itself, do anything to protect a machine that is already infected.” Security experts have previously advised a complete macOS reinstall, since that is the “only sure way to get rid of” Proton once it is on the machine.
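As an added example (not part of the Malwarebytes report or of this article), the following POSIX shell script shows how a responder could triage a Mac for the dropper described above: it locates any app bundle whose name contains “Symantec Malware Detector” under the usual download locations and, on macOS, runs the code-signature and Gatekeeper checks that show who signed the bundle and whether its certificate is still trusted or has been revoked as described. The bundle name “Symantec Malware Detector.app”, the search roots and the script name are assumptions; the article gives only the application's display name. The script does not look for Proton's own persistence components, which the article does not describe, so a hit confirms the dropper was present but a clean result does not prove the machine is clean.

```shell
#!/bin/sh
# proton_triage.sh (hypothetical name): added example, not code from Malwarebytes
# or the article. Locates a macOS app bundle matching the fake "Symantec Malware
# Detector" dropper and reports its signing state.
#
# Assumptions (not stated in the article): the dropper is a bundle named
# "Symantec Malware Detector.app" and it sits in one of the roots searched by
# scan_default_roots(). Adjust both if your environment differs.

SUSPECT_NAME='Symantec Malware Detector'

# find_suspect_apps ROOT... : print every *.app directory under the roots whose
# name contains $SUSPECT_NAME. Returns 0 if at least one was found, else 1.
# Missing roots are skipped; -prune keeps find from descending into a match.
find_suspect_apps() {
    hits=""
    for root in "$@"; do
        [ -d "$root" ] || continue
        hits="$hits
$(find "$root" -type d -name "*${SUSPECT_NAME}*.app" -prune -print 2>/dev/null)"
    done
    hits=$(printf '%s\n' "$hits" | sed '/^$/d')
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# signature_status APP : on macOS, show who signed the bundle and whether
# Gatekeeper still accepts it. Once Apple revokes the signing certificate (as
# the article says happened here), spctl reports the bundle as rejected, while
# codesign -dv still lists the Authority chain, which is useful for matching
# other samples. On a host without these tools, say so and return 2.
signature_status() {
    app=$1
    if ! command -v codesign >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
        echo "codesign/spctl not available on this host; run this on the affected Mac"
        return 2
    fi
    echo "== codesign identity for: $app"
    codesign -dv --verbose=2 "$app" 2>&1 \
        | grep -E '^(Identifier|TeamIdentifier|Authority)=' \
        || echo "(unsigned or unreadable)"
    echo "== Gatekeeper assessment (accepted/rejected)"
    spctl --assess --type execute -vv "$app" 2>&1 || true
}

# scan_default_roots : search the places a downloaded dropper usually lands.
scan_default_roots() {
    find_suspect_apps "$HOME/Downloads" "$HOME/Desktop" "$HOME/Applications" /Applications
}

# Run the scan only when invoked with --scan, so the functions can be sourced
# or tested without touching the live filesystem.
if [ "${1:-}" = "--scan" ]; then
    if apps=$(scan_default_roots); then
        printf '%s\n' "$apps" | while IFS= read -r app; do
            signature_status "$app"
            echo "Advice from the report: delete this bundle; Symantec ships no product by this name."
        done
    else
        echo "No '$SUSPECT_NAME' bundle found in the default locations."
    fi
fi
```

Run it as `sh proton_triage.sh --scan` on the suspect Mac. The search is by bundle name only, so a renamed copy of the dropper would be missed; the signature check is the more robust signal, since any bundle signed with the revoked certificate is rejected by Gatekeeper regardless of its name.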