The Proton Mac malware is back with a new—and ironic—method: Spoofing Symantec’s security blog, then amplifying it through Twitter.
The fake site contains a blog post about a supposed new version of CoinThief, a piece of malware from 2014. After going through an “analysis”, the post promotes a non-existent program called “Symantec Malware Detector”—which is, of course, the Proton malware in disguise.
It’s easy to see why consumers would be duped. Aside from the fact that the site actually has content., the fake URL is a savvy one: symantecblog[dot]com.
“The site is a good imitation of the real Symantec blog, even mirroring the same content,” said Thomas Reed, director of Mac & Mobile at Malwarebytes Labs, in an analysis. “The registration information for the domain appears, on first glance, to be legitimate, using the same name and address as the legitimate Symantec site. The email address used to register the domain is a dead giveaway, however.”
Interestingly (and also a red flag), the site is using a legitimate SSL certificate, but it was issued by Comodo rather than Symantec’s own certificate authority.
Meanwhile, links to the fake post have been spreading on Twitter. Some of the accounts tweeting the link appear to be fake accounts, but others seem to be legitimate.
“Given the fact that the primary goal of the Proton malware is to steal passwords, these could be hacked accounts whose passwords were compromised in a previous Proton outbreak,” Reed said. “However, they could also simply be the result of people being tricked into thinking the fake blog post is real.”
Users who download and run the “Symantec Malware Detector” will instead be infected with malware, which then sets about capturing information, including logging the user’s admin password in clear text, while sending other personally-identifying information (PII) to a hidden file. The malware also captures and exfiltrates things like keychain files, browser auto-fill data, 1Password vaults, and GPG passwords. Since the malware has phished the user’s password, the hackers will be able to decrypt the keychain files at a minimum.
Reed said that Apple is aware of this malware and has revoked the certificate used to sign the malware, to prevent future infections by the Symantec Malware Detector. This won’t help protect a machine that is already infected, though.
“Since Proton is designed to steal login credentials, you will need to take some emergency actions post-infection,” said Reed. “You should treat all online passwords as compromised and change them all. Be sure, while you’re at it, to use different passwords on every site, and use a password manager (such as 1Password or LastPass) to keep track of them. Since 1Password vaults are a target of Proton, be sure that you don’t store your password manager’s master password in your keychain or anywhere else on the computer. That should be the one and only password that you memorize, and it should be strong.”
Users should also enable two-factor authentication.
The Proton Mac malware is back with a new—and ironic—method: Spoofing Symantec’s security blog, then amplifying it through Twitter.
The fake site contains a blog post about a supposed new version of CoinThief, a piece of malware from 2014. After going through an “analysis”, the post promotes a non-existent program called “Symantec Malware Detector”—which is, of course, the Proton malware in disguise.
It’s easy to see why consumers would be duped. Aside from the fact that the site actually has content., the fake URL is a savvy one: symantecblog[dot]com.
“The site is a good imitation of the real Symantec blog, even mirroring the same content,” said Thomas Reed, director of Mac & Mobile at Malwarebytes Labs, in an analysis. “The registration information for the domain appears, on first glance, to be legitimate, using the same name and address as the legitimate Symantec site. The email address used to register the domain is a dead giveaway, however.”
Interestingly (and also a red flag), the site is using a legitimate SSL certificate, but it was issued by Comodo rather than Symantec’s own certificate authority.
Meanwhile, links to the fake post have been spreading on Twitter. Some of the accounts tweeting the link appear to be fake accounts, but others seem to be legitimate.
“Given the fact that the primary goal of the Proton malware is to steal passwords, these could be hacked accounts whose passwords were compromised in a previous Proton outbreak,” Reed said. “However, they could also simply be the result of people being tricked into thinking the fake blog post is real.”
Users who download and run the “Symantec Malware Detector” will instead be infected with malware, which then sets about capturing information, including logging the user’s admin password in clear text, while sending other personally-identifying information (PII) to a hidden file. The malware also captures and exfiltrates things like keychain files, browser auto-fill data, 1Password vaults, and GPG passwords. Since the malware has phished the user’s password, the hackers will be able to decrypt the keychain files at a minimum.
Reed said that Apple is aware of this malware and has revoked the certificate used to sign the malware, to prevent future infections by the Symantec Malware Detector. This won’t help protect a machine that is already infected, though.
“Since Proton is designed to steal login credentials, you will need to take some emergency actions post-infection,” said Reed. “You should treat all online passwords as compromised and change them all. Be sure, while you’re at it, to use different passwords on every site, and use a password manager (such as 1Password or LastPass) to keep track of them. Since 1Password vaults are a target of Proton, be sure that you don’t store your password manager’s master password in your keychain or anywhere else on the computer. That should be the one and only password that you memorize, and it should be strong.”
Users should also enable two-factor authentication.