Attackers are using a fake Symantec blog website to deliver OSX.Proton malware to Mac devices. Security researchers at Malwarebytes, who discovered the campaign, said the fake site contains an analysis of a supposed new version of the CoinThief malware. The fake post also mentions a program called "Symantec Malware Detector" that will supposedly remove this malware. No such program exists: the download is actually the Proton malware, and users who download and install it are infected with OSX.Proton.

"The malware is being promoted via a fake Symantec blog site at symantecblog[dot]com. The site is a good imitation of the real Symantec blog, even mirroring the same content. The registration information for the domain appears, on first glance, to be legitimate, using the same name and address as the legitimate Symantec site. The email address used to register the domain is a dead giveaway. However, even more suspicious is the certificate used by the site. It is a legitimate SSL certificate, but was issued by Comodo rather than Symantec's own certificate authority," Malwarebytes said in its blog post.

Links to the fake post have been spread on Twitter by fake accounts created by the attackers, and some users have retweeted the link believing it to be legitimate. There is also a chance that the attackers are using accounts whose passwords were compromised in a previous Proton malware attack.

Once infected, the victim's system is under the malware's complete control with root privileges. The malware can run console commands in real time, access the file manager, provide SSH/VNC connectivity, take screenshots, access the webcam, and steal information such as credit card or license details by requesting it through a custom fake window. It can also access iCloud even when two-factor authentication is enabled, because it carries a genuine Apple code-signing signature.
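The two indicators Malwarebytes describes above (a look-alike domain registered to mimic the brand, and a valid certificate from a CA the brand does not use) are easy to turn into a routine check. The following is an added example, not code from Malwarebytes or the article. The `fetch_peer_cert` helper pulls a live certificate in the dict form Python's `ssl` module returns; the sample certificate dictionary, the allow-list of legitimate domains and the expected issuer organisation are constructed values for illustration, not data from the page.

```python
"""Triage a suspect website using two indicators: a look-alike domain and
a TLS certificate from an unexpected issuer.

Added example (not Malwarebytes' or the article's code). The expected-issuer
list and the sample certificate dictionary below are constructed; adapt them
to the brand you are protecting.
"""
import ssl
import socket
from typing import Iterable, List, Optional


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Return the server's certificate in the dict form produced by
    ssl.SSLSocket.getpeercert(). Needs network access; not used by the tests."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def rdn_value(name: tuple, attr: str) -> Optional[str]:
    """Extract one attribute (e.g. 'organizationName') from the nested
    tuple-of-tuples structure getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def is_lookalike_domain(host: str, brand: str, legit_domains: Iterable[str]) -> bool:
    """True when the host contains the brand name but is neither an
    official domain nor a subdomain of one."""
    host = host.lower().rstrip(".")
    if brand.lower() not in host:
        return False
    for d in legit_domains:
        d = d.lower()
        if host == d or host.endswith("." + d):
            return False
    return True


def issuer_is_expected(cert: dict, expected_orgs: Iterable[str]) -> bool:
    """True when the certificate's issuer organizationName is one of the
    CAs the brand is known to use."""
    org = rdn_value(cert.get("issuer", ()), "organizationName")
    return org is not None and org.lower() in {o.lower() for o in expected_orgs}


def triage(host: str, cert: dict, brand: str,
           legit_domains: Iterable[str], expected_issuer_orgs: Iterable[str]) -> List[str]:
    """Return the indicators that fired; an empty list means nothing suspicious."""
    findings = []
    if is_lookalike_domain(host, brand, legit_domains):
        findings.append("domain contains the brand name but is not an official domain")
    if not issuer_is_expected(cert, expected_issuer_orgs):
        findings.append("certificate issuer is not one of the brand's known CAs")
    return findings


# Constructed sample: a look-alike domain whose certificate was issued by a
# third-party CA. The field values are illustrative, not captured data.
SAMPLE_HOST = "symantecblog.com"
SAMPLE_CERT = {
    "subject": ((("commonName", "symantecblog.com"),),),
    "issuer": (
        (("countryName", "GB"),),
        (("organizationName", "COMODO CA Limited"),),
        (("commonName", "COMODO RSA Domain Validation Secure Server CA"),),
    ),
    "notAfter": "Nov 30 23:59:59 2018 GMT",
}
LEGIT_DOMAINS = ["symantec.com"]                 # constructed allow-list
EXPECTED_ISSUER_ORGS = ["Symantec Corporation"]  # constructed expectation

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOST, SAMPLE_CERT, "symantec",
                          LEGIT_DOMAINS, EXPECTED_ISSUER_ORGS):
        print("SUSPICIOUS:", finding)
```

The check is deliberately narrow: a CA mismatch alone proves nothing (organisations change CAs), but combined with a brand-bearing domain that is not on the allow-list it is exactly the pattern the researchers flagged, and it is cheap to run against every link that arrives in a phishing report.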
The attacker somehow passed Apple's vetting of third-party software and obtained a genuine developer certificate. Apple was notified of the issue and has revoked the certificate used to sign this malware, which will prevent the "Symantec Malware Detector" from infecting further Mac users. The website has also been taken down after the hosting company suspended the attackers' account.

Since the malware is designed to steal login credentials, infected users are advised to immediately change the passwords of all of their accounts, use a different password for each account, and enable two-factor authentication on every account. Users are advised not to download software from third-party platforms to avoid infection. Earlier in October, OSX/Proton was found using legitimate apps such as Elmedia Player and Folx to infect Mac users.