Crooks spoofed Symantec’s website and offered a bogus security program for download
Proton Mac malware is back again, and this time the crooks took advantage of the security firm Symantec to spread the malicious program. Cybercriminals spoofed the company’s blog and created a fake post with a bogus “Symantec Malware Detector” download link. Those who were convinced that this tool could clean their computer of viruses actually installed data-stealing malware.
The criminals did a pretty good job of copying the legitimate blog, hosting the fake at symantecblog[.]com. The site even had an SSL certificate; however, it was issued by Comodo instead of Symantec, a detail regular users do not pay attention to.
Fortunately, the website has been shut down. A Symantec spokesperson told the media that the fake company blog is down and that they are working on the removal of another bogus site, symanteceurengine[.]com.
Criminals created a fake blog post about a non-existent update of the virus
According to Malwarebytes research, the authors of the OSX.Proton malware created a fake blog post about the CoinThief malware. The post then suggested installing “Symantec Malware Detector”, a bogus program that is supposedly able to remove the virus from the computer.
CoinThief is indeed a real cyber threat: it emerged in 2014 to steal Bitcoins from infected Macs. However, no new version of it has recently been released, and “Symantec Malware Detector” is not a real program. People who were tricked by this hoax actually installed the Proton malware, which is capable of stealing personal information.
To spread the scam, the crooks shared a link to the fake blog post on Twitter. They used a bunch of fake accounts to generate noise about the non-existent malware update, but some legitimate profiles were involved in the distribution as well. It is assumed that some of these accounts may have been compromised during previous Proton malware attacks.
It’s not the first time criminals have spread the Mac malware OSX.Proton using legitimate programs
Since its release in May 2017, the developers of the Proton malware have already compromised three legitimate programs to spread the virus. They started by hacking Handbrake’s website, the official site of the video encoding program, so users who downloaded the application installed the malware as well.
After a summer of silence, the malware’s creators struck again. In October, security researchers from ESET reported that the website of software developer Eltima had been compromised and was serving an infected Elmedia Player. Just as in the previous case, the Proton virus infected the system when people downloaded the corrupted program.
Fortunately, the attacks were stopped. It is currently unknown what damage the malware caused Mac users this time. However, people who recently installed Symantec software are advised to check that they haven’t downloaded a malicious program by accident: the bogus software is signed by Sverre Huseby and uses an E224M7K47W certificate.
Lastly, if you have installed the malicious software, you should remove it immediately, change all your passwords and monitor your account activity, especially banking details.
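As an added example (not code from the article or from Malwarebytes), the following POSIX shell script implements the check recommended above: it asks codesign for each app bundle's signing chain and flags bundles whose chain mentions the signer name or the certificate identifier reported in the article. The codesign output format assumed here (Authority= and TeamIdentifier= lines printed on stderr) is an assumption about the tool, and the sample output embedded for self-testing is constructed with placeholder paths and bundle identifiers.

```shell
#!/bin/sh
# Added example, not part of the article or of Malwarebytes' research: flag macOS app
# bundles whose code-signing chain names the signer the article reports
# ("Sverre Huseby") or the identifier it reports ("E224M7K47W").
# Assumption: `codesign -dv --verbose=4` prints the signing chain as "Authority=..."
# lines and the team as "TeamIdentifier=..." on stderr (hence the 2>&1 below).

SUSPECT_NAME="Sverre Huseby"
SUSPECT_ID="E224M7K47W"

# is_suspect_signature: reads codesign output on stdin; exits 0 if it mentions the
# suspect signer name or identifier, 1 otherwise.
is_suspect_signature() {
    grep -q -e "$SUSPECT_NAME" -e "$SUSPECT_ID"
}

# check_app: run codesign on one bundle path; prints a verdict line and exits 0
# only for a suspect signature, so callers can count hits.
check_app() {
    app="$1"
    if codesign -dv --verbose=4 "$app" 2>&1 | is_suspect_signature; then
        printf 'SUSPECT  %s\n' "$app"
        return 0
    fi
    printf 'ok       %s\n' "$app"
    return 1
}

# scan_dir: check every .app bundle directly under a directory and echo how many hit.
scan_dir() {
    hits=0
    for app in "$1"/*.app; do
        [ -d "$app" ] || continue
        if check_app "$app"; then hits=$((hits + 1)); fi
    done
    echo "$hits"
}

# Constructed samples in the shape codesign prints, used only to exercise the matcher
# on a machine without codesign. Paths and bundle identifiers are placeholders.
SAMPLE_SUSPECT='Executable=/Applications/Placeholder.app/Contents/MacOS/Placeholder
Identifier=com.example.placeholder
Authority=Developer ID Application: Sverre Huseby (E224M7K47W)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=E224M7K47W'

SAMPLE_CLEAN='Executable=/Applications/Other.app/Contents/MacOS/Other
Identifier=com.example.other
Authority=Developer ID Application: Example Developer (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Usage on a Mac: scan_dir /Applications; scan_dir "$HOME/Applications"
```

Run scan_dir over /Applications and the per-user Applications folder; a non-zero count means at least one bundle carries the reported signer, and the SUSPECT lines name which ones. Matching on both the name and the identifier keeps the check useful if only one of the two appears in the chain.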