OSX.Proton spread via fake Symantec blog.

A security researcher using the Twitter handle @noarfromspace last week spotted a fake Symantec blog spreading a new variant of the OSX.Proton password stealer.

The malware family has been circulating since its initial appearance in March 2017 and has since been distributed via a compromised Handbrake application and a similar compromise of the Ellmedia Software applications, according to a Nov. 20, 2017, Malwarebytes blog post.

Researchers said the registration information on the domain, at first glance, appears to be legitimate because it uses the same name and address as the real Symantec site, but the email address used to register the domain is a dead giveaway. The site also uses a legitimate SSL certificate, but one issued by Comodo rather than Symantec's own certificate authority.

The fake site itself also does a good job of mimicking Symantec's site and even includes the same content, though it contains a made-up blog post about a supposed new version of CoinThief that is, of course, false. This fake story promotes a program called “Symantec Malware Detector,” supposedly to detect and remove the malware that doesn't actually exist, urging users to download it.

The Symantec Malware Detector is also a made-up product that doesn't exist. Links to the fake post have also been spread on Twitter, with many of the tweets sent from what appear to be fake accounts while others appear to be legitimate.

Researchers noted that because the malware is designed to steal passwords, it's likely the legitimate accounts were accessed with passwords already stolen using the malware.

The “Symantec Malware Detector” is actually the OSX.Proton malware, which looks to steal the user's admin password in clear text along with other personally identifiable information, as well as to capture and exfiltrate things like keychain files, browser auto-fill data, 1Password vaults, and GPG passwords.

When a user attempts to run the phony application, it displays a very simple window using the Symantec logo, prompting users to click a single “Check” button. Clicking it prompts the user to enter their admin password, and if they enter it, the malware is installed.

Researchers noted that if a user were to quit the application at the screen that prompts them to click “Check,” nothing would be installed, but because the malware is so convincing, anyone who has made it to this point would be unlikely to bail.

Researchers said users unsure of whether or not they downloaded the proper application should check the code signature of the application to see if it has been signed by someone named Sverre Huseby, using a certificate with a team identifier of E224M7K47W. Anything with this certificate should be considered malicious, researchers added.
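The signature check described above can be scripted on macOS with Apple's `codesign` tool. The following is an added example, not code from the researchers; the function names are hypothetical and the sample output is constructed for illustration.

```shell
#!/bin/sh
# Added example: flag code signed with the certificate named in the article.
BAD_TEAM_ID="E224M7K47W"   # team identifier reported in the article

# Reads `codesign -dv --verbose=4` output on stdin and prints a verdict.
# Exit status: 0 = signed with the reported certificate, 1 = no match.
classify_signature() {
    awk -v team="$BAD_TEAM_ID" '
        /^TeamIdentifier=/ { sub(/^TeamIdentifier=/, ""); tid = $0 }
        /^Authority=/ && index($0, "(" team ")") { by_authority = 1 }
        END {
            if (tid == team || by_authority) {
                print "MALICIOUS: team identifier " team
                exit 0
            }
            print "no match (TeamIdentifier=" (tid == "" ? "none" : tid) ")"
            exit 1
        }'
}

# Check one bundle or binary; codesign writes its details to stderr.
check_app() {
    codesign -dv --verbose=4 "$1" 2>&1 | classify_signature
}

# Scan every .app directly inside the given directories; returns 0 on any hit.
scan_apps() {
    hits=0
    for dir in "$@"; do
        for app in "$dir"/*.app; do
            [ -e "$app" ] || continue
            if verdict=$(check_app "$app"); then
                printf '%s: %s\n' "$app" "$verdict"
                hits=$((hits + 1))
            fi
        done
    done
    [ "$hits" -gt 0 ]
}

# Constructed codesign output (not captured from a real sample).
sample_flagged() {
    cat <<'EOF'
Identifier=com.example.placeholder
Authority=Developer ID Application: Sverre Huseby (E224M7K47W)
Authority=Developer ID Certification Authority
TeamIdentifier=E224M7K47W
EOF
}
```

On a Mac, `scan_apps /Applications "$HOME/Downloads"` lists any application bundle carrying that team identifier; unsigned bundles are reported as no match, so a clean result does not by itself prove an app is legitimate.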

The malware can be cleared using antivirus solutions, but users should ensure they take emergency action post-infection, such as changing all of their online passwords, and act as if their credentials have already been compromised.

"We can confirm that symantecblog.com and symanteceurengine.com are not legitimate Symantec properties," a Symantec Spokesperson said. "We have taken immediate action for both sites to be removed, and so far can confirm that symantecblog.com has been taken down."