In recent years, we have come across various ways by which malware spreads into the system. It can be via phishing emails, via attachments attached to a legitimate-looking email and many more. However, this time the method adopted is not only different but also make you stunned.
This time attackers spoof the official blog of Symantec. Yes, you are right Symantec a leading anti-virus company. A malicious website is designed by the attackers to spoof the innocent which is exactly the mirror image of official Symantec blog. And, what more shocking is that the attackers not even acquired an SSL certificate for their fake website but also registered the domain with address of Symantec’s Mountain View headquarters.
How it came to notice
A security researcher found that a blog link which looks almost similar to Symantec official blog is published using various Twitter accounts on 19th November. The link redirects you to a fake site of Symantec blog which though almost looks similar to original site. Ever the URL used is symantecblog.com which is enough to disguise a user (The official link to Symantec blog is https://www.symantec.com/blogs).
How it disguises the user?
Once the user is redirected to this fake blog site he there finds a fake article regarding CoinThief(a malware which existed in the year 2014). The blog stated that a new variant of CoinThief malware has come to existence though originally no such new variant exists.
The blog also contains a link to a program (again a hoax) Symantec malware Detector supposed to scan and remove the malware. Once a user installs that program it installs the OSX.proton malware on his mac.
Also Read: An Insight into Grayware
How does malware install?
Icon of fake Symantec Malware Detector Application
The user which are tricked and install this Symantec malware Detector tool on their mac are greeted by a window that contains original Symantec logo.
Then it asks to click on Check to proceed.
Once the user clicks on Check button, a prompt window pops up asking the user for his login credentials. This prompt is similar to the prompt which a user always gets while installing/uninstalling any application from his mac.
Now once the user entered his valid credentials the OSX.proton installs in the machine. After that again a fake prompt pop-up stating that the system is scanned for the malware.
Also Read: Mac Ransomware: A Brief Look At History
And at last as it was a fake scan it just tells the user, no malware infections found on his mac. Although in reality it was all gimmick for installing Proton malware on the mac.
This malware once installed steal all your login details along with Keychain files, browser auto-fill data, 1Password vaults, and GPG passwords and store them in a hidden file inside the following path:
However, the good news is that now the site is no more accessible and Apple also has revoked the certificate used to sign the malware. But the users who have already been tricked needs to first trash this fake application and delete all the folders that it has created. Also, they need to change their login passwords for the mac along with other online accounts.
Also Read: Can Mac Malware Be Removed for Free?