Mac malware Proton spreads through fake Symantec blog mirroring original posts

On November 21, 2017, Symantec published a blog post warning computer users about a fake website mimicking Symantec's blog and its posts to spread a new strain of the OSX.Proton malware. The infection spread through the mirroring blog targets Mac operating systems. The OSX.Proton Trojan was disguised as a security program named Symantec Malware Detector whose task would be to kill the purported threat CoinThief, which is allegedly known to malware researchers since 2014. Readers are warned that the new variant of CoinThief is in the wild and that the Symantec Malware Detector will identify and remove the infection. Unfortunately, all of this is just a hoax.

When the fake security tool is launched, a prompt window with the logo of the company and a Check button is displayed. The payload could be prevented by closing the prompt window; however, those who had downloaded Symantec Malware detector probably did click the button to continue. A user is asked to type in the admin password, which would not be done in reality by a legitimate program. Once a user click the button OK, the malicious software imitates a system scan while in reality it downloads the OSX.Proton Trojan.

Once on the computer, the OSX.Proton malware captures user data, including the admin password and other personally identifiable information. The infection is also capable of capturing keychains, cookies, and other login details.

A lot of readers might not suspect that the malicious website, compared to the original URL, is a fake website, especially when it has a SSL certificate. The tricky part here is that the certificate was issued by Comodo instead of Symantec, which has private certification authority. Little attention is paid to the issuer of certification, which can be checked by moving the mouse cursor to the padlock in front of the URL of the web page.

If you are not sure whether you have downloaded a malicious program or not, it is worth checking its code signature. To do so, launch Terminal, which is accessible through the Applications and Utilities folders. Enter the command "codesign - dvvv path/to/Symantec Malware" to find the program's signature. If you find that the software is signed by Sverre Huseby, and that the certificate is given as E224M7K47W, that is a sign that you are dealing with a malicious program.

Potential victims learned about the alleged threat CoinThief from Tweets, many of which are reported to be sent from fake accounts, while some other accounts seem to be legitimate. It is believed that the legitimate accounts were used without their user's knowledge after stealing their passwords.

The website is reported to have been shut down, but there is another malicious website,, that has to be dealt with by Symantec to bring the scam to the end.

The Mac malware Proton was earlier spread over Mac software HandBrake, which was replaced with the data-stealing Trojan. Visitors were provided with a bogus security alert once they had accessed the program's website.

It is openly discussed that Mac users are not as cautious about malware as their Windows counterparts, encouraging cyber crooks to try their luck accessing unprotected Mac operating systems. If you have recently downloaded a questionable program, it is worth scanning the system to make sure that it is malware-free. Moreover, if you have recently downloaded Symantec Malware Detector, you should change all your passwords to prevent crooks from accessing and using your PC for illegal actions.

Abel, Robert. Fake Symantec site spreads OSX.Proton password. November 27, 2017.

Cluley, Graham. Malware warning for Mac users, after HandBrake mirror download server hacked. May 8, 2017

Johnson, Amy L. Beware of Fake Symantec Blog. November 21, 2017

Reed, Thomas. OSX.Proton spreading through fake Symantec blog. November 20, 2017

Symantec. OSX.Proton. May 8, 2017