Imitation Symantec Blog Site Spreads New Version of Proton Malware

A new version of Proton, a remote access trojan (RAT) targeting macOS, has been identified after a security researcher observed Twitter posts promoting a link to a suspicious website that masqueraded as the Symantec blog site. This site mirrored the same content as the legitimate Symantec website; however, the certificate used by the site was an SSL certificate issued by Comodo, not Symantec’s own certificate authority. The malicious clone encouraged visitors to download software named Symantec Malware Detector supposedly designed to detect and remove a piece of malware called CoinThief. Users who downloaded this software using a system running macOS were infected with the Proton RAT, which collects and exfiltrates data such as keychain files, browser auto-fill data, 1Password vaults, and GPG passwords. The NJCCIC confirmed on the evening of Monday, December 4, that the malicious site’s security certificate was revoked and, as a result, all common web browsers block access to it. The NJCCIC recommends macOS users who may have visited the malicious site determine if Proton RAT resides on their systems by reviewing the Malwarebytes report and using the methods provided for detection and remediation, if necessary. Also, ensure that any password manager master passwords are not stored in a keychain or anywhere else on the device, enable multi-factor authentication on all accounts that offer it, and educate users on this and similar threats that exploit users’ trust in reputable companies to trick them into infecting their devices with malware.