Beware the bogus Symantec blog which will infect you with Proton D

For the last few days, there has been a website posing as a Symantec security blog, at symantecblog[dot]com, which has been spreading malware to Macs.

Merely visiting the site does no harm, but the article there warns – completely falsely – about a new version of the old CoinThief malware, and offers a free download of a Symantec Malware Detector. That download, posing as an anti-malware tool, is of course the malware itself.

If you download Symantec Malware Detector and run it, the malware continues to pretend that it is a genuine Symantec product with a suitable splash screen, then requires admin authentication in a standard authentication dialog. Should you enter your admin password there, your Mac will have OSX.Proton.D installed on it, not an anti-malware product at all.

Currently, OSX.Proton.D is not detected by any of the bundled protection systems in macOS, such as XProtect. These only tackle Proton variants A and B, and because they are so specific, offer no protection against this Proton D variant.

Like the other members of the Proton malware family, the D variant captures sensitive information from your Mac, such as passwords, from keychains, 1Password vaults, and GPG.

Symantec Malware Detector, like other Proton malware, is signed using a currently valid developer certificate, belonging to Sverre Huseby (team identifier E224M7K47W). That certificate doesn’t appear to have been revoked yet, so the app will pass Gatekeeper’s checks.

Characteristic of a Proton D infection is the appearance of a new property list at /Library/LaunchAgents/, which shouldn’t be there at all, and hidden folders at /Library/.cachedir and /Library/.random, the latter containing the malware code. Fuller details are in Thomas Reed’s article for the Malwarebytes Labs.
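An added check for the indicators just listed (example code, not from the original post or from any of the tools it names): it scans a volume root for the two hidden folders and for any property list in /Library/LaunchAgents that references them (that the agent points into those folders is an assumption), and optionally inspects a downloaded app’s signing team identifier with codesign where that tool exists.

```shell
#!/bin/sh
# Added example, not from the original post. Looks for the Proton D traces
# described in the article. ROOT defaults to "" (the running system) so the
# function can also be pointed at a mounted volume or a constructed test tree.

# proton_d_indicators [ROOT]
# Prints each indicator found, one per line. Returns 0 if nothing was found,
# 1 if at least one indicator is present.
proton_d_indicators() {
  root="${1:-}"
  found=0
  # Hidden folders the article names; /Library/.random holds the malware code.
  for dir in "$root/Library/.cachedir" "$root/Library/.random"; do
    if [ -d "$dir" ]; then
      echo "hidden folder present: $dir"
      found=1
    fi
  done
  # Assumption: the rogue LaunchAgent plist points into one of those folders.
  for plist in "$root"/Library/LaunchAgents/*.plist; do
    [ -f "$plist" ] || continue
    if grep -q -e '/Library/\.random' -e '/Library/\.cachedir' "$plist" 2>/dev/null; then
      echo "launch agent referencing hidden folder: $plist"
      found=1
    fi
  done
  return "$found"
}

# signed_by_proton_team APP_BUNDLE
# Returns 0 if the bundle's signature carries the team identifier the article
# reports (E224M7K47W), 1 otherwise, 2 if codesign is unavailable (non-macOS).
signed_by_proton_team() {
  command -v codesign >/dev/null 2>&1 || return 2
  codesign -d -vvv "$1" 2>&1 | grep -q '^TeamIdentifier=E224M7K47W$'
}

# Stand-alone use: scan the running system and report.
if [ "${1:-}" = "--scan" ]; then
  if proton_d_indicators ""; then
    echo "no Proton D indicators found"
  else
    echo "review the items above; see the Malwarebytes Labs write-up for removal"
  fi
fi
```

Run it as `sh check_proton_d.sh --scan` on the Mac in question; a clean machine prints only the final line.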

Malwarebytes detects and removes the infection, Objective-See’s products will alert you to its presence, and Sqwarq’s DetectX also detects it reliably. Expect pushed security software updates from Apple in the next few hours or days to address this too.

(Thanks to @thomasreed, Patrick Wardle, and Phil Stokes for this important information.)