Beware the bogus Symantec blog which will infect you with Proton D

For the last few days, there has been a website posing as a Symantec security blog, at symantecblog[dot]com, which has been spreading malware to Macs.

Merely visiting the site does no harm, but the article there warns – completely falsely – about a new version of the old CoinThief malware, and offers a free download of a Symantec Malware Detector. That download, posing as an anti-malware tool, is of course the malware itself.

If you download Symantec Malware Detector and run it, the malware continues to pretend that it is a genuine Symantec product with a suitable splash screen, then requires admin authentication in a standard authentication dialog. Should you enter your admin password there, your Mac will have OSX.Proton.D installed on it, not an anti-malware product at all.

Currently, OSX.Proton.D is not detected by any of the bundled protection systems in macOS, such as XProtect. These only tackle Proton variants A and B, and because they are so specific, offer no protection against this Proton D variant.

Like the other members of the Proton malware family, the D variant captures sensitive information from your Mac, such as passwords, from keychains, 1Password vaults, and GPG.

Symantec Malware Detector, like other Proton malware, is signed using a currently valid developer certificate, belonging to Sverre Huseby (team identifier E224M7K47W). That certificate doesn’t appear to have been revoked yet, so will pass Gatekeeper’s checks.

Characteristic of a Proton D infection is the appearance of a new property list at /Library/LaunchAgents/com.apple.xpcd.plist, which shouldn’t be there at all, and hidden folders at /Library/.cachedir and /Library/.random, the latter containing the malware code. Fuller details are in Thomas Reed’s article for the Malwarebytes Labs.

Malwarebytes detects and removes the infection, Objective-See’s products will alert you to its presence, and Sqwarq’s DetectX also detects it reliably. Expect pushed security software updates from Apple in the next few hours or days to address this too.

(Thanks to @thomasreed, Patrick Wardle, and Phil Stokes for this important information.)

3Comments

Add yours

1

philastokes on November 22, 2017 at 9:38 am

There’s also a app bundle dropped at /tmp/xpc.app that isn’t mentioned by others. That may well get deleted eventually as /tmp/ gets cleared out, but I’d advise anyone infected with this to be proactive (DetectX identifies this file along with the others).

LikeLike
- 2
  
  hoakley on November 22, 2017 at 9:52 am
  
  Thank you, Phil: that is valuable info.
  Thanks also for making it clear that DetectX also detects it – I’ll add that to the post in just a second, for those who don’t read the comments.
  Howard.
  
  LikeLike
  - 3
    
    philastokes on November 22, 2017 at 3:41 pm
    
    No probs. Also worth noting that while the malware does modify the sudoers file on 10.12 and 10.13 it doesn’t bother on 10.11 and earlier (doesn’t need to, as the behaviour it seeks was already default behaviour prior to 10.12).
    
    LikeLiked by 1 person

Share this:

Related