Fake Symantec blog spreads macOS malware

  • Liam Tung (CSO Online)
  • 22 November, 2017 05:57
Fake Symantec security tool, fake Symantec security blog, real macOS malware
Fake Symantec security tool, fake Symantec security blog, real macOS malware

A fake Symantec blog is being used to host a fake security tool called “Symantec Malware Detector” that will, if downloaded, infect Mac machines with a variant of the Proton malware. 

The bogus Symantec blog is the latest trick being used to infect macOS systems with Proton, which opens a backdoor on infected Macs and steals keychain information, cookies and other information.

Previously, Proton attackers have used so-called supply chain attacks, infecting unwitting users through compromised copies of legitimate software. In May Proton was bundled with the Handbrake video transcoder application for macOS and in October a trojanized copy of Elmedia Player targeted Mac users. 

A security researcher known on Twitter as @noarfromspace discovered several Twitter accounts on Sunday being used to spread links to the fake Symantec blog at symantcblog[dot]com.  

The domain was even registered with the real address of Symantec’s Mountain View headquarters, however it was registered with a non-Symantec email account. 

The attackers did go to the trouble of getting an SSL certificate for the site, however as the researcher noted, the site used the Comodo certificate authority rather than Symantec’s certificate authority. 

As Malwarebytes researcher Thomas Reed notes, the fake blog was a decent copy of Symantec’s real security blog and mirrored the same content. 

The fake site hosted a copy of non-existent but real-enough sounding Symantec security tool called “Symantec Malware Detector". 

The blog itself discussed a purportedly new version of the CoinThief malware first found in 2014. However, as Reed notes, the new version was fake news designed encourage users to install the Symantec Malware Detector.  

If Symantec Malware Detector is installed the app displays a window with Symantec’s logo and a “check” button that purports be how user’s given their consent to “send a non-identifying report to Symantec Inc. to improve the heuristic engine”. If the user clicks Check, they're prompted to enter their username and password in a fake Apple password request window which steals the victim’s password. After that the application installs the Proton malware. 

The fake Symantec application was signed by a developer by the name of Sverre Huseby using a certificate team ID of E224M7K47W. Apple has now been revoked the certificate.

Given that the malware has phished the user’s admin password, the attackers would be able to decrypt the keychain files it steals. Other information it steals include browser auto-fill data, 1Password vaults, and GPG passwords. 

Though Reed notes Proton is fairly simple to remove, Mac users who were infected need to take “emergency actions” and change all online passwords as they should be considered compromised. He also advises users enable two-factor authentication, which should minimize the damage after a breach like this occurs. Anything stored in Apple’s keychain, such as credit cards or any other secrets, should be treated as compromised, Reed cautions. 

Symantec said its brand legal and brand teams are aware of the fake blog and are working on a resolution.