Crooks set up a fake Symantec Blog to spread the macOS Proton malware

A new strain of the notorious macOS Proton malware is spreading through a blog spoofing the legitimate blog of the security firm Symantec.

The attackers used the same domain registration information of the original site, except for the email address.

The SSL digital certificate for the site is a legitimate certificate issued by Comodo instead of the Symantec’s certificate authority.

The attackers created a the fake blog symantecblog[dot]com that mirrored content from the original website. The experts from Malwarebytes discovered that a post about a new version of CoinThief malware was promoting the application called “Symantec Malware Detector,” that was used to distribute the OSX.Proton.

“The malware is being promoted via a fake Symantec blog site at symantecblog[dot]com. The site is a good imitation of the real Symantec blog, even mirroring the same content. The registration information for the domain appears, on first glance, to be legitimate, using the same name and address as the legitimate Symantec site. The email address used to register the domain is a dead giveaway,” reads the analysis published by Malwarebytes.

Threat actors spread links to the fake blog on Twitter using both fake and legitimate compromised accounts. The Symantec Malware Detector application acts like a dropper.

The malicious Symantec Malware Detector application displays a simple window with  the Symantec logo requiring the authorization to perform a system check.If the victim agrees to run the check, the admin password is requested, allowing the malware stealing the password. Next, the app displays a progress bar to trick victims into believing that it is scanning the computer, instead it is installing the Proton malware in the background.

Once installed, the Proton malware gathers user information, such as the admin password and other personally-identifying information (PII). The malicious code saves all data to a hidden file.

“The malware also captures and exfiltrates things like keychain files, browser auto-fill data, 1Password vaults, and GPG passwords. Since the malware has phished the user’s password, the hackers will be able to decrypt the keychain files at a minimum.” continues the analysis.

Once this “dropper” app has been run, the following paths are created on the target system:


The Proton executable is dropped in the .random directory and is kept running by the launch agent. The stolen data is stored in the. cachedir folder.

In order to prevent future infections, Apple has revoked the certificate used to sign the malware.

“Fortunately, Apple is aware of this malware and has revoked the certificate used to sign the malware. This will prevent future infections by the Symantec Malware Detector. Revoking the certificate will not, by itself, do anything to protect a machine that is already infected,” states the report. 

Experts believe that the Proton malware will continue to circulate, Macs will continue to be the targets of an increasing amount of malware.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – cybercrime, Proton malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.