Spoofed Symantec Blog Disseminated OSX.Proton Malicious Program
The Proton Mac malware has made a comeback, and this time the criminals traded on Symantec's company blog to spread it. They created an imitation of Symantec's blog and published a fake post promoting a bogus "Symantec Malware Detector", downloadable from a link in the post. Web users who trusted the tool and downloaded it expecting it to remove viruses from their computers would instead download and install a data-stealing piece of malware.
The crooks reproduced a legitimate Symantec blog post on the spoofed site, symantecblog[.]com. The site also carried an SSL certificate; however, it was issued by Comodo rather than by Symantec's own certificate authority.
In a blog post dated November 20, Malwarebytes said the Proton Mac malware had been around since it first appeared in March 2017, and that since then it had been distributed through a hijacked HandBrake application and a similar hijack of Eltima Software apps. Scmagazine.com reported this on November 27, 2017.
According to security researchers, the registration details for the spoofed Symantec site look genuine at a glance: the name and address used match those on Symantec's real site exactly. The e-mail address used to register the domain gives the fake away, however, as does the SSL certificate, which is legitimate but was issued by Comodo rather than by Symantec.
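As an added illustration of the certificate check the researchers describe (this is example code, not from the article, Symantec or Malwarebytes), the function below takes a server certificate in the dict form returned by Python's `ssl.SSLSocket.getpeercert()` and flags it when the issuer organisation is not one the site is expected to use, or when the certificate's names do not cover the hostname. The sample certificate, the hostname `symantecblog.example` and the expected issuer `Symantec Corporation` are constructed values for the demonstration, not the real certificate from the campaign.

```python
import socket
import ssl
from typing import Any, Dict, Iterable, List, Sequence, Tuple

# Constructed sample in the nested-tuple shape that getpeercert() returns.
# The values are illustrative only; they are not the spoofed site's real
# certificate.  Note the issuer is a Comodo CA, while the organisation whose
# blog this claims to be is assumed (for this example) to use its own CA.
SAMPLE_CERT: Dict[str, Any] = {
    "subject": ((("commonName", "symantecblog.example"),),),
    "issuer": (
        (("countryName", "GB"),),
        (("organizationName", "COMODO CA Limited"),),
        (("commonName", "Constructed Domain Validation CA"),),
    ),
    "subjectAltName": (
        ("DNS", "symantecblog.example"),
        ("DNS", "www.symantecblog.example"),
    ),
    "notAfter": "Dec  1 23:59:59 2018 GMT",
}


def rdn_to_dict(rdn_seq: Sequence[Sequence[Tuple[str, str]]]) -> Dict[str, str]:
    """Flatten getpeercert()'s tuple-of-tuples RDN sequence into attr -> value."""
    out: Dict[str, str] = {}
    for rdn in rdn_seq:
        for attr_type, value in rdn:
            out[attr_type] = value
    return out


def san_dns_names(cert: Dict[str, Any]) -> List[str]:
    """Return the DNS entries of the subjectAltName extension, if any."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_covered(hostname: str, names: Iterable[str]) -> bool:
    """True if hostname matches one of the certificate names (single-label wildcard allowed)."""
    host = hostname.lower()
    for name in names:
        name = name.lower()
        if name == host:
            return True
        # "*.b.example" covers "a.b.example" but not "x.a.b.example".
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False


def assess_cert(cert: Dict[str, Any], hostname: str, expected_issuer_orgs: Iterable[str]) -> Dict[str, Any]:
    """Compare a certificate against the hostname and the issuers the site is known to use.

    A valid certificate from an unexpected CA is not proof of fraud, but for a
    brand that runs its own CA it is a signal worth a closer look, which is the
    discrepancy the researchers pointed to.
    """
    issuer = rdn_to_dict(cert.get("issuer", ()))
    subject = rdn_to_dict(cert.get("subject", ()))
    names = san_dns_names(cert) or [subject.get("commonName", "")]
    issuer_org = issuer.get("organizationName", "")
    expected = {org.lower() for org in expected_issuer_orgs}

    findings: List[str] = []
    if not hostname_covered(hostname, names):
        findings.append(f"hostname {hostname} not covered by certificate names {names}")
    if issuer_org.lower() not in expected:
        findings.append(f"issuer organisation {issuer_org!r} not in expected set {sorted(expected)}")
    return {
        "hostname": hostname,
        "issuer_org": issuer_org,
        "names": names,
        "findings": findings,
        "suspicious": bool(findings),
    }


def fetch_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> Dict[str, Any]:
    """Fetch the live leaf certificate for a host (network access; not used by the offline sample)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline run against the constructed sample; "Symantec Corporation" is the
    # assumed expected issuer for this example.
    report = assess_cert(SAMPLE_CERT, "symantecblog.example", ["Symantec Corporation"])
    for finding in report["findings"]:
        print("FINDING:", finding)
    print("suspicious:", report["suspicious"])
```

`fetch_cert()` only returns a certificate when the default context already accepted it, so the check above is a policy layer on top of ordinary chain validation: it asks not "is this certificate valid?" but "is this the CA this organisation actually uses?", which is exactly the question that would have exposed the spoofed blog.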
The phony "Symantec Malware Detector" is in fact the OSX.Proton malware, which tries to capture the victim's administrative password in plain text along with other personally identifiable information (PII). It also attempts to seize and exfiltrate items such as browser auto-fill databases, keychain files, GPG passwords and 1Password vaults.
When a victim runs the fake app, a very simple window appears showing Symantec's logo and a single "Check" button. Clicking it prompts the victim for the admin password; if the password is entered, the malware is installed.
According to the researchers, victims who quit the fake app at that point would naturally not install the malware.
Fortunately, the malware can be removed with any anti-virus solution, though this should be done urgently after infection.
» SPAMfighter News - 04-12-2017