OSX.Proton, a trojan specialized in stealing passwords, is making another round – and disguises itself quite cleverly.
The macOS trojan named OSX.Proton is spreading again, this time by a new route. As the Twitter account @noarfromspace warns, the malware is hidden behind a fake blog that is deceptively similar to that of the security-software vendor Symantec. Under symantecblog.com, all the content of the real corporate blog is mirrored, but the counterfeit can be recognized by a suspicious email address in the domain registration and by an SSL certificate issued by a third party.
Specifically, the attackers smuggle the malware in through a fake news report claiming that CoinThief, a piece of malware first seen in 2014, is making another round on the web. According to the fake report, it can be detected and neutralized with a "Symantec Malware Detector", which in fact contains OSX.Proton and installs the malware on the Mac with the user's cooperation. The link to the malware is now being spread by several Twitter accounts, fake and real; the real ones may have been compromised in an earlier Proton attack, since OSX.Proton is primarily after passwords of all kinds.
The malware first appeared at the end of October: after an attack on the FTP server of the software vendor Eltima, OSX.Proton had crept into the programs Elmedia Player and Folx. Eltima has since released clean versions again and, with Apple's help, secured its infrastructure against attacks. At the time, OSX.Proton caused damage because it used Eltima's legitimate developer certificate and could therefore be installed on the Mac even with Gatekeeper switched on. The new version likewise uses a valid certificate, with the identifier E224M7K47W, registered to a developer named Sverre Huseby. After the first launch of the app and a click on the "Check" button displayed beneath a Symantec logo, the installer asks for an admin password. Once that is entered, fate takes its course.
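As an added example (not from the article, nor code from Symantec, Eltima or anyone else it names), here is a small POSIX shell check a Mac administrator could run against an app bundle before launching it. It parses the output of `codesign -dvvv`, extracts the Developer ID Team Identifier and compares it with the identifier the article names. The `codesign` output embedded in the script is constructed for offline testing; the bundle paths, bundle identifier and the second Team ID in it are placeholders.

```shell
#!/bin/sh
# Added example: flag an app bundle whose Developer ID Team Identifier is on a
# blocklist. The only real entry is the Team ID the article names (E224M7K47W).
# Real use on macOS (codesign writes its details to stderr):
#   codesign -dvvv "/Applications/Some App.app" 2>&1 | flag_team_id

FLAGGED_TEAM_IDS="E224M7K47W"   # space-separated; extend as needed

# Reads codesign -dvvv output on stdin.
# Returns 0 if the Team ID is flagged, 1 if it is not, 2 if none was found
# (unsigned, ad-hoc signed, or an Apple-signed app showing "not set").
flag_team_id() {
    tid=$(sed -n 's/^TeamIdentifier=//p' | head -n 1)
    if [ -z "$tid" ] || [ "$tid" = "not set" ]; then
        echo "no Developer ID TeamIdentifier found"
        return 2
    fi
    for bad in $FLAGGED_TEAM_IDS; do
        if [ "$tid" = "$bad" ]; then
            echo "FLAGGED: TeamIdentifier=$tid"
            return 0
        fi
    done
    echo "ok: TeamIdentifier=$tid"
    return 1
}

# Constructed sample output in the format codesign -dvvv uses (placeholders).
SAMPLE_FLAGGED='Executable=/Applications/Symantec Malware Detector.app/Contents/MacOS/placeholder
Identifier=com.example.placeholder
Authority=Developer ID Application: Sverre Huseby (E224M7K47W)
TeamIdentifier=E224M7K47W'

SAMPLE_OK='Executable=/Applications/Placeholder.app/Contents/MacOS/placeholder
Identifier=com.example.other
Authority=Developer ID Application: Example Corp (ABCDE12345)
TeamIdentifier=ABCDE12345'

SAMPLE_UNSIGNED='Executable=/Applications/Placeholder.app/Contents/MacOS/placeholder
Identifier=com.example.unsigned'

# Stand-alone demonstration against the constructed samples.
printf '%s\n' "$SAMPLE_FLAGGED"  | flag_team_id || true
printf '%s\n' "$SAMPLE_OK"       | flag_team_id || true
printf '%s\n' "$SAMPLE_UNSIGNED" | flag_team_id || true
```

A matching Team ID is one indicator only: a valid Developer ID signature is exactly what let both Proton variants pass Gatekeeper, so the signature being valid says nothing about the intent of the binary, and a blocklist like this only covers identifiers already known. `codesign` itself exists only on macOS; the parsing function is what the constructed samples exercise.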