Security researchers from Malwarebytes Labs found that cyber criminals using fake Symantec blog website to spread Proton malware against macOS users. On the fake website, the attackers published an “analysis” discussing the existence of a phony malware threat called CoinThief. They advised users to install “Symantec Malware Detector” to protect themselves against that malware. Actually, the download file was Proton malware designed to infect devices and steal victims’ data.
The malware is being promoted via “symantecblog.com”, which is a good match for the original Symantec blog, even copying the same content. The registration data for the domain seems to be legitimate, using the same name and address as the original Symantec website. The email address used to register the domain is dead.
According to the blog post by Malwarebytes Labs:
The fake site contains a blog post about a supposed new version of CoinThief, a piece of malware from 2014. The fake post claims that a new variant of CoinThief has been spotted. In fact, as far as I’ve been able to determine, this is a made-up story, and no such new variant of CoinThief actually exists.
Users who downloaded and installed the malware on their Mac devices might be under real threat since Proton malware can gain root-access privileges and enable an attacker to gain complete control over the targeted device.
