![\"Fake](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/11\/Fake-Symantec-Antivirus-Proton.D-Malware.png\")
<\/p>\n<\/p>\n
A\u00a0new variant of OSX\/Proton\u00a0has been uncovered this week by malware\u00a0researcher “noar” (@noarfromspace<\/a>). The previous iteration of Proton malware, discovered in\u00a0October<\/a>, had targeted Eltima, the makers of the Elmedia Player software.\u00a0This time, OSX\/Proton is being distributed as part of a fake antivirus\u00a0scanner, named “Symantec Malware Detector,” found on a Symantec\u00a0security blog that is equally fake.<\/p>\n The blog symantecblog(.)com is a professional looking\u00a0clone of the real Symantec blog, and even has a post on it about a “new version” of CoinThief, a trojan from a few years ago.\u00a0The trick post concludes with the following\u00a0recommendation:<\/p>\n “To scan the system for all traces of the malware and completely remove CoinThief from the preinstalled software you can use our free tool – Symantec Malware Detector.”<\/p><\/blockquote>\n The\u00a0truth is there\u00a0is no new version of “CoinThief” malware, and the recommended Symantec Malware Detector is nothing but a way to con Mac users into installing a new variant of OSX\/Proton. Intego VirusBarrier<\/a> identifies and eradicates this new variant of Proton\u00a0malware as OSX\/Proton.D<\/strong>.<\/p>\n Those who\u00a0download and run the fake antivirus\u00a0are greeted with a window that sports the Symantec brand along with\u00a0a small agreement notice.<\/p>\n Clicking the “Check” button will prompt for administrative login credentials. This prompt also looks genuine.<\/p>\n Once the password is entered, OSX\/Proton.D has everything it needs to install. Users will be presented with a scan in progress, which is, of course, also fake \u2014 Proton malware will install in the background.<\/p>\n When the fake scan completes, the all-clear is given and the application can be quit.<\/p>\n If a good firewall is used, you can see the malware even attempts to connect to symantecheurengine(.)com, which at first glance does not appear suspicious as the application specifically mentioned a heuristic engine during setup. However, a closer look at that domain shows this is also a fake. Typing it in to a browser window will simply redirect to the fake\u00a0Symantec website as it only accepts traffic on a specific port, but a lookup of the domain quickly reveals this is not a Symantec domain.<\/p>\n The registration details mention an @protonmail.com address and the hosting is not one Symantec uses. The registration date is also just a few days old.<\/p>\n This domain is most likely the Command & Control (C&C) server as it is pinged by the malware often.<\/p>\n The use of a protonmail email address is also observed when checking the registration of the symantecblog(.)com domain.<\/p>\n If a Mac user followed all of the above steps installing the malware,\u00a0OSX\/Proton.D will have\u00a0already collected several pieces of information and stored them in a hidden directory, waiting to be uploaded. Information gathered by OSX\/Proton includes:<\/p>\n And this is just what’s collected upon installation. With the administrator name and password available, the contents of the Mac Keychain can be accessed right away, which gives those behind this latest OSX\/Proton access to social media accounts, online banking and much more sites and services that have their info stored in the keychain.<\/p>\n It’s clear by now that OSX\/Proton is a successful backdoor, so we expect it will be used more in the future. What makes it successful is the way it’s distributed, not the malware itself (which is still pretty rudimentary in how it keeps itself active). By going after supply chains, like it did with Transmission<\/a> and Eltima<\/a>, and now through faking a legitimate security blog, malicious actors have found ways to get the malware onto more systems. Even those who\u00a0never download software from bad sources, never click suspicious pop-ups, and never click links in emails that look suspect can become infected.<\/p>\n Open Activity Monitor and search for a process named “xpcd.” If this process is running, your Mac is infected.<\/p>\n Click the process, and then close it with the X<\/strong> button in the menu bar.<\/p>\n To clear the infection off your Mac, browse to the following folders and trash the following files:<\/p>\n To manually check for the invisible files OSX\/Proton placed, first you need to make invisible files visible in the Finder. In macOS Sierra and High Sierra, this can quickly be done with the following key combination:<\/p>\n Command-Shift-. (period)<\/p><\/blockquote>\n For older OS X versions, this can be done by typing the following commands in the Terminal app:<\/p>\n When done, enter the same commands but change “true” to “false.”<\/p>\n With the hidden files now visible, check both the root library and the user library for these files:<\/p>\n With those files deleted, empty the trash and restart your Mac. Double-check the same locations again after the restart to ensure the infection is indeed cleared. If a warning shows that some items cannot be deleted, because they are in use, you’ll be able to empty the trash after the restart.<\/p>\n For Intego’s Mac anti-virus customers, protection comes in the form of updated malware definitions, which will detect and remove all of the Proton files. Proton components are detected by Intego VirusBarrier<\/a> as OSX\/Proton.D<\/strong>.<\/p>\n Running Mac\u00a0antivirus with up to date malware definitions is\u00a0always recommended. In this way,\u00a0malware can be caught before it even has a chance to install. The use of a good firewall is also highly recommended, because\u00a0newly discovered malware must be added to the product definitions before it’s able to find and eliminate the malware. While this is typically done within hours of a new malware discovery, there is always a small gap. A firewall does not require definition updates; after all, network traffic is network traffic.<\/p>\n Even if no antivirus product is used, a firewall will show you when an application or process attempts to phone home. This gives you time to research the information displayed and make an informed decision to allow or deny the connection. For example, here is what Intego NetBarrier<\/a>\u00a0users will see upon catching OSX\/Proton’s attempt to contact the fake domain:<\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" A\u00a0new variant of OSX\/Proton\u00a0has been uncovered this week by malware\u00a0researcher “noar” (@noarfromspace). The previous iteration of Proton malware, discovered in\u00a0October, had targeted Eltima, the makers of the Elmedia Player software.\u00a0This time, OSX\/Proton is being distributed as part of a fake antivirus\u00a0scanner, named “Symantec Malware Detector,” found on a Symantec\u00a0security blog that is equally fake. The […]<\/p>\n","protected":false},"author":79,"featured_media":72679,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190],"tags":[54,3784,3469,3787,3790],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\t\n\t\n\t\nHow does Proton malware install?<\/h3>\n
![\"fake](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/11\/1-SymantecMalwareDetectorStart.png\")
<\/p>\n![\"Symantec](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/11\/2-AdminCredentialsRequest.png\")
<\/p>\n![\"Fake](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/11\/3-FakeScan.png\")
<\/p>\n![\"Symantec](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/11\/4-AllClear.png\")
<\/p>\n![\"Fake](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/11\/7-Registrationinfo1.png\")
<\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/11\/8-Registrationinfo2.png\")
<\/p>\n![\"Fake](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/11\/9-Registrationinfo3.png\")
<\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/11\/10-Registrationinfo4.png\")
<\/p>\nWhat can OSX\/Proton.D do on infected Macs?<\/h3>\n
\n
![\"OSX\/Proton.D](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/11\/5-PartofDataCollected.png\")
<\/p>\nShould Mac users be concerned about Proton?<\/h3>\n
How to tell if your Mac is infected (and removal instructions)<\/h3>\n
![\"xpcd](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/11\/6-xpcdActivityMonitor.png\")
<\/p>\n\n
\n*It may also be in your Downloads folder or on your Desktop.<\/li>\n\n
$ defaults write com.apple.Finder AppleShowAllFiles true\r\n $ killall Finder<\/pre>\n<\/blockquote>\n
\n
How to protect yourself from Proton<\/h3>\n
![\"Intego](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/11\/11-NetBarrierAlert.png\")
<\/p>\n