![]() ![]() This domain is most likely the Command & Control (C&C) server as it is pinged by the malware often. The registration date is also just a few days old. The registration details mention an address and the hosting is not one Symantec uses. Typing it in to a browser window will simply redirect to the fake Symantec website as it only accepts traffic on a specific port, but a lookup of the domain quickly reveals this is not a Symantec domain. However, a closer look at that domain shows this is also a fake. If a good firewall is used, you can see the malware even attempts to connect to symantecheurengine(.)com, which at first glance does not appear suspicious as the application specifically mentioned a heuristic engine during setup. When the fake scan completes, the all-clear is given and the application can be quit. Users will be presented with a scan in progress, which is, of course, also fake - Proton malware will install in the background. ![]() Once the password is entered, OSX/Proton.D has everything it needs to install. ![]() Those who download and run the fake antivirus are greeted with a window that sports the Symantec brand along with a small agreement notice.Ĭlicking the “Check” button will prompt for administrative login credentials. Intego VirusBarrier identifies and eradicates this new variant of Proton malware as OSX/Proton.D. The truth is there is no new version of “CoinThief” malware, and the recommended Symantec Malware Detector is nothing but a way to con Mac users into installing a new variant of OSX/Proton. “To scan the system for all traces of the malware and completely remove CoinThief from the preinstalled software you can use our free tool – Symantec Malware Detector.” ![]() The blog symantecblog(.)com is a professional looking clone of the real Symantec blog, and even has a post on it about a “new version” of CoinThief, a trojan from a few years ago. The trick post concludes with the following recommendation: Malware Watch Out! A Fake Antivirus Blog is Distributing Proton MalwareĪ new variant of OSX/Proton has been uncovered this week by malware researcher “noar” ( The previous iteration of Proton malware, discovered in October, had targeted Eltima, the makers of the Elmedia Player software. This time, OSX/Proton is being distributed as part of a fake antivirus scanner, named “Symantec Malware Detector,” found on a Symantec security blog that is equally fake. ![]()
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |