
Mac Malware Proton pretends to be a "Symantec Malware Detector"

The malware disguises itself as a malware detection tool.
Disguised as a malware detection tool, the Mac Trojan was distributed through a purported Symantec blog. A hoax spread over social networks was meant to lure users into installing it.



The Mac malware Proton continues to cause trouble. The malware, previously delivered through popular Mac software such as Handbrake and Elmedia Player, is using a new infection path: it disguises itself as the fictitious security software "Symantec Malware Detector", which was offered for download via a fake blog of the antivirus company Symantec, security researchers warn.

Fake Mac system dialog prompts for password entry
To lure users into installing it, a false report about a new version of the Bitcoin-hijacking Mac malware CoinThief was published on the purported Symantec blog and shared as a link on social networks. A domain used for this is currently no longer available.

To perform a "check" of the Mac, the alleged "Symantec Malware Detector" displays a fake macOS system dialog asking for the user's password. If the user enters the password, the Proton Trojan is installed. The malware is reportedly signed, so Gatekeeper, the protection built into Apple's macOS, did not intervene.

Proton also goes after the user's passwords
The Trojan collects information about the infected Mac, takes screenshots, reads the browser history and tries to use the entered password to read the keychain, thereby gaining access to the user's stored credentials. Proton apparently also collects databases of the password manager 1Password. However, these are protected by their own password; if the user has not stored it in the keychain or elsewhere on the Mac, the attacker should theoretically not be able to decrypt them.