February 12, 2017, by Cybersixgill

Proton - A New macOS RAT

BACKGROUND - THE CASE OF THE PROTON MALWARE

Sixgill researchers have encountered a post in one of the leading closed Russian-language cybercrime forums. The author of the thread announced a RAT dubbed Proton, intended for installation exclusively on macOS devices, and offered it for sale in one of the leading underground cybercrime markets. This report summarizes what is known about the malware.

CAPABILITIES OF THE PROTON MALWARE

The author claims to have written the malware in native Objective-C, the advantage being that it requires no external dependencies. The author also claims the app is fully undetected by any macOS anti-virus product currently on the market. He then goes on to list a comprehensive set of capabilities:

Figure 1: Proton’s ad as published in a major cybercrime marketplace.

According to the ad, the malware runs with root privileges and gives the attacker full control of the victim’s computer. Its advertised capabilities include: real-time console command execution and a file manager, keylogging, SSH/VNC connectivity, screenshots, webcam operation, and the ability to present a custom native window requesting information such as credit-card or driver’s-license details. The malware also boasts iCloud access, even when two-factor authentication is enabled.

The real threat behind the software is this: the malware is shipped signed with a genuine Apple-issued code-signing certificate. This means the author of Proton RAT somehow obtained a valid Developer ID certificate, the credential Apple issues to registered third-party developers and the one Gatekeeper accepts under its default “App Store and identified developers” setting. Cybersixgill evaluates that the malware developer either registered for the Apple Developer ID Program under a false identity or used stolen developer credentials. Two caveats apply: a Developer ID signature attests only to the identity of the certificate holder, not to any review of the code by Apple, and Apple can revoke the certificate once the abuse is known, after which Gatekeeper rejects the app. Cybersixgill also believes that gaining root privileges on macOS without any user interaction would require a previously unpatched 0-day vulnerability, which the author is suspected of possessing; the far more common route, however, is simply to prompt the victim for an administrator password, which needs no vulnerability at all. Proton’s users then masquerade the malicious app as a genuine one, including a custom icon and name, and the victim is tricked into downloading and installing it.
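A “signed by Apple” claim should be checked rather than taken on trust. The script below is an added example written for this report, not code from the Proton author or from Cybersixgill: it summarizes the signing identity that codesign(1) reports for an app bundle (leaf authority, Team ID, whether the leaf is a Developer ID Application certificate) and, on a real macOS host, also runs the signature verification and Gatekeeper’s own assessment. The codesign output embedded as sample data is constructed for illustration; the bundle path, identifier, company name and Team ID in it are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a macOS code signature.
# codesign(1) writes its -dv output to stderr, hence the 2>&1 redirections below.

# Read "codesign -dv --verbose=4" output on stdin and print one summary line.
# Distinguishes a Developer ID chain, an ad-hoc (certificate-less) signature,
# and a completely unsigned binary.
sig_summary() {
    awk '
        /^Identifier=/     { id = substr($0, index($0, "=") + 1) }
        /^TeamIdentifier=/ { team = substr($0, index($0, "=") + 1) }
        /^Signature=adhoc/ { adhoc = 1 }
        /^Authority=/      { auth[++n] = substr($0, index($0, "=") + 1) }
        /code object is not signed at all/ { unsigned = 1 }
        END {
            if (unsigned || (n == 0 && !adhoc)) { print "unsigned"; exit }
            # auth[1] is the leaf certificate; the rest is the chain up to Apple Root CA
            if (n == 0) { leaf = "adhoc (no certificate chain)" } else { leaf = auth[1] }
            devid = (leaf ~ /^Developer ID Application:/) ? "yes" : "no"
            if (team == "") team = "not set"
            printf "identifier=%s team=%s developer_id=%s leaf=%s\n", id, team, devid, leaf
        }'
}

# On a macOS host: verify the seal, summarise the identity, ask Gatekeeper.
# A Developer ID signature passes the default spctl policy until Apple revokes
# the certificate, so a "pass" here says nothing about the code being benign.
check_bundle() {
    bundle="$1"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available on this host" >&2
        return 2
    fi
    codesign --verify --deep --strict "$bundle" 2>&1 || { echo "signature INVALID for $bundle"; return 1; }
    codesign -dv --verbose=4 "$bundle" 2>&1 | sig_summary
    spctl --assess --type execute -v "$bundle" 2>&1
}

# Constructed sample: codesign output for a Developer ID signed bundle
# (hypothetical identifier, company and Team ID).
SAMPLE_DEVID='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=42'

# Constructed sample: ad-hoc signed bundle, no certificate chain at all.
SAMPLE_ADHOC='Executable=/tmp/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x2(adhoc) hashes=30+5 location=embedded
Signature=adhoc
TeamIdentifier=not set'

# Constructed sample: what codesign prints for an unsigned binary.
SAMPLE_UNSIGNED='/tmp/Example.app: code object is not signed at all'

summary_devid()    { printf '%s\n' "$SAMPLE_DEVID"    | sig_summary; }
summary_adhoc()    { printf '%s\n' "$SAMPLE_ADHOC"    | sig_summary; }
summary_unsigned() { printf '%s\n' "$SAMPLE_UNSIGNED" | sig_summary; }

# Usage: check_bundle /Applications/Suspect.app   (macOS only)
summary_devid
summary_adhoc
summary_unsigned
```

The Team ID printed on the summary line is the value to pivot on: the same Developer ID certificate reused across several unrelated “trojanized” apps is a stronger signal than any single signature, and it is what Apple revokes.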

The purchase process takes place on a dedicated website, which includes promotional material for the malware, a login system, and a way to pay for the product.

Figure 2: The official website for Proton

Ever the cynics, fraudsters keep finding new ways of advertising their malware under the premise of legitimate cover stories. Proton’s website is no different:

Figure 3: Product description, found on Proton’s official website

A short video demonstrating the installation process for Proton was uploaded to YouTube.

PRICING OF THE PROTON MALWARE

At first, the asking price for the product was extremely steep (~100 BTC, roughly $100,000 at the time), but after criticism from his peers the prices were lowered significantly. A version with unlimited installations costs ~40 BTC, while a license to install on a single machine, with genuine Apple certification, would set a cybercriminal back only 2 BTC.
