February 12, 2017by Cybersixgill

Proton - A New MAC OS RAT


Sixgill researchers have encountered a post in one of the leading, closed Russian cybercrime message boards. The author of the thread announced a RAT dubbed Proton, intended for installation exclusively on MAC OS devices. The author offered this product in one of the leading underground cybercrime markets. This report contains information about the malware.

CAPABILITIES OF THE PROTON MALWAREThe author claims to have written the malware in native Objective C, the advantage being that the malware does not require any dependencies. The author also claims the app is fully-undetected by any existing MAC OS anti-viruses currently in the market. He then continues to mention a comprehensive list of capabilities:

Figure 1: Proton’s ad as published in a major cybercrime marketplace.

The malware includes root-access privileges and features allowing an attacker to obtain full control of the victim’s computer. Its capabilities include: running real-time console commands and file-manager, keylogging, SSH/VNC connectivity, screenshots, webcam operation and the ability to present a custom native window requesting information such as a credit-card, driver’s license and more. The malware also boasts the capability of iCloud access, even when two-factor authentication is enabled.

The real threat behind the software is this: The malware is shipped with genuine Apple code-signing signatures. This means the author of Proton RAT somehow got through the rigorous filtration process Apple places on MAC OS developers of third-party software, and obtained genuine certifications for his program. Cybersixgill evaluates that the malware developer has managed to falsify registration to the Apple Developer ID Program or used stolen developer credentials for the purpose. Cybersixgill also believes that gaining root privileges on MAC OS is only possible by employing a previously unpatched 0-day vulnerability, which is suspected to be in possession of the author. Proton’s users then perform the necessary action of masquerading the malicious app as a genuine one, including a custom icon and name. The victim is then tricked into downloading and installing Proton.

The purchase process occurs on a dedicated website. The website includes some promotional material related to the malware, a login system and the possibility to pay for the product.

Figure 2: The official website for Proton

Ever the cynics, fraudsters keep finding new ways of advertising their malware under the premise of legitimate cover stories. Proton’s website is no different:

Figure 3: Product description, found in Proton’s official websiteA short video demonstrating the installation process for Proton was uploaded to YouTube.


At first, the asking price for the product was extremely steep (~100BTC, equivalent to roughly $100,000), but after meeting critique from his peers, the prices were significantly lowered. A version with unlimited installations costs ~40BTC, while a license to install on a single PC with genuine apple certifications would set a cybercriminal back only 2BTC.

You may also like


June 01, 2023

How to combat credential stuffers

Read more
Analyst looking at multiple monitors

May 31, 2023

Underground chatter about malvertising is on the rise

Read more
CPO Gabi reisch

May 25, 2023

Cybersixgill generative AI sets a new industry standard for CTI

Read more