February 12, 2017by Cybersixgill

Proton - A New MAC OS RAT


Sixgill researchers have encountered a post in one of the leading, closed Russian cybercrime message boards. The author of the thread announced a RAT dubbed Proton, intended for installation exclusively on MAC OS devices. The author offered this product in one of the leading underground cybercrime markets. This report contains information about the malware.

CAPABILITIES OF THE PROTON MALWAREThe author claims to have written the malware in native Objective C, the advantage being that the malware does not require any dependencies. The author also claims the app is fully-undetected by any existing MAC OS anti-viruses currently in the market. He then continues to mention a comprehensive list of capabilities:

Figure 1: Proton’s ad as published in a major cybercrime marketplace.

The malware includes root-access privileges and features allowing an attacker to obtain full control of the victim’s computer. Its capabilities include: running real-time console commands and file-manager, keylogging, SSH/VNC connectivity, screenshots, webcam operation and the ability to present a custom native window requesting information such as a credit-card, driver’s license and more. The malware also boasts the capability of iCloud access, even when two-factor authentication is enabled.

The real threat behind the software is this: The malware is shipped with genuine Apple code-signing signatures. This means the author of Proton RAT somehow got through the rigorous filtration process Apple places on MAC OS developers of third-party software, and obtained genuine certifications for his program. Cybersixgill evaluates that the malware developer has managed to falsify registration to the Apple Developer ID Program or used stolen developer credentials for the purpose. Cybersixgill also believes that gaining root privileges on MAC OS is only possible by employing a previously unpatched 0-day vulnerability, which is suspected to be in possession of the author. Proton’s users then perform the necessary action of masquerading the malicious app as a genuine one, including a custom icon and name. The victim is then tricked into downloading and installing Proton.

The purchase process occurs on a dedicated website. The website includes some promotional material related to the malware, a login system and the possibility to pay for the product.

Figure 2: The official website for Proton

Ever the cynics, fraudsters keep finding new ways of advertising their malware under the premise of legitimate cover stories. Proton’s website is no different:

Figure 3: Product description, found in Proton’s official websiteA short video demonstrating the installation process for Proton was uploaded to YouTube.


At first, the asking price for the product was extremely steep (~100BTC, equivalent to roughly $100,000), but after meeting critique from his peers, the prices were significantly lowered. A version with unlimited installations costs ~40BTC, while a license to install on a single PC with genuine apple certifications would set a cybercriminal back only 2BTC.

You may also like

View from the entrance of a tunnel with tracks extending towards a futuristic, dystopian cityscape.

April 19, 2024

Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware

Read more
SOTU-Ransomware blog thumbnail

April 17, 2024

State of the Underground 2024: Two ways to guard against the ongoing threat of ransomware

Read more
Access for Sale Blog-Thumbnail

April 16, 2024

Cybersixgill’s Access Currently for Sale - high-value intelligence just got even better

Read more