ProtonRAT – A NEW MULTI OS RAT

The real threat behind the software is this: The malware is shipped with genuine Apple code-signing signatures. This means the author of Proton RAT somehow got through the rigorous filtration process Apple places on MAC OS developers of third-party software and obtained genuine certifications for his program. Sixgill evaluates that the malware developer has managed to falsify registration to the Apple Developer ID Program or used stolen developer credentials for the purpose. Sixgill also believes that gaining root privileges on MAC OS is only possible by employing a previously unpatched 0-day vulnerability, which is suspected to be in possession of the author. Proton’s users then perform the necessary action of masquerading the malicious app as a genuine one, including a custom icon and name. The victim is then tricked into downloading and installing Proton.

CAPABILITIES

The malware in native Objective C, the advantage is that the malware does not require any dependencies. The author also claims the app is fully-undetected by any existing MAC OS anti-viruses currently in the market. He then continues to mention a comprehensive list of capabilities:

• Execute any bash command under root
• Monitor keystrokes (we even have tariff allowing to log passwords)
• Get notified each time your clients enters something
• Upload files to remote machine
• Download files from remote machine
• Connect directly via SSH/VNC to remote machine
• Get screenshots/webcam shots
• Satisfy gatekeeper bu choosing signed bundle
• Develop your own panel/program, bundle with our extensive API
• Get updates on the air
• and much more…