Hackers Selling Undetectable Mac OS Malware on Russian Cybercrime Forums
Cyber intelligence company Sixgill discovered a new malware threat for Mac devices selling on the dark web. The new malware is offered on one of the leading, closed Russian cybercrime message boards. Researchers classified the dubbed Proton Rat as a Remote Administration Tool, while the creator of the threat claims it is undetectable and allows attackers to take full control of the infected device. The malware is written in native Objective-C and all the functions that it offers are made possible through its ability to evade any anti-virus software currently available on the market.
The initial selling price of Proton on the dark web was as high as 10 BTC, which at the current exchange rate for Bitcoins could be not less than $100,000. It looks like sales did not take off at that price point, so subsequently, the hacker offered the malware at 40 BTC, also adding the possibility for unlimited installations. Additionally, there is the option to purchase only one license certificate to deploy Proton on one single Mac device, in which case the cost for the client will be only 2 BTC. The creator of Proton has set up a dedicated website on which the purchase of the malware is processed. On that website, potential clients can pay for the malware, but also find some promotional materials and a login system.
The author of Proton has provided an extensive list of all the capabilities that the new malware has. It is supposed to be a "professional surveillance & control solution" with which his clients can do pretty much everything on the targeted Mac PC. The list shows the malware allows the attackers to take full control of the targeted computer as it includes root access privileges and features. Proton also has a keylogging function through which it can record every single keystroke the victim makes, giving thus hackers unauthorized access to all sorts of confidential information like passwords, usernames, credit card data and so on. Furthermore, Proton can operate webcams, manage files, execute real-time console commands, make screenshots. It also offers SSH/VNC connectivity and can display a customized native window requesting the victim to put in information like driver's license and credit card numbers, and much more.
The owners of the malware get a notification each time the victim enters data on the Mac device. The author of Proton even claims that the malware can get iCloud access even with enabled two-factor authentication.
The new threat is particularly dangerous as the purchasers of Proton can disguise the malware as a regular application on Apple store with a custom name and icon, and then trick potential victims into downloading and installing the app.
Proton comes with a genuine Apple certification, and researchers believe that this is only possible if its creator somehow managed to get through all the rigorous authorization procedures that developers of third-party software for Mac OS have to go through in order to get their program on the official Apple store. One possibility to achieve this is to use stolen developer credentials; the other is to falsify registration to the Apple Develop ID Program, all of these implying that the new malware threat should by no means be underestimated. Moreover, the researchers suspect that Proton's author exploits an unpatched 0-day vulnerability in Mac OS that Apple is still not aware of since that is the only way to get root privileges on Mac devices. Without any doubt, this new malware looks capable of performing sophisticated attacks as users can hardly distinguish it from a legit Apple application.
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.