macOS Proton RAT strain with potential zero-day bug up for sale on the Dark Web

Researchers have found a new version of the Mac malware, which its seller says can give an attacker full control of a victim's Mac.
Written by Charlie Osborne, Contributing Writer

A new variant of the Mac Trojan Proton RAT has surfaced in the internet underground, advertised with the claim that it evades every Mac antivirus product.

According to security researchers from Sixgill, the new malware strain is being touted on popular Russian-language cybercrime forums as a way to compromise Macs for spying and theft.

The RAT, dubbed Proton, targets Apple Macs only. Written in native Objective-C, the malware is, according to the seller's advertisement, undetected by existing Mac antivirus software and grants attackers full remote access to a victim's Mac.

Proton RAT is apparently capable of running real-time console commands and file manipulation, keylogging, SSH/VNC connectivity, screenshot capture, webcam operation, and also has "the ability to present a custom native window requesting information such as a credit card, driver's license and more," according to the team.

"The malware also boasts the capability of iCloud access, even when two-factor authentication is enabled," Sixgill says.


A screenshot of the forum post marketing the Trojan.

Of this long list of dangerous capabilities, the one Sixgill singles out as the real threat is that the malware ships with a genuine Apple code-signing signature.

If this proves to be true, the developer of Proton RAT has slipped past the vetting Apple imposes on third-party developers of Mac software and obtained a genuine Developer ID certificate for the malicious code. A valid Developer ID signature is exactly what Gatekeeper checks before letting a downloaded app run, so a signed RAT is waved through like any legitimately signed app.

According to the security team, the malware developer may have slipped through the net by falsifying a registration with the Apple Developer ID Program, or may be using stolen developer credentials.
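The practical consequence of the code-signing point above is that "signed" is not "safe": Gatekeeper asks only whether an intact Developer ID chain is present, so an analyst examining a suspicious app should pin the signer's Team ID rather than stop at "signature valid". The bash script below is an added example, not code from the article, ZDNet or Sixgill. It parses the text that `codesign -dv --verbose=4` prints for a bundle and accepts the app only when the chain runs through a Developer ID Application certificate to Apple Root CA and the TeamIdentifier matches the team you expect. The sample dumps, the bundle Foo.app, the identifier com.example.foo and the team IDs ABCDE12345 and ZZZZZ99999 are constructed for the example; the line layout is that of codesign's real output.

```shell
#!/usr/bin/env bash
# Added example (not from the article or Sixgill): pin the signer of a macOS app.
# Gatekeeper only asks "is there an intact Developer ID chain?"; a RAT that ships
# with a real Developer ID certificate passes that test. The check below also
# demands a specific Team ID, which a certificate from another (stolen or
# fraudulently registered) account will not carry.

# check_signer <expected_team_id>
#   Reads the text printed by `codesign -dv --verbose=4 <bundle>` on stdin.
#   Returns 0 if signed by a Developer ID certificate with the expected Team ID,
#   1 if signed by a different team, 2 if unsigned/ad hoc/no Developer ID chain.
check_signer() {
    local expected="$1" dump team devid=0 root=0
    dump=$(cat)
    team=$(printf '%s\n' "$dump" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    printf '%s\n' "$dump" | grep -q '^Authority=Developer ID Application:' && devid=1
    printf '%s\n' "$dump" | grep -q '^Authority=Apple Root CA$' && root=1

    if [ "$devid" -ne 1 ] || [ "$root" -ne 1 ] || [ -z "$team" ] || [ "$team" = "not set" ]; then
        echo "UNTRUSTED: no Developer ID chain anchored at Apple Root CA"
        return 2
    fi
    if [ "$team" != "$expected" ]; then
        echo "UNTRUSTED: Developer ID signature, but from team $team (expected $expected)"
        return 1
    fi
    echo "OK: Developer ID signature from expected team $team"
    return 0
}

# inspect_app <bundle> <expected_team_id>: run the real tool (macOS only) and
# feed its dump to check_signer. codesign writes the dump to stderr.
inspect_app() {
    codesign -dv --verbose=4 "$1" 2>&1 | check_signer "$2"
}

# Constructed sample dumps so the check can be exercised off-box. Foo.app,
# com.example.foo and both team IDs are made up; the line layout matches codesign.
SAMPLE_EXPECTED_TEAM='Executable=/Applications/Foo.app/Contents/MacOS/Foo
Identifier=com.example.foo
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=284 flags=0x0(none) hashes=4+3 location=embedded
Signature size=8964
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Mar 2017 at 10:00:00
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=12 files=3'

# Same bundle re-signed by a different Developer ID account: Gatekeeper is
# satisfied, the Team ID pin is not.
SAMPLE_OTHER_TEAM=$(printf '%s\n' "$SAMPLE_EXPECTED_TEAM" \
    | sed -e 's/Example Corp (ABCDE12345)/Totally Legit Monitoring (ZZZZZ99999)/' \
          -e 's/^TeamIdentifier=.*/TeamIdentifier=ZZZZZ99999/')

# Ad hoc signature: no certificate chain at all.
SAMPLE_ADHOC='Executable=/Applications/Foo.app/Contents/MacOS/Foo
Identifier=com.example.foo
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=284 flags=0x2(adhoc) hashes=4+3 location=embedded
Signature=adhoc
Info.plist entries=12
TeamIdentifier=not set'

# Stand-alone demonstration against the three constructed dumps.
printf '%s\n' "$SAMPLE_EXPECTED_TEAM" | check_signer ABCDE12345 || true
printf '%s\n' "$SAMPLE_OTHER_TEAM"    | check_signer ABCDE12345 || true
printf '%s\n' "$SAMPLE_ADHOC"         | check_signer ABCDE12345 || true
```

On a real Mac, `inspect_app /Applications/Foo.app ABCDE12345` runs the check against the live bundle. Pair it with `spctl --assess --type execute -vv /Applications/Foo.app`, which asks Gatekeeper directly and therefore also reflects any revocation Apple has pushed for the certificate; the Team ID pin covers the case the article describes, where the certificate is genuine and not (yet) revoked but belongs to an account that should never have signed this app.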

"Sixgill also believes that gaining root privileges on MAC OS is only possible by employing a previously unpatched 0-day vulnerability, which is suspected to be in possession of the author," the researchers say.

To get onto a Mac, Proton operators disguise the app as legitimate software; once the victim downloads and installs it, the malware goes to work. Proton RAT is typically marketed as legitimate monitoring software, pitched at companies that want to watch employee devices, parents who want to keep an eye on their children's online activity, or spouses looking to catch a cheating partner.

In the past, Proton RAT was priced at a steep $100,000. An unlimited-install version now costs under 40 Bitcoin, roughly $50,000 at the time of writing, and a license to install the malware on a single system costs only 2 BTC, or roughly $2,500.

In January, researchers from Malwarebytes revealed that the Quimitchin malware strain, built from decades-old code, was being used in campaigns against biomedical facilities.

ZDNet has reached out to Apple and will update if we hear back.
