Signed with a genuine Apple-issued developer certificate, and reportedly evades antivirus software
News has emerged of yet another malware threat to Apple’s computers, this time in the form of a RAT (Remote Access Trojan) crafted to target macOS – and it has a major security sting in its tail.
The malware, which goes by the name of ‘Proton’, was discovered by security outfit Sixgill on an underground Russian cybercrime forum where malware authors sell their wares to other criminals on the dark web.
This particular little RAT is dangerous for two reasons. Firstly, there is the sheer range of nefarious tricks it can pull off on the victim’s machine. Secondly, it ships signed with a genuine developer certificate issued by Apple, and its author claims the Trojan is undetectable by current macOS antivirus software (a claim that has not been independently verified, but is worrying if true).
On the second point, Sixgill explains that the author must somehow have got through the vetting Apple applies to macOS developers, possibly by using stolen developer credentials or by registering for the developer program under false pretences.
The net result is that the malware carries a valid code signature chained to an Apple-issued developer certificate. Gatekeeper treats such a signature as coming from an identified developer, which lends the Trojan legitimacy it has not earned: the signature proves only that Apple issued the certificate, not that the code is benign.
Cybercriminals using the malware will still have to tuck it away in an installer (for a legitimate-sounding program) and trick the user into firing it up. As ever, it pays to be cautious about anything you’re installing on your computer.
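Because the signing question is the crux here, an added example follows of how to check what an app on macOS is actually signed with. This is an illustrative script written for this article, not code from the original piece, from Sixgill, or from the malware; it assumes a macOS host with the standard `codesign` and `spctl` tools, and the sample signature text used below is constructed. The point it makes is the caveat above: a signature from an enrolled developer passes every step of this check until Apple revokes the certificate.

```shell
#!/bin/sh
# Added example (not from the article or from Sixgill): inspect an app's code
# signature on macOS and surface the caveat that a valid Developer ID signature
# only proves Apple issued the certificate, not that the code is trustworthy.
#
# Assumptions: macOS with `codesign` and `spctl` present; the argument is any
# .app bundle or Mach-O binary you want to check.

# Summarise the leaf signer and Team ID from `codesign -dvvv` output read on stdin.
# Output format: kind|leaf-certificate-name|TeamIdentifier
# kind is "developer-id" (Gatekeeper-accepted identified developer), "app-store"
# (signed by Apple for the Mac App Store), or "other". Prints "unsigned" and
# returns 1 when no Authority line is present.
summarize_signature() {
    awk -F= '
        /^Authority=/ && leaf == "" { leaf = $2 }   # first Authority line is the leaf cert
        /^TeamIdentifier=/          { team = $2 }
        END {
            if (leaf == "") { print "unsigned"; exit 1 }
            if (leaf ~ /^Developer ID Application: /) kind = "developer-id"
            else if (leaf ~ /^Apple Mac OS Application Signing/) kind = "app-store"
            else kind = "other"
            printf "%s|%s|%s\n", kind, leaf, team
        }'
}

check_app() {
    app="$1"
    # Step 1: is the signature intact? --strict also rejects tampered or sloppy bundles.
    if ! codesign --verify --deep --strict --verbose=2 "$app" 2>&1; then
        echo "signature invalid or missing: $app"
        return 1
    fi
    # Step 2: who signed it? codesign writes its details to stderr, hence 2>&1.
    # "developer-id" means only that Apple issued the certificate to some enrolled
    # developer; a stolen or fraudulently obtained certificate, the scenario the
    # article describes, passes this step just the same.
    codesign -dvvv "$app" 2>&1 | summarize_signature
    # Step 3: Gatekeeper's own verdict. A Developer ID-signed app reports
    # "accepted" with "source=Developer ID" until Apple revokes the certificate.
    spctl --assess --type execute --verbose=4 "$app" 2>&1
}

# Usage: sh check_app.sh /Applications/Something.app
if [ -n "$1" ]; then
    check_app "$1"
fi
```

The useful output is the combination: a signer you have never heard of, plus "accepted" from Gatekeeper, is exactly the situation a Developer ID-signed Trojan creates, so the Team ID is worth comparing against the one the vendor publishes before trusting the verdict.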
Sixgill also reports that the malware exploits an unpatched (zero-day) vulnerability to gain root privileges on macOS.
Hatful of nastiness
As to what can be carried out on the victim’s machine once it’s compromised, that includes remote command execution, uploading and/or downloading files, logging key presses (to steal passwords), taking screenshots, compromising the webcam, and accessing iCloud accounts (even bypassing two-factor authentication).
A whole hatful of nastiness, in other words, and apparently the RAT can also display a custom window that asks the victim for details such as a credit card number.
Proton is currently being sold on the dark web for around 40 Bitcoins (£40,000, $50,000 or AU$65,000) for the version which allows unlimited installations (i.e. an unlimited number of victims).
Other recent threats to the Mac include the Xagent malware, a modular backdoor linked to Russian hacking outfit ‘Fancy Bear’, and the revelation that macro-based Word document attacks are now being aimed at Apple’s computers. No matter what desktop OS you’re running, security should always be a top priority.