Proton
Proton is a Remote Access Tool (RAT) for macOS. It was first advertised as a service on a Russian cybercrime forum, and later variants of the malware were seen spreading in different ways.
Source: SIXGILL
Over time, researchers have discovered different applications carrying the Proton malware. One was a fake “Symantec Malware Detector”; another was an installer package of the “Elmedia Player” application that had been repackaged with the malware.
Source: Malwarebytes
The malware displays a prompt asking the user for their credentials in order to gain root privileges on the infected machine. For persistence, it creates a LaunchAgent so that it is started again after a reboot. The malware supports a wide range of commands, including:
- Keylogging
- Password and data stealing
- Remote access
- Copy/create/delete files on the infected machine
- Download, upload and execute files
- More…
Source: CheckPoint
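Because the persistence mechanism described above is a LaunchAgent, a defender's first check on a suspected host is to audit the LaunchAgent directories for jobs that start at login and run their program from an unusual place. The following script is an added example, not code from this page or from any of the cited reports; the "user-writable location" and hidden-directory heuristics are assumptions of this example, and the two plists are constructed samples rather than real Proton artifacts.

```python
import plistlib
from pathlib import Path

# Directories launchd loads per-user and system-wide LaunchAgents from.
LAUNCH_AGENT_DIRS = [Path.home() / "Library" / "LaunchAgents", Path("/Library/LaunchAgents")]
# Heuristic chosen for this example (an assumption): legitimate agents rarely
# run their program from these user-writable locations.
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

# Constructed sample plists for the demonstration, not real Proton artifacts.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/.hidden/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.noop</string>
  <key>Program</key><string>/usr/bin/true</string>
</dict></plist>"""

def audit_plist(data):
    """Summarise one LaunchAgent plist and list traits typical of malware persistence."""
    plist = plistlib.loads(data)
    # Program takes precedence over ProgramArguments[0] as the executable launchd runs.
    program = plist.get("Program") or (plist.get("ProgramArguments") or [None])[0]
    findings = []
    if plist.get("RunAtLoad"):
        findings.append("starts automatically at login (RunAtLoad)")
    if plist.get("KeepAlive"):
        findings.append("relaunched whenever it exits (KeepAlive)")
    if program and program.startswith(SUSPECT_PREFIXES):
        findings.append("program lives in a user-writable location: " + program)
    if program and any(part.startswith(".") for part in Path(program).parts):
        findings.append("program path contains a hidden directory: " + program)
    return {"label": plist.get("Label"), "program": program, "findings": findings}

def audit_dirs(dirs=LAUNCH_AGENT_DIRS):
    """Audit every .plist in the given directories, skipping unreadable or malformed files."""
    results = []
    for d in dirs:
        for p in sorted(Path(d).glob("*.plist")):
            try:
                results.append({"file": str(p), **audit_plist(p.read_bytes())})
            except Exception:  # unreadable file or malformed plist
                continue
    return results
```

Running `audit_dirs()` on a Mac lists every agent; entries whose `findings` list is non-empty deserve a closer look, and the program path can then be hashed and compared against the samples listed at the bottom of this page.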
For more details about Proton and its variants, see the links below.
Links:
- PROTON – A NEW MAC OS RAT
- HandBrake Hacked! - osx/proton (re)appears
- PROTON.B: WHAT THIS MAC MALWARE ACTUALLY DOES
- OSX/Proton spreading again through supply-chain attack
- OSX.Proton spreading through fake Symantec blog
- OSX/Proton Malware is Back! Here’s What Mac Users Need to Know
Samples:
0935a43ca90c6c419a49e4f8f1d75e68cd70b274
8cfa551d15320f0157ece3bdf30b1c62765a93a5