Proton is a Remote Access Tool (RAT) for macOS. It was first advertised as a service on a Russian cybercrime forum, and later variants of the malware were seen spreading in several different ways.
Over time, researchers have found several applications carrying the Proton malware. One was a fake “Symantec Malware Detector”; another was a repackaged copy of the “Elmedia Player” application that had been bundled with the malware.
The malware pops up a dialog asking the user for credentials in order to gain root privileges on the infected machine. For persistence it creates a LaunchAgent so that it starts again after a reboot. The malware supports a wide range of commands, such as:
- Keylogging
- Password and data stealing
- Remote access
- Copy/create/delete files on the infected machine
- Download, upload and execute files
- More…
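The LaunchAgent persistence described above is something a defender can audit on a Mac. The script below is an added example, not code from this page or from any of the linked analyses: it parses LaunchAgent property lists with Python's standard plistlib and flags entries whose program lives outside the usual locations, that restart themselves (RunAtLoad plus KeepAlive), or that use an Apple-looking label for a non-Apple binary. The two embedded plists are constructed for illustration; their labels and paths are assumptions and are not Proton's actual artifacts.

```python
import plistlib
from pathlib import Path
from typing import Dict, List, Optional

# Directories where a benign LaunchAgent's program is normally found.
# This allow-list is an assumption for the example, not an authoritative policy.
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/libexec/",
                    "/Applications/", "/Library/Apple/")


def program_of(agent: dict) -> Optional[str]:
    """Return the executable a LaunchAgent runs: Program, or the first ProgramArguments entry."""
    if "Program" in agent:
        return agent["Program"]
    args = agent.get("ProgramArguments")
    if isinstance(args, list) and args:
        return args[0]
    return None


def suspicious_reasons(agent: dict) -> List[str]:
    """Collect reasons a parsed LaunchAgent looks like user-level malware persistence."""
    reasons: List[str] = []
    program = program_of(agent)
    if program is None:
        return ["no Program or ProgramArguments key"]
    if not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted locations: {program}")
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive (relaunches after reboot and whenever it exits)")
    label = agent.get("Label", "")
    if label.startswith("com.apple.") and not program.startswith(("/System/", "/usr/", "/Library/Apple/")):
        reasons.append(f"Apple-looking label {label!r} but non-Apple program path")
    return reasons


def analyze(plist_bytes: bytes) -> List[str]:
    """Parse one plist (XML or binary) and return its list of findings; empty means nothing flagged."""
    return suspicious_reasons(plistlib.loads(plist_bytes))


def scan_directory(directory: Path) -> Dict[str, List[str]]:
    """Scan every *.plist in a LaunchAgents directory, e.g. Path.home() / 'Library/LaunchAgents'."""
    findings: Dict[str, List[str]] = {}
    for plist in sorted(directory.glob("*.plist")):
        try:
            findings[plist.name] = analyze(plist.read_bytes())
        except (plistlib.InvalidFileException, ValueError) as exc:
            findings[plist.name] = [f"unparseable plist: {exc}"]
    return findings


# Constructed sample: an agent with an Apple-looking label that launches a hidden binary in the
# user's home directory and keeps itself alive. Label and path are invented for this example.
SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/.hidden/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed sample: an ordinary helper installed by an application in /Applications.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/helper</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, data in (("suspicious.plist", SAMPLE_SUSPICIOUS), ("benign.plist", SAMPLE_BENIGN)):
        print(name, "->", analyze(data) or "nothing flagged")
    # On a real machine, point scan_directory at ~/Library/LaunchAgents and /Library/LaunchAgents.
```

The heuristics are deliberately simple: a program path outside the allow-list is only a lead, not a verdict, so in practice a finding should be followed by checking the binary's code signature and where the plist came from.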
For more details about Proton and its variants, see the links below.
- PROTON – A NEW MAC OS RAT
- HandBrake Hacked! - osx/proton (re)appears
- PROTON.B: WHAT THIS MAC MALWARE ACTUALLY DOES
- OSX/Proton spreading again through supply-chain attack
- OSX.Proton spreading through fake Symantec blog
- OSX/Proton Malware is Back! Here’s What Mac Users Need to Know