Proton RAT v220.127.116.11
The real threat behind the software is this: The malware is shipped with genuine Apple code-signing signatures. This means the author of Proton RAT somehow got through the rigorous filtration process Apple places on MAC OS developers of third-party software and obtained genuine certifications for his program.
Sixgill evaluates that the malware developer has managed to falsify registration to the Apple Developer ID Program or used stolen developer credentials for the purpose. Sixgill also believes that gaining root privileges on MAC OS is only possible by employing a previously unpatched 0-day vulnerability, which is suspected to be in possession of the author. Proton’s users then perform the necessary action of masquerading the malicious app as a genuine one, including a custom icon and name. The victim is then tricked into downloading and installing Proton.
The malware in native Objective C, the advantage is that the malware does not require any dependencies. The author also claims the app is fully-undetected by any existing MAC OS anti-viruses currently in the market. He then continues to mention a comprehensive list of capabilities:
Execute any bash command under root
Monitor keystrokes (we even have tariff allowing to log passwords)
Get notified each time your clients enters something
Upload files to remote machine
Download files from remote machine
Connect directly via SSH/VNC to remote machine
Get screenshots/webcam shots
Satisfy gatekeeper bu choosing signed bundle
Develop your own panel/program, bundle with our extensive API
Get updates on the air
and much more…