Proton malware is being sold for nearly £42,000
Proton malware is being sold for nearly £42,000

Cyber-criminals have been spotted offering the use of Proton malware for the Mac OS. Intelligence company, Sixgill discovered the advertisement of the malware on Russian message boards popular with cyber-criminals, going for 40 bitcoin.

Its vendors bill the malware as a “professional FUD (Fully undetectable) surveillance and control with which you can do almost everything with (your) target's Mac”.  The vendors have also claimed that Proton has yet to be detected by any antivirus for Mac OS.

Researchers confirmed in Sixgill's threat report that as a Remote Access Trojan, it allows “an attacker to obtain full control of the victim's computer”. It includes the ability to log keys, hijack webcams and take screenshots as well as create custom native windows requesting information from the victim.

The report notes that perhaps its most deadly quality is that it uses real Apple code-signing certificates. This means, add the authors, that Proton creators have managed to falsify Apple Developer ID Program registration or used stolen credentials. Its this edge that might contribute to the vendors labelling their product “fully undetectable”.

Though the price was originally put at 100 bitcoin (£104,770), before being lowered to its current 40 bitcoin (£41,908), it still an expensive piece. “Particularly considering RATs for MacOS are now available for free. It's likely this pricing is intended to limit the distribution - and so detection by security vendors”, Chris Doman, security researcher at AlienVault told SC Media UK.

The malware has received a good deal of attention, partly of its vendors doing. A public website for the malware advertised it as a legitimate tool for companies to surveil their workforce and parents to protect their children. A Youtube video (below) advertises the malware as a “complete macOS solution for remote control and surveillance”.

 

Doman added, “Whilst Proton is marketed on DarkWeb forums – it also has promotional Youtube videos and a (now down) public website. It may have attracted more attention than the malware author was hoping.”