Proton Malware

The Proton Malware (aka OSX/Proton) is a Mac malware that possesses potent data-collecting capabilities. The Proton Malware is classified as a backdoor Trojan and has had several campaigns dedicated to its distribution. The first attempt to collect sensitive information is when OSX/Proton, masquerading as a legitimate installer, displays a pop-up window asking for the Mac profile's username and password in use. If the needed information is provided, the Proton Malware can start executing its threatening programming in earnest.

First, a backdoor is created back through the files /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist and /Library/.rand/updateragent.application. A number of commands can then be activated by the Command-and-Control (C2) server operated by the hackers. The Proton Malware can create, copy, delete, and download files on the infected machine, as well as upload files to its C2 infrastructure.

Numerous systems and personal details can be accessed by OSX/Proton. The Proton Malware can obtain the infected machine's hardware serial number, hostname, full name of the user, gateway details, browser information from several of the most popular browser - Chrome, Firefox, Safari and Opera. Cryptocurrency wallet addresses for Electrum, Bitcoin, and Armory also can be exfiltrated. Passwords and log-in credentials can be extracted from Keychain Access and 1Password password managers or the GNU Privacy Guard (GPG) cryptographic software suite.

The Proton Malware leaves the user's passwords in clear text format in several files dropped on the compromised machine:

• ~/.calisto/cred.dat
• ~/Library/VideoFrameworks/.crd
• /Library/.cachedir/.crd

If the files are not deleted specifically, any future infection could exploit the details in them to escalate its permissions and expand its functionality.

Numerous Campaigns Carried OSX/Proton as Payload

Cybersecurity experts have observed quite a few campaigns dedicated to distributing OSX/Proton. It was first detected in the wild when the DVD-ripping application HandBrake was hacked. The legitimate installer file was substituted with a compromised one on the application's official website to be downloaded by the unsuspecting visitors. A similar tactic was employed in another campaign when the Eltima Media site was hacked and two of their products - Elmedia Player and Folx, were modified and began dropping the Proton Malware. The cybercriminals then set up a fake Symantec website that pushed a fake Symantec application that contained OSX/Proton.

Currently, this malware is considered to be inactive. Advancements in malware prevention started disrupting its functionality on a core level resulting in its C2 servers being taken offline.