Hackers are selling the malware all over the dark web.
Hackers are now selling malware for Mac devices straight out on the dark web. They claim the malware is undetectable and provides hackers with the ability to take full control over MacOS devices by evading antivirus software.
Proton, as it has been named, the malware is a Remote Administration Tool that is currently being sold over Russian cybercrime message boards.
Discovered by Sixgill, a cyber intelligence company that is known for its work in detecting cyber attacks and sensitive data leaks originating from the Dark Web, Proton had an initial selling price of 100 BTC which, at current Bitcoin prices, makes it worth more than $100,000, but it is now being sold at around 40 BTC with unlimited installations. If the hacker only wants to install it on a single Mac, he’d only have to pay 2 BTC.
Full control in one malware
The malware allows attackers to take full control of the targeted device, including keylogging, webcam/screen surveillance, file uploadings, downloads, and more. Hackers get notified every time data is entered on the infected device.
“Proton can present a custom native window requesting information such as a credit card, driver’s license and more. The malware also boasts the capability of iClloud access, even with 2FA enabled,” Sixgill notes in a blog post.
Proton is a real threat against Mac OS since hackers are selling this malware with genuine Apple code-signing signatures, indicating a sophisticated attack.
“The author of Proton RAT somehow got through the rigorous filtration process Apple places on MAC OS developers of third-party software, and obtained genuine certifications for his program. Sixgill evaluates that the malware developer has managed to falsify registration to the Apple Developer ID Program or used stolen developer credentials for the purpose,” reads the report.
It looks like an unpatched 0-day vulnerability allows the malware to gain root privileges. It is suspected that the author of the malware holds information about this 0-day vulnerability and did not share it with the folks over at Apple.
“At 40 Bitcoin (50000USD) for unlimited installs, and far more for access to the source code – this is still an expensive rat. Particularly considering RATs for MacOS are now available for free. It’s likely this pricing is intended to limit the distribution – and so detection by security vendors,” AlienVault Security Researcher Chris Doman told Softpedia. “Whilst Proton is marketed on DarkWeb forums – it also has promotional Youtube videos and a (now down) public website. It may have attracted more attention than the malware author was hoping.”