Hackers are selling the malware all over the dark web

Mar 6, 2017 15:39 GMT  ·  By

Hackers are now openly selling malware for Mac computers on the dark web. They claim the malware is undetectable, evades antivirus software, and gives buyers full control over macOS devices.

The malware, named Proton, is a Remote Administration Tool (RAT) that is currently being sold on Russian cybercrime message boards.

Proton was discovered by Sixgill, a cyber intelligence company known for detecting cyber attacks and sensitive data leaks originating from the dark web. It had an initial asking price of 100 BTC, worth more than $100,000 at current Bitcoin prices, but it is now being sold for around 40 BTC with unlimited installations. A buyer who only wants to install it on a single Mac pays just 2 BTC.

Full control in one malware

The malware allows attackers to take full control of the targeted device, including keylogging, webcam and screen surveillance, file uploads and downloads, and more. Attackers are notified every time data is entered on the infected device.

“Proton can present a custom native window requesting information such as a credit card, driver's license and more. The malware also boasts the capability of iCloud access, even with 2FA enabled,” Sixgill notes in a blog post.

Proton is a real threat to macOS because the hackers are selling it signed with genuine Apple code-signing certificates, which indicates a sophisticated attack.

“The author of Proton RAT somehow got through the rigorous filtration process Apple places on MAC OS developers of third-party software, and obtained genuine certifications for his program. Sixgill evaluates that the malware developer has managed to falsify registration to the Apple Developer ID Program or used stolen developer credentials for the purpose,” reads the report.

It appears that an unpatched 0-day vulnerability allows the malware to gain root privileges. It is suspected that the author of the malware knows the details of this 0-day vulnerability and has not shared them with Apple.

“At 40 Bitcoin (50000USD) for unlimited installs, and far more for access to the source code - this is still an expensive RAT. Particularly considering RATs for MacOS are now available for free. It's likely this pricing is intended to limit the distribution - and so detection by security vendors,” AlienVault Security Researcher Chris Doman told Softpedia. “Whilst Proton is marketed on DarkWeb forums - it also has promotional YouTube videos and a (now down) public website. It may have attracted more attention than the malware author was hoping.”

Update: Adding commentary from Kyle Wilhoit, senior security researcher at DomainTools.

"This latest Mac malware shows that OSX, like all other targeted operating systems, is vulnerable to several types of attacks. One particularly nasty malware used by a group called APT 28 exfiltrates iPhone backups stored on a compromised Mac. While many people think that only targeted attacks use Macintosh malware, that's not true. Macintosh has been recently targeted in a multitude of different ways, including adware, spyware, and other low-level styles of attacks," Wilhoit says.

"The price dropping is common among underground sites and forums. Typically, just like negotiating the price for a car, adversaries will negotiate the price lower than what's being asked, or the malware authors themselves will lower the price. If the sale price (100 BTC) doesn't get interest, the malware authors will continually lower price points until it starts garnering interest from prospective buyers," he added.