Developers of the Mac-based RAT Proton apparently shipped the malware with genuine Apple code-signing signatures.

Questions continue to swirl around a mysterious Mac-based remote-access trojan (RAT) malware program called Proton, which Apple addressed in an update last month to its anti-malware program, XProtect.

The threat garnered new attention last week after a Malwarebytes blog post cited a February report from Israeli-based dark web monitoring company Sixgill, whose researchers spotted the malware on a Russian cybercrime forum.

According to Sixgill, the malware gives the attacker root-access privileges, in all likelihood due to exploitation of a previously unpatched zero-day vulnerability. The dark web ad and a YouTube video demonstration of the malware also tout such capabilities as “running real-time console commands and file-manager, keylogging, SSH/VNC connectivity, screenshots, webcam operation and the ability to present a custom native window requesting information such as a credit-card, driver's license and more,” Sixgill reported. Furthermore, “The malware also boasts the capability of iCloud access, even when two-factor authentication is enabled.”

Sixgill also noted that Proton's developers managed to ship the RAT program with genuine Apple code-signing signatures, possibly by falsifying registration to the Apple Developer ID program or by using stolen developer credentials.

Sixgill told SC Media that it did not have a sample of the malware to analyze in order to confirm the claims of the malware's developer.

In February, Apple reportedly updated its XProtect program to defend against OSX.Proton.A, as well as the backdoor malware program XAgent.