MacOS RAT Spotted on the Darknet and Clearnet
Long gone are the days that Mac OS users can legitimately claim that malware only affects Windows machines. Malware in general spreads through our lives, daily. New pieces of malicious software appear daily too. Usually Windows machines and isolated browsers are the target but Appleâs Macintosh line is not exempt. As a testament to this statement, researchers found a new brand of malware, again targeting Mac OS.
Proton, the malware in question, took the form of a Remote Administration Tool or Remote Access Trojan, according to two demonstration videos on YouTube. The toolâs developer demonstrated Protonâs ability to monitor computers wirelessly. The entity primarily marketed, on YouTube, the RATâs ability to record keystrokes.
The firm that claimed credit for this malware discovery, SixGill, automatically âpinpoints and tracks illegal Dark Web hideouts.â Using their proprietary and âfully automated intelligent monitoring algorithms,â they found, Proton on âclosed Russian cybercrime message boards.â (Alphabay) An entity, or creator of the post on the Alphabay forums (forum thread renamed: âTo Be Deletedâ .Onion link).
On the Alphabay forums, a coder name âVexlerâ advertised the malware as an advanced keylogger. One feature several news outlets latched onto consisted of a Mac OS Gatekeeper âbypass.â He never clarified how he accomplished the bypass, but as techaeris.com pointed out, Proton might hijack the developer ID of a legitimate Mac App Store application. Gatekeeper only notices web-downloaded programs, so disguising Proton as a Mac App Store app added enhanced AV evasion. And, as âheâ mentioned, this allowed OTA updates so the hacker controlled future application updates as well.
He explained methods by which one could financially gain from purchasing the RAT. The few Alphabay customers who even responded to the forum post believed the price outweighed the value. SixGill claimed that a single license cost 2 BTC, but Vexler charged completely different prices. âJust came up with an idea to give a pleasant head start to all the prospective customers: 6 clients license for the price of JUST ONE; as low as $55 for a client,â Vexler wrote. And then, in a YouTube video demonstrating the product’s abilities, a single license appeared to cost 0.666 BTC.
One example use for Proton that Vexler gave on the AIphabay forums is displayed below. As seen, the end results depend on the “hacker’s ability to write a believable enough email:
It is time to create a unique trustworthy letter using the data you have aggregated [personal data from a previous”lesson], and there is something you should always have in mind: people ADORE free. For example, it can be a campaign letter from Amazon/eBay /paypal] suggesting to download its first macoS client and get $100 gift card after first successful login from it (of course, it should look exactly like official campaigns from Amazon/eBay /paypal, not just plain text with mistakes-it depends on your imagination and English grammar.
Obviously, letters from such companies must not contain rude mistakes to be taken seriously, only; or a letter from a bank, the cardholder have account in (it is especially good if you put account/card first/last 4 digits in the letter and/or billing address), suggesting, for instance, complimentary Quicken edition (leading macoS software in finance management)- even if your victim don’t need, he will almost certainly download it (because it is FREE) if you put enough effort in your letter. […] Don’t forget about SMTP-if you don’t have access to your victim’s account and don’t have SMTP, than 90% of your message will end up in spam.
He created the forum post on February 7, 2017. His clearnet websiteânow offlineâlanded in a Google crawler cache and the last cached form came from February 2, 2017. So the darknet posts came after the website’s creation. (Note: The site shared the prices found in the SixGill report about the Alphabay listing; the numbers existed, just not on the forum). The clearnet site hosted the same software but advertized a host of different purposes. www.ptn.is/store (cached .PDF) once hosted the storefront for Proton. Someone removed it did not long after the Sixgills threat report.
Below are the uses from his clearnet site:
Keylogger: Our solution includes a keylogger â a tool tracking input keystrokes. For forensic agencies we offer an extended version capable of logging secure inputs, or passwords.
Total Control: You can do anything remotely with your Mac: download file or delete sensitive information, reboot it or disable keyboard, upload a file to a computer which is not at the network.
Direct Connection: Our advanced plans offer SSH tunnel, allowing you to control a remote machine without intermediates. With the same technology you can easily establish VNC connection, which is similar to Remote Desktop.
Observers: With connection to the keyloggger, you can get notified each time a specific piece of information was entered, such as corporate credit card number, phrase like “hate the job” or “i hate my husband”.
Webcam Surveillance: You can easily grab a snapshot from Mac’s webcam. For forensic agencies there is a unique “lightless” feature preventing webcam’s green light to turn on.
Small Native Bundle: Our bundle’s size does not exceed 160 KB*. It is written in Objective C, which means no 3rd party software like Java required and because of size, it can be attached to a document, archive or even be written on a floppy disk.
* – taking a bundle without icons
Standalone Edition: Specially for forensic agencies we have developed a separate server application. All the data from your clients will seep right into your facility, not touching ours.
Password Reset: Should you forget a password, you can easily retrieve or reset it. Also, you are able to easily enable or disable FileVault remotely.
An undeniable discrepancy existed between the clearnet and dancer variants. He asked that the darknet listing be removed by admins and deleted his website. Who knows what happened. He has not responded to any of my requests for comment as of this article.
Sixgill deleted their entry on the topic as well.