Proton is a macOS backdoor focused on data theft and credential access. It runs on macOS only. Proton gathers credentials from the files of keychains, 1Password and Google Chrome; stores its commands and configuration values in an encrypted file; removes logs from /var/logs and /Library/logs; uses VNC to connect to systems; zips files before exfiltrating them; kills running security tools such as Wireshark; modifies the tty_tickets line in the sudoers file; removes all files in the /tmp directory; persists via a Launch Agent; and captures keystrokes with a keylogger.
Proton Malware Capabilities
Proton acquires credentials from a system in several ways: from the Keychain, from web browsers, and from third-party password managers. It also takes screenshots to gather information and clears system logs to cover its tracks, and it can use VNC to control machines remotely.
- Proton acquires credentials from the Keychain and other password managers, and abuses Unix shell commands and scripts to do its work.
- Proton can also acquire credentials from web browsers, either by reading the credential store files specific to the target browser or by mimicking standard operating system GUI components to prompt the user for credentials with a seemingly legitimate dialog.
- Proton can take screenshots and clear system logs to hide evidence of the intrusion, and it can use VNC to control the machine remotely.
- Proton can compress and/or encrypt collected data before exfiltration, both to obfuscate it and to reduce the volume sent over the network. It can also modify or disable security tools to avoid detection, and it abuses sudo caching and the sudoers file to elevate privileges.
- Proton can delete files left behind by its own intrusion activity, including malware, tools or other non-native files that it dropped or created on the system.
- Proton can create or modify Launch Agents so that its payload is executed repeatedly, giving it persistence across logins without the user's knowledge or consent.
- Proton can log user keystrokes to capture credentials as they are typed. This gives it another route to new access when other methods, such as OS credential dumping, fail. Keylogging is slow: an adversary may need to intercept keystrokes for a long time before anything useful is captured.
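The sudoers edit and the Launch Agent persistence described above both leave artifacts on disk that can be audited statically. The Python script below is an added example, not Proton's code and not a vendor tool: it reports any sudoers Defaults line that negates tty_tickets, and it reports Launch Agent plists that set RunAtLoad together with KeepAlive or that point at a program in a temp, shared or hidden directory. The sudoers content, the plists and the path heuristics are constructed for the demo; the page does not say exactly how Proton rewrites the tty_tickets line, so the check assumes the edit is a negation (`!tty_tickets`).

```python
"""Audit two on-disk artifacts attributed to Proton: a sudoers edit to the
tty_tickets option and a Launch Agent plist used for persistence.

Added example (not Proton's code, not a vendor tool). The sudoers text, the
plists and the "suspicious path" heuristic are constructed assumptions."""
import os
import plistlib
import tempfile
from typing import Dict, List, Tuple

# Assumption: the malicious edit disables tty_tickets so that one cached sudo
# authentication is honoured on every terminal, not only the one in which the
# password was typed.
BAD_SUDOERS_OPTION = "!tty_tickets"

# Assumption: a Launch Agent whose program lives in a temp, shared or hidden
# directory deserves a look; legitimate agents usually point into
# /Applications, /usr or /Library.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def audit_sudoers(text: str) -> List[str]:
    """Report Defaults lines (incl. Defaults:user / Defaults@host) that switch
    tty_tickets off. Comments are stripped before matching."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("Defaults"):
            continue
        parts = line.split(None, 1)
        options = parts[1].replace(",", " ").split() if len(parts) > 1 else []
        if BAD_SUDOERS_OPTION in options:
            findings.append(f"sudoers line {lineno} disables tty_tickets: {line}")
    return findings


def audit_launch_agent(path: str) -> List[str]:
    """Report persistence-style settings and odd program paths in one plist."""
    with open(path, "rb") as fh:
        plist = plistlib.load(fh)
    program = (plist.get("ProgramArguments") or [plist.get("Program", "")])[0]
    findings = []
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad and KeepAlive set (starts at login, restarts if killed)")
    if program.startswith(SUSPICIOUS_PREFIXES) or "/." in program:
        findings.append(f"program in temp, shared or hidden path: {program}")
    return findings


def audit_host(sudoers_path: str, agents_dir: str) -> Dict[str, List[str]]:
    """Run both audits; keys are 'sudoers' and each plist file name."""
    with open(sudoers_path, encoding="utf-8") as fh:
        report = {"sudoers": audit_sudoers(fh.read())}
    for name in sorted(os.listdir(agents_dir)):
        if name.endswith(".plist"):
            report[name] = audit_launch_agent(os.path.join(agents_dir, name))
    return report


def build_sample_host() -> Tuple[str, str]:
    """Constructed mini file system: one tampered sudoers line, one suspicious
    agent, one benign agent. Returns (sudoers_path, agents_dir)."""
    root = tempfile.mkdtemp(prefix="proton-audit-")
    agents = os.path.join(root, "LaunchAgents")
    os.mkdir(agents)
    sudoers = os.path.join(root, "sudoers")
    with open(sudoers, "w", encoding="utf-8") as fh:
        fh.write("Defaults env_reset\n"
                 "Defaults !tty_tickets   # constructed: the intruder's edit\n"
                 "%admin ALL=(ALL) ALL\n")
    samples = {
        "com.example.updater.plist": {   # constructed, suspicious
            "Label": "com.example.updater",
            "ProgramArguments": ["/Users/Shared/.updater/agent", "--silent"],
            "RunAtLoad": True, "KeepAlive": True,
        },
        "com.example.benign.plist": {    # constructed, benign
            "Label": "com.example.benign",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"],
            "RunAtLoad": True,
        },
    }
    for name, content in samples.items():
        with open(os.path.join(agents, name), "wb") as fh:
            plistlib.dump(content, fh)
    return sudoers, agents


if __name__ == "__main__":
    sudoers_path, agents_dir = build_sample_host()
    for item, hits in audit_host(sudoers_path, agents_dir).items():
        print(item, "->", hits or "clean")
```

On a real host, point `audit_host` at `/etc/sudoers` (readable only as root) and at both `~/Library/LaunchAgents` and `/Library/LaunchAgents`; the sample builder only exists so the script runs offline.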
Ways to Detect and Mitigate Proton Malware Capabilities
- Monitor system calls and file access to the Keychain to identify suspicious processes trying to read it. Restrict script usage on systems where scripts are not normally used, so that any script execution stands out. Monitor API calls, file read events and process execution for activity that could indicate an attempt to steal passwords from a password manager.
- Detect the deobfuscation or decoding of files or information, identify reads of web browser files that contain credentials, and monitor process execution for unusual programs.
- Monitor for screen capture behaviour and for file system modification, in particular the deletion of logs. VNC use may be legitimate, but other activity following a remote login may be suspicious.
- Monitor for archival utilities and for the creation of archive files, since Proton zips data before exfiltrating it. Monitor processes and command-line arguments for attempts to kill or stop security tools and services. Monitor for modifications to the sudoers file, including changes to the tty_tickets option; on Linux, auditd can alert whenever a user's real ID and effective ID differ, which is what happens when sudo is used.
- Other detections for Proton infections include monitoring for deletion and secure-deletion tools that are not already present on systems within the enterprise network, monitoring for Launch Agent creation, and monitoring for keylogging API calls.
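The detections in this section can be combined into one behavioural rule set over endpoint telemetry. The Python below is an added example, not Proton's code and not any vendor's detection content: it tags each process execution or file open event with the Proton-style behaviour it matches (keychain read, browser credential file read, archiving of user data, killing a security tool, sudoers write, log or /tmp wipe, Launch Agent write), attributes a child command to the process that spawned it, and alerts on any process that shows at least two distinct behaviours. The event schema, the allowlists, the tool names and the threshold are assumptions, and the sample events are constructed.

```python
"""Behavioural detection for the Proton tradecraft on this page, run over
constructed endpoint telemetry (process executions and file opens).

Added example: not Proton's code and not vendor detection content. Event
schema, allowlists, tool names, threshold and sample events are assumptions."""
import re
from collections import defaultdict
from typing import Dict, List

# Assumed allowlists: processes expected to touch each sensitive artifact.
KEYCHAIN_OK = {"/usr/sbin/securityd", "/usr/bin/security"}
CHROME_OK_PREFIX = "/Applications/Google Chrome.app/"
SUDOERS_OK = {"/usr/sbin/visudo"}
SECURITY_TOOLS = re.compile(r"wireshark|little snitch|lulu|blockblock", re.I)
LOG_PATHS = re.compile(r"/var/log|/Library/Logs|/tmp\b")


def tag_event(ev: Dict) -> List[str]:
    """Return the Proton-style behaviours a single event matches."""
    tags = []
    exe, path, argv = ev.get("exe", ""), ev.get("path", ""), ev.get("argv", [])
    joined = " ".join(argv)
    if ev["type"] == "file_open":
        if "/Library/Keychains/" in path and exe not in KEYCHAIN_OK:
            tags.append("keychain_read")
        if ("/Google/Chrome/" in path and path.endswith(("Login Data", "Cookies"))
                and not exe.startswith(CHROME_OK_PREFIX)):
            tags.append("browser_cred_read")
        if path.endswith("/etc/sudoers") and ev.get("write") and exe not in SUDOERS_OK:
            tags.append("sudoers_write")
        if "/LaunchAgents/" in path and path.endswith(".plist") and ev.get("write"):
            tags.append("launch_agent_write")
    elif ev["type"] == "exec":
        base = exe.rsplit("/", 1)[-1]
        if base in {"zip", "tar", "ditto"} and "/Users/" in joined:
            tags.append("archive_user_data")
        if base in {"kill", "pkill", "killall"} and SECURITY_TOOLS.search(joined):
            tags.append("kill_security_tool")
        recursive = any(a.startswith("-") and "r" in a.lower() for a in argv)
        if base == "rm" and recursive and LOG_PATHS.search(joined):
            tags.append("log_or_tmp_wipe")
    return tags


def score_processes(events: List[Dict], threshold: int = 2) -> Dict[int, List[str]]:
    """Group behaviours per process. A child command (exec) is credited to its
    parent pid, since the backdoor shells out for zip, rm and pkill. Processes
    with at least `threshold` distinct behaviours are returned."""
    per_pid = defaultdict(set)
    for ev in events:
        key = ev.get("ppid", ev["pid"]) if ev["type"] == "exec" else ev["pid"]
        for tag in tag_event(ev):
            per_pid[key].add(tag)
    return {pid: sorted(t) for pid, t in per_pid.items() if len(t) >= threshold}


# Constructed telemetry: pid 501 behaves like the backdoor; the rest is noise.
SAMPLE_EVENTS = [
    {"type": "file_open", "pid": 501, "exe": "/Users/Shared/.updater/agent",
     "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"type": "file_open", "pid": 501, "exe": "/Users/Shared/.updater/agent",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"type": "exec", "pid": 502, "ppid": 501, "exe": "/usr/bin/zip",
     "argv": ["zip", "-r", "/tmp/out.zip", "/Users/alice/Library/Keychains"]},
    {"type": "exec", "pid": 503, "ppid": 501, "exe": "/usr/bin/pkill",
     "argv": ["pkill", "-f", "Wireshark"]},
    {"type": "file_open", "pid": 501, "exe": "/Users/Shared/.updater/agent",
     "write": True, "path": "/private/etc/sudoers"},
    {"type": "exec", "pid": 504, "ppid": 501, "exe": "/bin/rm",
     "argv": ["rm", "-rf", "/var/log/system.log", "/Library/Logs"]},
    {"type": "file_open", "pid": 501, "exe": "/Users/Shared/.updater/agent",
     "write": True, "path": "/Users/alice/Library/LaunchAgents/com.example.updater.plist"},
    {"type": "file_open", "pid": 77, "exe": "/usr/sbin/securityd",      # benign
     "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"type": "exec", "pid": 900, "ppid": 1, "exe": "/usr/bin/zip",      # benign
     "argv": ["zip", "report.zip", "report.pdf"]},
]

if __name__ == "__main__":
    for pid, behaviours in score_processes(SAMPLE_EVENTS).items():
        print(f"ALERT pid {pid}: {', '.join(behaviours)}")
```

The threshold is what keeps this quiet: a backup job that zips a home directory, or an admin killing Wireshark, each trip one tag and never alert; a single process that reads the keychain, archives it, wipes logs and writes a Launch Agent trips several. Real telemetry would key on a process tree rather than a single ppid, but the rule logic is the same.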