'Proton' Mac trojan has Apple code-signing signatures, sold to 'customers' for $50K

Posted:
in macOS
Security researchers have discovered the existence of a new trojan dubbed "Proton" being marketed in hacking forums to online criminals, claiming to ship with genuine Apple code-signing signatures that could make it a greater risk to victims.




Found on Russian cybercrime forums, "Proton" is a remote access trojan (RAT) aimed at macOS systems, according to security firm Sixgill. Written in Objective C, allowing it to run without any dependencies, the malware is marketed by the creator as a "professional FUD surveillance and control solution, with which you can do almost everything with (a) target's Mac."

With root-access privileges, the list of potential actions includes keylogging, uploading and downloading files, screenshots, webcam access, and SSH and VNC connectivity. It is also claimed the malware can also present victims with a custom window, which could be used to request extra information, such as a credit card number.

The user's locally-stored data is not the only information at risk, as the researchers note the trojan also grants access to iCloud, even if the user has enabled two-factor authentication.

Sixgill advises the malware's creator managed to get the code signed by Apple, suggesting it has managed to pass through Apple's rigorous filtration process for third-party software developers. It is believed the developer has either falsified their registration to the Apple Developer ID Program or used stolen credentials, in order to get through the signing process.




Furthermore, Sixgill believes the malware is only able to get root privileges by using a "previously unpatched 0-day vulnerability" in macOS, one thought to be in the trojan creator's possession.

Despite its capabilities, the trojan still relies on existing methods to be infected on a target system. Users of Proton still have to disguise the malware with a custom name and icon, and to somehow trick targets into downloading and installing it.

The creator of Proton attempted to market it as a supposedly legitimate security tool, complete with a website advertising it as an ideal solution to prevent corporate espionage, to help administrators manage systems, and for parents to monitor their children's Internet usage. The website was quickly taken down shortly after Sixgill published its report.

Notably, the trojan's creator has cut the price of Proton for their potential "customers." Previously, the tool cost 100 bitcoins ($126,000) to acquire, with a license for unlimited installations, but criticism from others prompted a reduction to 40 bitcoins ($50,400) for unlimited installations, or 2 bitcoins ($2,512) for a single installation.

Proton is the latest in a recent string of malware discoveries targeting Macs, a platform considered to be more robust against attacks compared to Windows and other operating systems. In February, malware called "MacDownloader" was discovered as part of an attempt to hack individuals and companies in the U.S. defense industry, and human rights advocates, by posing as a Flash Player update.

In the same month, malware employing an auto-running macro in a Word document surfaced, using an old technique previously used to infect Windows systems. Later in February, a Russian hacking group accused of interfering with the 2016 U.S. presidential elections was found to have updated its "Xagent" malware package, expanding its reach from Windows, iOS, Android, and Linux devices to attack Macs.

Comments

  • Reply 1 of 13
    Serious shit!
  • Reply 2 of 13
    r00fus1r00fus1 Posts: 65member
    So when is Apple going to revoke the cert? I mean that's why code signing is a requirement, right?
    dysamoria
  • Reply 3 of 13
    sockrolidsockrolid Posts: 2,789member
    In February, malware called "MacDownloader" was discovered as part of an attempt to hack individuals and companies in the U.S. defense industry, and human rights advocates, by posing as a Flash Player update.
    Flash Player *is* malware.
    Isn't it?
    neo-techwatto_cobrabaconstang
  • Reply 4 of 13
    ktappektappe Posts: 823member
    r00fus1 said:
    So when is Apple going to revoke the cert? I mean that's why code signing is a requirement, right?
    It's likely Apple doesn't know which of the million certs they've issued is being used here. One way they could find out is to scour their records to try to figure out which cert has lies all over its application, but they might miss it. Another is to buy the thing to get a copy. 
  • Reply 5 of 13
    ktappe said:
    r00fus1 said:
    So when is Apple going to revoke the cert? I mean that's why code signing is a requirement, right?
    It's likely Apple doesn't know which of the million certs they've issued is being used here. One way they could find out is to scour their records to try to figure out which cert has lies all over its application, but they might miss it. Another is to buy the thing to get a copy. 

    Wouldn't apple have an idea of the kinds of s/w related to any given developer?  Or the kinds of functionality that the developer might be planning?
    dysamoriasergioz
  • Reply 6 of 13
    davendaven Posts: 696member
    ktappe said:
    r00fus1 said:
    So when is Apple going to revoke the cert? I mean that's why code signing is a requirement, right?
    It's likely Apple doesn't know which of the million certs they've issued is being used here. One way they could find out is to scour their records to try to figure out which cert has lies all over its application, but they might miss it. Another is to buy the thing to get a copy. 
    One install ~$2500. Buy a copy and revoke the cert.
    linkman
  • Reply 7 of 13
    dysamoriadysamoria Posts: 3,430member
    Boy this puts a huge blemish on Apple's certificate granting process. 
  • Reply 8 of 13
    linkmanlinkman Posts: 1,035member
    daven said:
    ktappe said:
    r00fus1 said:
    So when is Apple going to revoke the cert? I mean that's why code signing is a requirement, right?
    It's likely Apple doesn't know which of the million certs they've issued is being used here. One way they could find out is to scour their records to try to figure out which cert has lies all over its application, but they might miss it. Another is to buy the thing to get a copy. 
    One install ~$2500. Buy a copy and revoke the cert.
    That's all folks. Crisis over. Return to your normal lives. /thread closed
  • Reply 9 of 13
    sergiozsergioz Posts: 338member
    Caveat here is that hacker used stolen credentials, in order to get through the signing process where certificate belongs to legit developer! Revoking cert. would be equal to putting legit. dev. out of business. It's much simpler contain threat then cause all the drama! People that use Cisco Umbrella by OpenDNS are protected! https://umbrella.cisco.com/products/features/opendns-cisco-umbrella https://www.opendns.com
    edited March 2017
  • Reply 10 of 13
    jogujogu Posts: 9member
    "Sixgill advises the malware's creator managed to get the code signed by Apple, suggesting it has managed to pass through Apple's rigorous filtration process for third-party software developers. It is believed the developer has either falsified their registration to the Apple Developer ID Program or used stolen credentials, in order to get through the signing process. "
    Sorry, but this paragraph is pretty misleading. The process to get a macOS gatekeeper code signing certificate through "Apple's rigorous filtration process" is to manage to make a $99 payment in the online store and provide a piece of id that looks about right. See https://developer.apple.com/programs/enroll/ to get an idea of what you need, but I can promise that you don't need to be a criminal mastermind to obtain a code signing certificate that doesn't link back to you.
    edited March 2017
  • Reply 11 of 13
    davendaven Posts: 696member
    jogu said:
    "Sixgill advises the malware's creator managed to get the code signed by Apple, suggesting it has managed to pass through Apple's rigorous filtration process for third-party software developers. It is believed the developer has either falsified their registration to the Apple Developer ID Program or used stolen credentials, in order to get through the signing process. "
    Sorry, but this paragraph is pretty misleading. The process to get a macOS gatekeeper code signing certificate through "Apple's rigorous filtration process" is to manage to make a $99 payment in the online store and provide a piece of id that looks about right. See https://developer.apple.com/programs/enroll/ to get an idea of what you need, but I can promise that you don't need to be a criminal mastermind to obtain a code signing certificate that doesn't link back to you.
    No. There is more to it than that. I was an Apple app developer for years and even though I had a decade long history with them they did a background check on me and my company before issuing the DSA keys. I'm guessing that the keys this guy has were probably stolen. Possibly a developer sub contracted some development and passed the keys to the sub contractor and employee at the sub contractor passed them on.
    ravnorodom
  • Reply 12 of 13
    linkmanlinkman Posts: 1,035member
    sergioz said:
    Caveat here is that hacker used stolen credentials, in order to get through the signing process where certificate belongs to legit developer! Revoking cert. would be equal to putting legit. dev. out of business. It's much simpler contain threat then cause all the drama! People that use Cisco Umbrella by OpenDNS are protected! https://umbrella.cisco.com/products/features/opendns-cisco-umbrella https://www.opendns.com
    The legit developer can obtain a new certificate then reissue the apps with the new signature. Back in business!

    So with Cisco's product I can run all of the malware I want (and I'm talking the really bad stuff) and never have to worry?
  • Reply 13 of 13
    jogujogu Posts: 9member
    daven said:
    jogu said:
    "Sixgill advises the malware's creator managed to get the code signed by Apple, suggesting it has managed to pass through Apple's rigorous filtration process for third-party software developers. It is believed the developer has either falsified their registration to the Apple Developer ID Program or used stolen credentials, in order to get through the signing process. "
    Sorry, but this paragraph is pretty misleading. The process to get a macOS gatekeeper code signing certificate through "Apple's rigorous filtration process" is to manage to make a $99 payment in the online store and provide a piece of id that looks about right. See https://developer.apple.com/programs/enroll/ to get an idea of what you need, but I can promise that you don't need to be a criminal mastermind to obtain a code signing certificate that doesn't link back to you.
    No. There is more to it than that. I was an Apple app developer for years and even though I had a decade long history with them they did a background check on me and my company before issuing the DSA keys. I'm guessing that the keys this guy has were probably stolen. Possibly a developer sub contracted some development and passed the keys to the sub contractor and employee at the sub contractor passed them on.
    That doesn't match my experience; I've got Mac signing keys (and iOS enterprise keys) for multiple companies, and to my knowledge Apple has never done a background check on me or any of the companies. I think one time I had to email them a PDF of the company certificate (which is publicly available from the UK government for free) and that was the most in depth check. Maybe they already had enough information in my case.

    I've not needed to do a new registration with Apple for a couple of years, so it is possible they have got stricter recently.

    I'd still say it is pretty easy for a criminal to obtain certificates if they want, they just need to pay a legitimate person to act as the 'front'. The chances of Apple finding out and revoking the certificates are pretty low if they are only used in highly targeted attacks. Luckily, most of us are unlikely to be the subject of a highly targeted attack.


Sign In or Register to comment.