Apple recently patched macOS security software Xprotect so it can identify popular malware like Xagent. The same update included a fix for several other types of malware, including one that was previously unknown: OSX.Proton.A.
Proton may be largely unknown to the public, but cybersecurity firm Sixgill, which specializes in discovering malware that originates on the dark web, identified the threat in a now deleted blog post from early February. A PDF report version of the article is still live on their website, and a Sixgill representative verified that it was deleted due to problems with the blog section of their website but will be reposted later on. The PDF is identical to the blog post.
Proton was discovered in “a post in one of the leading, closed Russian cybercrime message boards,” Sixgill said. The author was offering Proton for sale on the forum for the initial cost of 100 Bitcoins but has since lowered the price to 40 BTC, which still amounts to nearly $50,000.
What Proton is capable of
Apple may have updated Xprotect to detect Proton but there’s no reason to assume it isn’t a threat.
One of the biggest concerns about Proton is how unknown it is. Malwarebytes Labs’ article on Proton says that they have been unable to find a sample of it, both websites associated with it are down, and they also assert that Sixgill’s analysis seems to have been completely done from information they found on the web and not the malware itself.
See: Think Apple computers are still malware immune? This new attack proves otherwise (TechRepublic)
All that information, or lack thereof, means the cybersecurity community is largely in the dark about how big of a threat Proton actually is. A YouTube channel associated with Proton has two videos showing what it’s capable of, and what they reveal is truly frightening.
Figure A comes from the Sixgill report on Proton and is a direct screen capture from the cybercrime forum where it was discovered. All of those capabilities, as shown in the YouTube videos, can be accessed from a web console once the Proton client is installed on a target machine. It can even bypass Gatekeeper by spoofing an Apple signature on an install bundle.
What Proton can do is obvious—they plastered it all over their website and cybercrime forums. How it’s made is unknown, aside from the author’s claim of writing it in Objective C.
Planning Proton protection
It’s difficult, if not impossible, to secure computers when you have no idea what the threat is. Apple’s claim to have added Proton detection to Xprotect is a good first step, but in all likelihood it will only last as long as it takes for the author to change their code.
See: The state of malware: 4 big takeaways from AV-TEST’s 2016 report (TechRepublic)
With the threat largely unknown, and assumedly undetectable, the only steps that can be taken are proactive and protective ones that should already be a part of a solid cybersecurity SOP:
- Keep all machines up to date, either manually or via group policy.
- Enforce policies that only allow software to be installed directly from the macOS App Store.
- Require two-factor authentication whenever possible. Even if data is stolen two-factor can make accessing it more difficult.
- Set aggressive email and web filters to prevent users from downloading and installing malware.
- Schedule regular employee education sessions on what malware is, where it comes from, how to recognize it, and how to report suspicious activity to IT.
The three big takeaways for TechRepublic readers:
- A recently discovered macOS malware called Proton is capable of complete control over a host machine and is completely invisible to Gatekeeper, Apple’s built-in security software.
- Apple added definitions for Proton into a recent Xprotect update, but it is unknown how effective they will be or how long it will take for the author to modify the code.
- IT and users should assume that Proton and RATs (remote administration tool) like it are impossible to detect and be proactive about security before it’s too late.
Source: SANS ISC SecNewsFeed @ March 2, 2017 at 11:54AM