Proton

Proton is a macOS backdoor focusing on data theft and credential access ^[1].

ID: S0279

ⓘ

Type: MALWARE

ⓘ

Platforms: macOS

Version: 1.2

Created: 17 October 2018

Last Modified: 22 January 2021

Techniques Used

Domain	ID		Name	Use
Enterprise	T1555	.001	从密码存储中获取凭证: Keychain	Proton gathers credentials in files for keychains.^[1]
		.003	从密码存储中获取凭证: Credentials from Web Browsers	Proton gathers credentials for Google Chrome.^[1]
		.005	从密码存储中获取凭证: Password Managers	Proton gathers credentials in files for 1password.^[1]
Enterprise	T1543	.001	创建或修改系统进程: Launch Agent	Proton persists via Launch Agent.^[1]
Enterprise	T1140		反混淆/解码文件或信息	Proton uses an encrypted file to store commands and configuration values.^[1]
Enterprise	T1059	.004	命令与脚本解释器: Unix Shell	Proton uses macOS' .command file type to script actions.^[1]
Enterprise	T1562	.001	妨碍防御: Disable or Modify Tools	Proton kills security tools like Wireshark that are running.^[1]
Enterprise	T1113		屏幕捕获	Proton captures the content of the desktop with the screencapture binary.^[1]
Enterprise	T1560		归档收集数据	Proton zips up files before exfiltrating them.^[1]
Enterprise	T1548	.003	滥用权限提升控制机制: Sudo and Sudo Caching	Proton modifies the tty_tickets line in the sudoers file.^[1]
Enterprise	T1070	.002	移除指标: Clear Linux or Mac System Logs	Proton removes logs from `/var/logs` and `/Library/logs`.^[1]
		.004	移除指标: File Deletion	Proton removes all files in the /tmp directory.^[1]
Enterprise	T1056	.001	输入捕获: Keylogging	Proton uses a keylogger to capture keystrokes.^[1]
		.002	输入捕获: GUI Input Capture	Proton prompts users for their credentials.^[1]
Enterprise	T1021	.005	远程服务: VNC	Proton uses VNC to connect into systems.^[1]

References

Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.