Proton is a macOS backdoor focusing on data theft and credential access [1].

ID: S0279
Platforms: macOS
Version: 1.2
Created: 17 October 2018
Last Modified: 22 January 2021

Techniques Used

Domain ID Name Use
Enterprise T1548 .003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Proton modifies the tty_tickets line in the sudoers file.[1]

Enterprise T1560 Archive Collected Data

Proton zips up files before exfiltrating them.[1]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Proton uses macOS' .command file type to script actions.[1]

Enterprise T1543 .001 Create or Modify System Process: Launch Agent

Proton persists via Launch Agent.[1]

Enterprise T1555 .001 Credentials from Password Stores: Keychain

Proton gathers credentials in files for keychains.[1]

.003 Credentials from Password Stores: Credentials from Web Browsers

Proton gathers credentials for Google Chrome.[1]

.005 Credentials from Password Stores: Password Managers

Proton gathers credentials in files for 1password.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Proton uses an encrypted file to store commands and configuration values.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Proton kills security tools like Wireshark that are running.[1]

Enterprise T1070 .002 Indicator Removal: Clear Linux or Mac System Logs

Proton removes logs from /var/logs and /Library/logs.[1]

.004 Indicator Removal: File Deletion

Proton removes all files in the /tmp directory.[1]

Enterprise T1056 .001 Input Capture: Keylogging

Proton uses a keylogger to capture keystrokes.[1]

.002 Input Capture: GUI Input Capture

Proton prompts users for their credentials.[1]

Enterprise T1021 .005 Remote Services: VNC

Proton uses VNC to connect into systems.[1]

Enterprise T1113 Screen Capture

Proton captures the content of the desktop with the screencapture binary.[1]