Proton is a macOS backdoor focusing on data theft and credential access [1].

ID: S0279
Platforms: macOS

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1081 | Credentials in Files | Proton gathers credentials in files for Chrome, 1Password, and keychains. [1] |
| Enterprise | T1002 | Data Compressed | Proton zips up files before exfiltrating them. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Proton uses an encrypted file to store commands and configuration values. [1] |
| Enterprise | T1089 | Disabling Security Tools | Proton kills security tools like Wireshark that are running. [1] |
| Enterprise | T1107 | File Deletion | Proton removes all files in the /tmp directory. [1] |
| Enterprise | T1070 | Indicator Removal on Host | Proton removes logs from /var/logs and /Library/logs. [1] |
| Enterprise | T1056 | Input Capture | Proton uses a keylogger to capture keystrokes. [1] |
| Enterprise | T1141 | Input Prompt | Proton prompts users for their credentials. [1] |
| Enterprise | T1159 | Launch Agent | Proton persists via a Launch Agent. [1] |
| Enterprise | T1021 | Remote Services | Proton uses VNC to connect into systems. [1] |
| Enterprise | T1113 | Screen Capture | Proton captures the content of the desktop with the screencapture binary. [1] |
| Enterprise | T1064 | Scripting | Proton uses macOS' .command file type to script actions. [1] |
| Enterprise | T1206 | Sudo Caching | Proton modifies the tty_tickets line in the sudoers file. [1] |
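The T1206 row above is the one a host audit can check directly. The following is an added example, not code from ATT&CK or from the Proton report: it assumes the modification in question is a `Defaults` entry that turns off `tty_tickets` (so a cached sudo ticket is shared across terminals), and it is meant to be run against a copied or mounted sudoers file, never edited through it.

```sh
#!/bin/sh
# Added example (not part of the ATT&CK page): flag a sudoers file whose
# Defaults entries disable tty_tickets, the hardening Proton's T1206 use
# is assumed here to remove. Returns 0 if no such entry is found, 1 if one is.
# $1: path to a sudoers file or a file under sudoers.d (read only).
sudoers_tty_tickets_ok() {
    # Drop '#' comments first so a commented-out line does not trigger.
    # Then match a Defaults line (optionally qualified, e.g. Defaults:user)
    # whose comma/space separated option list contains "!tty_tickets".
    if sed 's/#.*//' "$1" \
       | grep -Eq '^[[:space:]]*Defaults[^[:space:]]*[[:space:]]+(.*[[:space:],])?!tty_tickets([[:space:],]|$)'; then
        return 1
    fi
    return 0
}

# Audit every file that sudo would read: the main file plus sudoers.d.
# Prints one line per offending file; returns 1 if any were found.
audit_sudoers_tree() {
    bad=0
    for f in "$1" "$2"/*; do
        [ -f "$f" ] || contin
        if ! sudoers_tty_tickets_ok "$f"; then
            echo "tty_tickets disabled in: $f"
            bad=1
        fi
    done
    return $bad
}

# Demo on constructed samples (no real host files are touched).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/sudoers.d"
printf 'Defaults env_reset\nroot ALL=(ALL) ALL\n' > "$demo_dir/sudoers"
printf 'Defaults:admin env_reset,!tty_tickets\n' > "$demo_dir/sudoers.d/altered"
audit_sudoers_tree "$demo_dir/sudoers" "$demo_dir/sudoers.d" || true
rm -rf "$demo_dir"
```

On a live macOS host, point `audit_sudoers_tree` at /etc/sudoers and /etc/sudoers.d (reading them needs root); a hit there warrants checking ~/Library/LaunchAgents and /tmp as well, per the T1159 and T1107 rows.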