A Trojanized version of Elmedia Player software for Mac delivered the newest version of the Proton backdoor, researchers said.
Once on a system, the malware can move around the OS and harvest browser data, SSH, GnuPG, 1Password and macOS keychain data, VPN configurations, and cryptocurrency wallets, researchers at ESET said.
“In the current case of Eltima Trojanized software, the attacker built a signed wrapper around the legitimate Elmedia Player and Proton. In fact, we observed what seems to be real-time repackaging and signing of the wrappers, all with the same valid Apple Developer ID,” the researchers said in a post.
“OSX/Proton is a RAT sold as a kit on underground forums,” the researchers said. “It was very briefly documented by Sixgill earlier this year.”
Apple has been notified, has revoked the certificate, and is in the process of invalidating the Developer ID used to sign the malicious application.
Eltima Software, the creators of the compromised application, pulled the malicious package from their site.
They say their infrastructure has now been cleansed and the Elmedia Player package is clean.
Eltima has yet to offer more details about its investigation.
Users can verify whether they’ve been infected by checking for the presence of com.Eltima.UpdaterAgent.plist in the System/Library/LaunchAgents/ directory. In addition, ESET researchers offered other indicators of compromise.
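A defender-side check for the persistence indicator named above, as an added example that is not ESET's or Eltima's code: it looks for the plist in the launchd agent directories (assumption: the per-user and system-wide LaunchAgents locations, not only the one named above) and reports the Label and program the agent would launch, so a responder can see what persisted rather than just that a file exists.

```python
"""Look for the com.Eltima.UpdaterAgent.plist persistence indicator in launchd agent dirs."""
import os
import plistlib
import tempfile
from xml.parsers.expat import ExpatError

IOC_PLIST_NAME = "com.Eltima.UpdaterAgent.plist"  # file name given in the article

# Assumption: scan the standard launchd agent locations, not only /System/Library/LaunchAgents.
DEFAULT_LAUNCH_AGENT_DIRS = (
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/System/Library/LaunchAgents",
)


def describe_plist(path):
    """Return the launchd Label and the program this agent runs, or an error note if unreadable."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)  # handles both XML and binary plists
    except (OSError, ValueError, ExpatError) as exc:  # InvalidFileException is a ValueError
        return {"path": path, "error": str(exc)}
    program = data.get("ProgramArguments") or [data.get("Program")]
    return {"path": path, "label": data.get("Label"), "program": program,
            "run_at_load": bool(data.get("RunAtLoad"))}


def find_ioc(dirs=DEFAULT_LAUNCH_AGENT_DIRS, name=IOC_PLIST_NAME):
    """Return details for every agent plist with the indicator's name in the given directories."""
    hits = []
    for directory in dirs:
        candidate = os.path.join(directory, name)
        if os.path.lexists(candidate):  # also catches a dangling symlink left behind
            hits.append(describe_plist(candidate))
    return hits


def demo():
    """Self-check against a constructed plist in a temp dir (not a real sample from the campaign)."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_agent = {"Label": "com.Eltima.UpdaterAgent",
                      "ProgramArguments": ["/tmp/example/updater"], "RunAtLoad": True}
        with open(os.path.join(tmp, IOC_PLIST_NAME), "wb") as fh:
            plistlib.dump(fake_agent, fh)
        return find_ioc(dirs=(tmp,))


if __name__ == "__main__":
    for hit in find_ioc() or [{"path": "(no indicator found in scanned directories)"}]:
        print(hit)
```

Run it on the affected Mac as the logged-in user; a hit shows the path, Label and launched program, and an empty result only means the named file is absent from the scanned directories, not that the machine is clean.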
If you’ve been hit, the best way to make sure the system is thoroughly clean is to do a full OS reinstall.