S0279 Proton
Proton is a macOS backdoor focused on data theft and credential access.1
Item | Value |
---|---|
ID | S0279 |
Associated Names | |
Type | MALWARE |
Version | 1.2 |
Created | 17 October 2018 |
Last Modified | 22 January 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.003 | Sudo and Sudo Caching | Proton modifies the tty_tickets line in the sudoers file.1 |
enterprise | T1560 | Archive Collected Data | Proton packs collected files into a zip archive before exfiltrating them.1 |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.004 | Unix Shell | Proton uses macOS’ .command file type to script actions.1 |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.001 | Launch Agent | Proton persists via Launch Agent.1 |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.001 | Keychain | Proton collects keychain files to harvest the credentials they hold.1 |
enterprise | T1555.003 | Credentials from Web Browsers | Proton gathers credentials stored by Google Chrome.1 |
enterprise | T1555.005 | Password Managers | Proton collects 1Password files to harvest the credentials they hold.1 |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Proton uses an encrypted file to store commands and configuration values.1 |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.001 | Disable or Modify Tools | Proton kills running security tools such as Wireshark.1 |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.002 | Clear Linux or Mac System Logs | Proton removes logs from /var/logs and /Library/logs.1 |
enterprise | T1070.004 | File Deletion | Proton removes all files in the /tmp directory.1 |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | Proton uses a keylogger to capture keystrokes.1 |
enterprise | T1056.002 | GUI Input Capture | Proton prompts users for their credentials.1 |
enterprise | T1021 | Remote Services | - |
enterprise | T1021.005 | VNC | Proton uses VNC to connect to compromised systems.1 |
enterprise | T1113 | Screen Capture | Proton captures the content of the desktop with the screencapture binary.1 |
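Added example, not code from this page or from the Proton sample: a small Python triage script for the T1548.003, T1543.001 and T1059.004 rows above. It parses sudoers text (full-line and trailing comments, backslash continuations, scoped `Defaults:user` / `Defaults@host` entries) and reports the effective tty_tickets value together with every entry that turns it off, which is the change that lets a sudo credential cached in one terminal be reused from another; and it scores a Launch Agent plist with a few review heuristics (execution from a temp directory, a .command script, RunAtLoad combined with KeepAlive, a label that is not reverse-DNS style). The sudoers lines, the agent label and paths, and the assumption that the sudo shipped with current macOS has tty_tickets on by default are all constructed or assumed here; the page does not quote Proton's actual sudoers edit or plist.

```python
"""Host triage for the Proton tradecraft in the table above: sudo ticket sharing
(T1548.003), Launch Agent persistence (T1543.001), .command scripts (T1059.004).
Added example, not Proton's code or the cited analysis; every sample input is
constructed.  On a real host read /etc/sudoers (as root) and the plists under
~/Library/LaunchAgents and /Library/LaunchAgents with plistlib.load instead.
"""
import plistlib
import re
from typing import Dict, List, Tuple

# Assumption: current macOS ships sudo with tty_tickets compiled on, so a per-tty
# ticket is the baseline and any entry that switches it off is the anomaly.
DEFAULT_TTY_TICKETS = True
# 'Defaults' may be scoped: Defaults:user, Defaults@host, Defaults>runas, Defaults!cmd
DEFAULTS_RE = re.compile(r"^\s*Defaults(?:[:@>!]\S*)?\s+(.*)$")
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def _strip_comment(raw: str) -> str:
    """Drop a sudoers comment; keep #include directives and numeric #uid/#gid."""
    s = raw.strip()
    if s.startswith("#include"):
        return s                      # kept verbatim; included files are not followed
    if s.startswith("#"):
        return ""
    return re.sub(r"\s#(?!\d).*$", "", raw).rstrip()


def _logical_lines(text: str) -> List[Tuple[int, str]]:
    """Join backslash-continued lines, yielding (first line number, joined text)."""
    out, buf, start = [], [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        line = _strip_comment(raw)
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        logical, buf = " ".join(buf).strip(), []
        if logical:
            out.append((start, logical))
    return out


def tty_tickets_state(sudoers: str) -> Tuple[bool, List[Tuple[int, str]]]:
    """Return (effective tty_tickets value, entries that turn it off).

    Later Defaults entries override earlier ones, so the last option wins; scoped
    entries such as 'Defaults:user !tty_tickets' are reported too.
    """
    effective, disablers = DEFAULT_TTY_TICKETS, []
    for lineno, line in _logical_lines(sudoers):
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        for opt in (o.strip() for o in m.group(1).split(",")):
            if opt == "tty_tickets":
                effective = True
            elif opt == "!tty_tickets":
                effective = False
                disablers.append((lineno, line))
    return effective, disablers


def launch_agent_findings(plist: Dict) -> List[str]:
    """Reasons a parsed Launch Agent plist deserves review (heuristics are assumptions)."""
    findings = []
    tokens = [str(t) for t in ([plist["Program"]] if "Program" in plist else [])
              + list(plist.get("ProgramArguments") or [])]
    if any(t.startswith(TEMP_DIRS) for t in tokens):
        findings.append("executes from a temp directory")
    if any(t.endswith(".command") for t in tokens):
        findings.append("runs a .command shell script (T1059.004)")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad with KeepAlive: relaunched if killed")
    label = str(plist.get("Label", ""))
    if not re.fullmatch(r"[A-Za-z0-9]+(\.[A-Za-z0-9_-]+)+", label):
        findings.append(f"label is not reverse-DNS style: {label!r}")
    return findings


# Constructed samples: neither is Proton's real sudoers edit or Launch Agent.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
Defaults\tenv_keep += "HOME MAIL"
Defaults    !tty_tickets
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
"""
SAMPLE_AGENT = {
    "Label": "Updater",
    "ProgramArguments": ["/bin/sh", "/tmp/Updater.command"],
    "RunAtLoad": True,
    "KeepAlive": True,
}


def sample_agent_findings() -> List[str]:
    """Round-trip the sample through plistlib, as an on-disk agent would be read."""
    return launch_agent_findings(plistlib.loads(plistlib.dumps(SAMPLE_AGENT)))


if __name__ == "__main__":
    enabled, bad = tty_tickets_state(SAMPLE_SUDOERS)
    print("tty_tickets effective:", enabled, "| turned off by:", bad)
    print("Launch Agent findings:", "; ".join(sample_agent_findings()))
```

Run as a script it reports the sample sudoers as having tty_tickets off (line 4) and four findings on the sample agent. The sudoers parser deliberately tracks the last-wins semantics rather than grepping for the string: a later `Defaults tty_tickets` re-enables the ticket, and a disabling entry hidden behind a backslash continuation is still caught because lines are joined before matching. The Launch Agent heuristics are a starting point for review, not a verdict; legitimate agents also use RunAtLoad, so treat the combination of findings, not any one of them, as the signal.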