include "../../MachO.yara"

// Generic detection for the Proton macOS RAT.
// The rule does not fingerprint Proton's own code; it keys on two
// open-source components the sample embeds (SocketRocket and SSHTunnel)
// and requires a marker from each, on top of the Mach-O header check
// supplied by the included MachO rule.
// NOTE(review): both string groups come from legitimate libraries, so a
// benign app that links both could also match — treat hits as a triage
// lead and confirm against the referenced write-ups.
rule malware_macos_proton_rat_generic
{
    meta:
        description = "https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/"
        reference   = "https://objective-see.com/blog/blog_0x1D.html"
        author      = "@mimeframe"
        md5         = "6a2d0c8b20efc3fa283176a4bc76d6fd"

    strings:
        // Group $a: WebSocket client library strings
        // https://github.com/facebook/SocketRocket
        $a1 = "SRWebSocket"  nocase wide ascii
        $a2 = "SocketRocket" nocase wide ascii

        // Group $b: SSH tunnel helper status messages
        // https://github.com/joeroback/SSHTunnel/
        $b1 = "SSH tunnel not launched"       nocase wide ascii
        $b2 = "SSH tunnel still running"      nocase wide ascii
        $b3 = "SSH tunnel already launched"   nocase wide ascii
        $b4 = "Entering interactive session." nocase wide ascii

    condition:
        // Mach-O gate first so string scanning is skipped for other formats;
        // then at least one marker from each library group.
        MachO
        and 1 of ($a*)
        and 1 of ($b*)
}