If you've downloaded HandBrake over the past week, there's a 50/50 chance your Mac got infected with Proton

May 8, 2017 10:07 GMT

Mac users who downloaded the HandBrake video file-transcoding app over the past week have a high chance of having downloaded a Proton-infected build instead. This hard-to-detect Mac malware was discovered a couple of months ago and has become quite prolific since then.

The new malware warning for Mac users of HandBrake comes after it was discovered that a mirror download server was hacked and the app replaced with malware.

The security warning was released over the weekend on HandBrake's forums. The post says that anyone who downloaded HandBrake for Mac between May 2, 14:30 UTC and May 6, 11:00 UTC needs to verify the SHA1 / SHA256 sum of the file before running it, and should check their system to see whether they have been infected with a Trojan. According to the company, there's a 50/50 chance of having been infected if you downloaded the app during this period.

"If you see a process called 'Activity_agent' in the OSX Activity Monitor application, you are infected. For reference, if you've installed a HandBrake.dmg with the following checksums, you will also be infected: SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274 SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793," the announcement reads.

In order to remove the malware, you have to open up the Terminal application and run several commands:

launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app
[ -e ~/Library/VideoFrameworks/proton.zip ] && rm -rf ~/Library/VideoFrameworks/   # only if that folder contains proton.zip
Then, you have to remove any "Handbrake.app" installs that may be on the device. Following the malware removal, it is advisable to change all the passwords that may reside in your OSX Keychain or in any browser password store.
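The advisory's two checks, the checksum comparison against the compromised build and the look for Proton's indicators, can be scripted so they are repeatable across a fleet. The script below is an added example, not code from the HandBrake project or the forum announcement; the checksums and file paths come from the page, while the function names and the optional home-directory argument (so the check can be pointed at a mounted backup or a test tree) are this example's own additions.

```shell
#!/bin/sh
# Added example: verify a downloaded HandBrake.dmg and look for the Proton
# indicators named in the HandBrake advisory. Hashes and paths are from the
# advisory; function names and the home-dir argument are assumptions of this example.

BAD_SHA1="0935a43ca90c6c419a49e4f8f1d75e68cd70b274"
BAD_SHA256="013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793"

# macOS ships shasum; most Linux systems ship sha1sum/sha256sum. Use whichever exists.
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | awk '{print $1}'
  else shasum -a 1 "$1" | awk '{print $1}'; fi
}
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# hashes_match_bad SHA1 SHA256: returns 0 (true) if either digest is one of
# the compromised-build checksums from the advisory.
hashes_match_bad() {
  [ "$1" = "$BAD_SHA1" ] || [ "$2" = "$BAD_SHA256" ]
}

# dmg_is_compromised FILE: hashes the file and compares both digests.
# Returns 0 if compromised, 1 if clean, 2 if the file does not exist.
dmg_is_compromised() {
  f="$1"
  [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
  h1=$(sha1_of "$f")
  h256=$(sha256_of "$f")
  if hashes_match_bad "$h1" "$h256"; then
    echo "COMPROMISED build: $f"
    return 0
  fi
  echo "checksums do not match the known-bad build: $f"
  return 1
}

# proton_indicators_present [HOME_DIR]: returns 0 if any of the advisory's
# on-disk indicators exist under HOME_DIR (default: the current user's home),
# or if a process named activity_agent is running.
proton_indicators_present() {
  home="${1:-$HOME}"
  found=1
  for p in \
    "$home/Library/LaunchAgents/fr.handbrake.activity_agent.plist" \
    "$home/Library/RenderFiles/activity_agent.app" \
    "$home/Library/VideoFrameworks/proton.zip"; do
    if [ -e "$p" ]; then
      echo "indicator present: $p"
      found=0
    fi
  done
  # Process check from the advisory ('Activity_agent' in Activity Monitor);
  # pgrep -i matches the name case-insensitively and exists on macOS and Linux.
  if command -v pgrep >/dev/null 2>&1 && pgrep -i activity_agent >/dev/null 2>&1; then
    echo "indicator present: running activity_agent process"
    found=0
  fi
  return $found
}

# Usage when run directly: ./check_handbrake.sh /path/to/HandBrake.dmg
if [ -n "$1" ]; then
  dmg_is_compromised "$1"
  if proton_indicators_present; then
    echo "Proton indicators found; follow the advisory's removal steps and rotate passwords."
  else
    echo "no Proton indicators found under $HOME"
  fi
fi
```

A clean checksum only tells you the file on disk is not the known-bad build; the indicator check is what matters if the installer was already run, since the launch agent and the activity_agent process persist independently of the .dmg.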

What is Proton?

Proton, the malware the app was infected with, was discovered back in March. It is a Remote Administration Tool (RAT) that was being sold on Russian cybercrime message boards. Proton was originally listed at 100 BTC, but by the time of the report the price had dropped to just 40 BTC with unlimited installations.

The malware gives attackers full control of infected devices, including keylogging, webcam and screen surveillance, file uploads and downloads, and more.

"Proton can present a custom native window requesting information such as a credit card, driver's license and more. The malware also boasts the capability of iCloud access, even with 2FA enabled," cyber intelligence company Sixgill noted in a blog post back in March.

The worst part was that the malware came with a genuine Apple code-signing signature, indicating a sophisticated attack.

"The author of Proton RAT somehow got through the rigorous filtration process Apple places on MAC OS developers of third-party software, and obtained genuine certifications for his program. Sixgill evaluates that the malware developer has managed to falsify registration to the Apple Developer ID Program or used stolen developer credentials for the purpose," reads the report.