HandBrake for Mac Compromised with Proton Spyware

The handlers of the open source HandBrake video transcoder are warning anyone who recently downloaded the Mac version of the software that they’re likely infected with malware.
HandBrake warned users on Saturday of a compromise of one of its mirror download servers, and said anyone who grabbed the software between May 2 and May 6 could have also downloaded a variant of the OSX.PROTON Trojan onto their Mac system.
“Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan,” said an advisory. “You have a 50/50 chance if you’ve downloaded HandBrake during this period.”
Apple, however, has since pushed out an XProtect signature that prevents new infections. HandBrake, meanwhile, advises its users to also change all passwords stored in their OS X Keychain or in their browsers.
HandBrake is free software that is used to convert video from a variety of formats to a supported codec. There are Windows, Mac and Linux versions. The warning was for the Mac version. The handlers advise verifying the SHA1 or SHA256 sum of the file before running it.
The checksum of the known-bad download is:
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793
“If you see a process called ‘Activity_agent’ in the OSX Activity Monitor application, you are infected,” the advisory said.
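The two checks the advisory asks users to perform, verifying the download’s checksum and looking for the Activity_agent process, can be scripted. The following shell script is an added example written for this article; it is not HandBrake’s own tooling. The only values taken from the advisory are the SHA256 above and the process name; the script assumes either `sha256sum` (Linux) or `shasum` (macOS) is installed, and that `ps -A -o comm=` is available for the live process check.

```shell
#!/bin/sh
# Added example, not HandBrake's tooling: compare a downloaded file against the
# known-bad SHA256 from the advisory and look for the advisory's process indicator.

# Known-bad SHA256 as published in the HandBrake advisory.
BAD_SHA256="013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793"

# Print the SHA256 of a file, using sha256sum (Linux) or shasum (macOS).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# Compare a downloaded file against the known-bad hash.
# Returns 0 when the hash does NOT match, 1 when it matches, 2 if the file is missing.
# A non-match only says this is not that specific bad file; it does not prove the
# download is the genuine release, so still compare against the published good sums.
check_download() {
  [ -f "$1" ] || { printf 'no such file: %s\n' "$1" >&2; return 2; }
  h=$(file_sha256 "$1")
  if [ "$h" = "$BAD_SHA256" ]; then
    printf 'MATCH: %s has the known-bad SHA256\n' "$1"
    return 1
  fi
  printf 'no match: %s (sha256 %s)\n' "$1" "$h"
  return 0
}

# Read a process listing (one command per line, as from `ps -A -o comm=`) on stdin
# and return 0 if the advisory's indicator process, Activity_agent, is present.
# The basename is compared because macOS ps prints the full executable path.
list_has_activity_agent() {
  awk -F/ '{ print $NF }' | grep -qx 'Activity_agent'
}

# Check the live process table; returns 0 if found, 1 if not, 2 if ps is unavailable.
running_activity_agent() {
  command -v ps >/dev/null 2>&1 || return 2
  ps -A -o comm= | list_has_activity_agent
}

# Demonstration on a constructed sample file (not a real HandBrake download).
sample=$(mktemp)
printf 'constructed sample data, not a HandBrake image\n' > "$sample"
check_download "$sample"
rm -f "$sample"

running_activity_agent
case $? in
  0) echo "Activity_agent is running: per the advisory, treat this Mac as infected" ;;
  1) echo "Activity_agent not found in the process table" ;;
  *) echo "could not list processes on this system" ;;
esac
```

Run it as `sh check_handbrake.sh` on a Mac after editing the demonstration section to point `check_download` at the downloaded DMG. A matching hash is a definite indicator; a non-matching one only rules out this particular file, which is why the advisory also asks for the process check and a credential reset.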
Proton is a remote access Trojan, or RAT, sold on Russian underground forums. Researchers at Sixgill published an analysis of the Mac malware, which is used to spy on the victim’s activities: it can log keystrokes, upload files to remote machines, download files from the web, capture screenshots and connect directly to the machine via SSH or a remote administration tool such as VNC.
“The malware is shipped with genuine Apple code-signing signatures,” the Sixgill report said. “This means the author of Proton RAT somehow got through the rigorous filtration process Apple places on Mac OS developers of third-party software, and obtained genuine certifications for his program.”
The price, according to the researchers, is steep at around 100 Bitcoin ($163,600 today).
Patrick Wardle, a Mac security expert, wrote on the Objective-See blog on Saturday that the Proton variant had zero detections from the antimalware engines on VirusTotal. Wardle said that when the infected HandBrake app runs, it asks for the user’s credentials via a phony authentication popup.
“If the user is tricked into providing a user name and password, the malware will install itself,” Wardle said, adding that the credentials allow the malware to elevate privileges.
By compromising the HandBrake mirror, the attackers followed the road map laid out by earlier Mac malware such as KeRanger, which was likewise distributed inside a legitimate app.

HandBrake also provided instructions for removing the Trojan from the Terminal application.
“The Download Mirror Server is going to be completely rebuilt from scratch so downloads may be a bit slower than usual while the primary picks up the load,” HandBrake said. “During this time, old versions of HandBrake will not be available.”