Mac Version of Handbrake Encoder Tampered With Backdoor

On May 6th 2017, the maintainers of the popular video-transcoding application Handbrake warned users of a compromised mirror containing a variant of the Mac-specific Trojan malware “Proton”. This infected version of Handbrake was estimated to be online from May 2nd to May 6th. Furthermore, Mac security researcher Patrick Wardle showed on his website that this particular variant of OSX.PROTON was undetectable by 55 of the most common anti-virus scans and applications, further obscuring the danger to those who recently downloaded the program on their Mac devices.

According to Handbrake, any user who downloaded a copy of HandBrake-1.0.7.dmg or earlier had a 50/50 chance of being infected, given that the hacked mirror was one of the two servers used to distribute the application download. Handbrake also provided the SHA-1 and SHA-256 cryptographic hashes of the infected variant to help users determine whether or not their particular copy of the application was infected.

SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

The Infected Hashes in Question

How Does Proton-Handbrake Work?

On first run, the infected Handbrake displays a window showing the Handbrake logo that asks the user to provide administrator access via their password. When given permission, the application will install in:

Fake Handbrake Access Prompt

In particular, seeing activity_agent in the OS X Activity Monitor was a solid sign of infection, as the program would continue to run even after the application is terminated. This grants the malware elevated privileges to download, install and run scripts and further applications that will infect the system further and compromise the user’s privacy and the security of their data.

What is Proton? What Can It Do?

As for the activity of Proton.OSX, the malware acts as a Remote Access Trojan, sold and distributed for the purpose of logging, spying on, and storing users’ activities and passwords through keyloggers, remote uploading/downloading, screenshotting, and direct SSH/VNC access.

According to Threatpost, this particular variant of Proton was signed and shipped with genuine Apple code-signing signatures, which helped hide the malware from detection on machines and added a level of sophistication to the Trojan’s activity. This has even led to the malware being priced at around 100 bitcoins (163,000 USD) on the black market.

What Now?

Users who downloaded Handbrake between May 2nd and May 6th should check their hashes, scan their systems, and change any online passwords they may have used during the infection period (after first removing the malware). Users should also check their Mac systems after infection to ensure no other malware has been installed via backdoor access. Finally, those using a Mac system containing Handbrake in corporate or business settings should inform their IT departments of any recent activity and of the existence of the Proton-infected Handbrake, to ensure the security of the company’s data and the integrity of its devices.

How to Check My Hash In Case of Infection?

To check your own hash, enter the following in the Terminal app (located in Utilities) and compare the result to the hashes Handbrake provided (as seen on this page). If there is a match, delete your copy of the .dmg file, scan with an updated anti-virus/anti-malware application, re-download a newer version of the application and ensure its hash does not match.

shasum -a 1 /path/to/HandBrake-VERSION.dmg
shasum -a 256 /path/to/HandBrake-VERSION.dmg

Where /path/to/ is the location where the file is stored on your computer and VERSION is the version number you downloaded. The first command prints the SHA-1 hash and the second prints the SHA-256 hash.

Additional Links:

Handbrake’s Official Statement on the malware

Ars Technica take on the Handbrake Trojan

Malwarebytes explanation of Proton-Handbrake

Threatpost take on Proton-Handbrake

