On May 6th 2017, the maintainers of the popular video-transcoding application HandBrake warned users that the mirror at download.handbrake.fr had been compromised and was serving a copy of the installer carrying a variant of the macOS-specific Trojan "Proton". The infected version of HandBrake is estimated to have been online from May 2nd to May 6th. Mac security researcher Patrick Wardle also showed on his website that this particular variant of OSX.PROTON went undetected by 55 of the most common anti-virus engines, compounding the danger to anyone who had recently downloaded the program onto their Mac.
According to HandBrake, any user who downloaded HandBrake-1.0.7.dmg or earlier during that window had a 50/50 chance of being infected, because the hacked mirror was one of the two servers used to distribute the download. HandBrake also published the SHA-1 and SHA-256 cryptographic hashes of the infected variant so that users could determine whether their particular copy of the application was the infected one.
The Infected Hashes in Question
How does Proton-Handbrake Work?
On first run, the infected HandBrake displays a password prompt, decorated with the HandBrake logo, asking the user for administrator access. Once permission is given, the application installs in:
In particular, seeing activity_agent in the macOS Activity Monitor was a solid tell of infection, as that process keeps running even after the HandBrake application is quit. The administrator credentials grant the malware elevated privileges to download, install and run further scripts and applications, deepening the infection and compromising the privacy and security of the user's data.
What is Proton? What Can It Do?
As for what Proton.OSX does, the malware is a Remote Access Trojan, sold and distributed for the purpose of logging, spying on and storing users' activities and passwords through keylogging, remote upload/download of files, screenshots, and direct SSH/VNC access.
According to Threatpost, this particular variant of Proton was signed with a genuine Apple code-signing certificate, which helped it evade detection on infected machines and added a further level of sophistication to the Trojan's activity. This is one reason the malware has been priced at around 100 bitcoins (163,000 USD) on the black market.
Users who downloaded HandBrake between May 2nd and 6th should check their hashes and scan their systems, as well as change any online passwords they used during the infection period (after first removing the malware). Users should also check whether any other malware was installed on their Mac after infection, since the backdoor access could have been used to drop additional payloads. Finally, anyone running HandBrake on a Mac in a corporate or business setting should inform their IT department of any recent suspicious activity and of the existence of the Proton-infected HandBrake, so that the company's data and the integrity of its devices can be protected.
How to Check My Hash In Case of Infection?
To check your own hash, enter the following in the Terminal app (located in Utilities) and compare the output to the hashes HandBrake provided (and as seen on this page). If there is a match, delete your copy of the .dmg file, scan with an up-to-date anti-virus/anti-malware application, re-download a newer version of the application and confirm that its hash does not match the infected one.
shasum -a 1 /path/to/HandBrake-<version>.dmg
shasum -a 256 /path/to/HandBrake-<version>.dmg
Where /path/to/ is the folder the .dmg is stored in and <version> is the version you downloaded (for example HandBrake-1.0.7.dmg). The first command prints the SHA-1 hash and the second the SHA-256 hash, matching the two hashes HandBrake published; shasum with no -a flag defaults to SHA-1.