2017-05-07

If you recently downloaded the HandBrake app for Mac, then there's a good chance your system is infected with a nasty Remote Access Trojan (RAT).

On Saturday, the HandBrake team posted a security alert after learning one of the mirror download servers was hacked. The attacker replaced the Mac version of the HandBrake client with a malicious version.

In case you don’t know, HandBrake is an open source video transcoder app which allows users to convert video to other formats.

The HandBrake team said an attacker compromised the download mirror server at download.handbrake.fr and replaced the HandBrake-1.0.7.dmg installer file with a version infected with a new variant of the Proton RAT.

Mac OS Proton RAT

The Mac malware was first spotted in February on a Russian cybercrime message board, where the Trojan's author claimed it was completely undetectable by Mac OS anti-virus solutions. Although the original post by security researchers at Sixgill has disappeared, the accompanying report (pdf) on the new Mac OS RAT said the real threat was that the malware "shipped with genuine Apple code-signing signatures." The researchers suspected the RAT exploited an unpatched zero-day flaw. Worth keeping in mind: a valid Apple developer signature only tells Gatekeeper that the binary was signed with a certificate Apple issued to someone; it says nothing about whether the code is benign, and a stolen or fraudulently obtained certificate passes that check just as well.

According to the Sixgill report:

The malware includes root-access privileges and features allowing an attacker to obtain full control of the victim’s computer. Its capabilities include: running real-time console commands and file-manager, keylogging, SSH/VNC connectivity, screenshots, webcam operation and the ability to present a custom native window requesting information such as a credit-card, driver’s license and more. The malware also boasts the capability of iCloud access, even when two-factor authentication is enabled.

The malware author's promotional video showed the installation process for "Proton – complete macOS solution for remote control & surveillance."

The malware author was originally asking an exorbitant amount of money for Proton. A signed version, with full source code, to remotely control an infinite number of Macs on an attacker’s server cost 666 BTC (which is currently equal to about $1,051,534). The standard edition of Proton was much cheaper, 1 BTC for an unsigned version to control one Mac; 2 BTC for a signed version of that. The top of the line standard edition would set cyber crooks back 66 BTC to remotely control an infinite number of Macs and 76 BTC for the version signed with “genuine Apple certifications.”

Fast forward to now and we see the Proton RAT (OSX.PROTON) being distributed through a compromised mirror server for a popular Mac app.

Check if Mac is infected with the Proton RAT and removal process

The HandBrake team warned that users who downloaded HandBrake for Mac between 10:30 a.m. EDT (14:30 UTC) on May 2 and 7:00 a.m. EDT (11:00 UTC) on May 6 have a “50/50 chance” of their Mac being infected.

The advisory explained how to check whether a Mac was infected. It gives the checksum of the malware-tainted installer so the downloaded file can be compared against it, and it also includes a simpler test for less technical users: "If you see a process called 'Activity_agent' in the OSX Activity Monitor application, you are infected."

The HandBrake team included removal instructions for Macs which have been compromised. Removing the RAT is not enough, though: any credentials stored on the machine should be treated as stolen. "Based on the information we have, you must also change all the passwords that may reside in your OSX KeyChain or any browser password stores."

The affected server has been shut down for investigation; it wasn't the primary download mirror or the main HandBrake site. Users who updated through the built-in updater from version 1.0 or later should also be safe, since the updater verifies a DSA signature on each download and a tampered package reportedly would not pass that check. That protection only covers the updater, however: a DMG fetched manually from a mirror is never run through it, which is why a swapped installer on the mirror is not caught by it.

Apparently unhappy with the news coverage, the HandBrake team clarified that it is independent of the Transmission developers. The team noted, "The projects share history in the sense that the same author created these apps, but he is not part of the current HandBrake team of developers. We do not share our virtual machines with the Transmission project."

Why would they need to add that? As reported by Bleeping Computer, the Transmission Mac client's download was hacked and replaced with the KeRanger ransomware in March 2016, and hacked again a few months later, when the download was replaced with the Keydnap infostealer.