The maintainers of the open source HandBrake video transcoder are warning anyone who recently downloaded the Mac version of the tool that they are likely infected with malware.
HandBrake warned users on Saturday of a compromise of one of its mirror download servers, and said anyone who grabbed the software between May 2 and May 6 may have also downloaded a variant of the OSX.PROTON Trojan onto their Mac.
“Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan,” the advisory said. “You have a 50/50 chance if you’ve downloaded HandBrake during this period.”
Apple, however, has since pushed out an XProtect signature preventing any new infections. HandBrake, meanwhile, advises its users to also change all passwords in their OSX KeyChain or passwords stored in their browsers.
HandBrake is free software used to convert video from a variety of formats to a supported codec. There are Windows, Mac and Linux versions. The warning was for the Mac version only. The maintainers advise verifying the SHA1 or SHA256 sum of the downloaded file before running it.
The bad SHA checksums are:
“If you see a process called ‘activity_agent’ in the OSX Activity Monitor application, you are infected,” the advisory said.
Proton is a remote access Trojan, or RAT, sold on Russian underground forums. Researchers at Sixgill published an analysis of the Mac malware, which is used to spy on the victim’s activities; it can log keystrokes, upload files to remote machines, download files from the web, take screenshots and connect directly via SSH or a remote admin tool such as VNC.
“The malware is shipped with genuine Apple code-signing signatures,” the Sixgill report said. “This means the author of Proton RAT somehow got through the rigorous filtration process Apple places on MAC OS developers of third-party software, and obtained genuine certifications for his software.”
The price, according to the researchers, is steep at around 100 Bitcoin ($163,600 today).
Patrick Wardle, a Mac security expert, said on the Objective-See blog on Saturday that the Proton variant has zero coverage on VirusTotal by antimalware engines. Wardle noted that when the infected HandBrake app runs, it asks for the user’s credentials via a phony authentication popup.
“If the user is tricked into providing a user name and password, the malware will install itself,” Wardle said, adding that the credentials allow the malware to escalate privileges.
By compromising the HandBrake mirror, the attackers were able to follow the road map laid out by other Mac malware such as KeRanger, which infected the legitimate BitTorrent client Transmission, developed by the same original author. The HandBrake team said it does not share infrastructure with Transmission.
“The HandBrake team is independent of the Transmission developers,” HandBrake said in its advisory. “The projects share history in the sense that the same author created these apps but he’s not part of the current HandBrake team of developers. We do not share our virtual machines with the Transmission project.”
HandBrake also provided instructions for removing the Trojan from the Terminal application.
“The download mirror server is going to be completely rebuilt from scratch so downloads may be a little slower than usual while the main picks up the load,” HandBrake said. “During this time, older versions of HandBrake may not be available