Software Download Mirror Distributes Mac Malware
8.5.2017 securityweek Apple
A download mirror server for the video converting tool HandBrake was recently compromised and configured to distribute a remote administration Trojan (RAT) for Mac computers.
The company has posted a security alert on its website, informing Mac users that from Tuesday to Saturday of last week they might have downloaded a Trojanized version of the application. According to HandBrake, while not all users might have been affected, all of them should verify the downloaded file before running it.
“Anyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1 / 256 sum of the file before running it. Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have a 50/50 chance if you've downloaded HandBrake during this period,” the company says.
The company notes that its primary download mirror and website were unaffected. Only the download mirror at download.handbrake.fr was compromised, and it has already been shut down for investigation. HandBrake says it is rebuilding the download mirror server, which might affect performance and the availability of old versions of HandBrake.
Downloads made through the application’s built-in updater are unaffected for versions 1.0 and later, but the updater in 0.10.5 and earlier does not verify downloads with a DSA signature, so users of those versions should check their systems for malicious versions.
HandBrake also detailed a series of steps users should follow to clean up their systems in the event of infection. It also notes that impacted users should “change all the passwords that may reside in [their] OSX KeyChain or any browser password stores.”
To check whether they are affected, users should look for a process called “Activity_agent” in the OSX Activity Monitor application. If it is present, the system is infected with the malware.
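The two checks HandBrake’s alert asks for, verifying the downloaded file’s SHA-256 against the published sum and looking for the “Activity_agent” process, as an added shell example for the command line; this is not HandBrake’s own tooling or code from this article. The expected-hash argument is a placeholder for the value published on handbrake.fr, and the function names (`verify_download`, `process_running`, `check_for_proton`) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not HandBrake's tooling: verify a downloaded installer's
# SHA-256 against the project's published value, then look for the
# "Activity_agent" process that HandBrake's alert names as the indicator.

# Compute the SHA-256 of a file with whichever tool the host provides
# (coreutils sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_download FILE EXPECTED_SHA256
# Returns 0 only when FILE hashes to EXPECTED_SHA256 (the value from the
# project's download page, supplied by the caller). Comparison is
# case-insensitive because published sums are sometimes upper-case.
verify_download() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: do not open $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# process_running NAME
# Returns 0 if a process whose command name is exactly NAME is running.
# `ps -A -o comm=` is POSIX; macOS prints the full executable path in that
# column, so the directory part is stripped before comparing.
process_running() {
    ps -A -o comm= 2>/dev/null | awk -F/ '{print $NF}' | grep -qx -- "$1"
}

# check_for_proton
# Command-line equivalent of looking for "Activity_agent" in Activity Monitor.
check_for_proton() {
    if process_running "Activity_agent"; then
        echo "WARNING: Activity_agent is running; follow HandBrake's cleanup steps" >&2
        return 1
    fi
    echo "no Activity_agent process found"
    return 0
}

# Usage: sh check_handbrake.sh HandBrake-1.0.7.dmg <SHA-256 from handbrake.fr>
if [ "$#" -eq 2 ]; then
    verify_download "$1" "$2"
    check_for_proton
fi
```

The hash check only helps when the expected value comes from a source the attacker could not also have replaced, which is why HandBrake points users at sums published on its main site rather than on the compromised mirror. The process check is a point-in-time indicator: a clean result says only that nothing by that name is running at that moment, so an affected user should still work through the cleanup steps and the password rotation the advisory recommends.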
The actors who managed to compromise the download mirror replaced the legitimate HandBrake file on the server with one packing a new variant of OSX.Proton RAT that was detailed in March this year. The threat was discovered on a closed Russian cybercrime message board, where it was offered at 2 Bitcoins (around $2,500) for single installations.
At the time, the malware was being advertised as “a professional FUD surveillance and control solution” that included root-access privileges and features. The RAT was said to provide operators with full control over the infected machines and to allow them to monitor keystrokes, take screenshots, and even execute commands.
According to objective-see.com, the variant of Proton being distributed through the compromised HandBrake mirror is almost identical to the initial version, except that the screenshot-taking capability is now missing.
The malware has a very low detection rate on VirusTotal, but Apple has already released an XProtect signature for it, which should help keep users protected.