SecureMac, Inc.

Computer security news. Just for Macs.

Get the latest computer security news for Macs and be the first to be informed about critical updates. Industry news, security events and all you need right at your fingertips. Malware threats change daily, so keep up to date on the latest developments to help ensure your privacy and protection. You can never be too safe.

Compromised Download Server Infects Handbrake Users with Malware

Posted on May 30, 2017

People with an extensive DVD or Blu-Ray collection can enjoy a wide variety of media at home, but what happens when you want to take it with you? The simple solution is to “rip” your favorite DVDs to create digital media files you can play back on your MacBook, or perhaps store on your home media server. Many Mac users dabble with this. Most people use the popular software, Handbrake, to digitize their media. Unfortunately, hackers recently compromised one of Handbrake’s download servers. For four days, an unknown quantity of users downloaded and installed an unwelcome addition — a powerful malware package known as Proton. At the time, it went undetected.

Users of the infected installer saw a prompt that requested their Mac admin password. If supplied, the hackers controlling the malware received the password immediately. Once fully installed, it immediately searches out sensitive user information to send to its home server. This data includes keychains, the saved form data of your web browser (i.e. passwords, credit card numbers), and even the secure vaults for password managers. Since you already gave up your admin password, it’s safe to assume they can access all the other sensitive data stolen from your Mac. Proton often has many other features embedded as well, like keylogging. This version, though, seems focused on password theft.

Who was affected? Mac users who downloaded Handbrake version 1.0.7 between May 2 and May 6 may have received an infected download. Additionally, any users still running the outdated version 0.10.5 would also have contracted the malware via an insecure automatic update process. How can you tell if you’re infected?

There are two easy ways to discover if you have the malicious code. Check your Activity Monitor, and if you see a process called “activity agent,” you’ve been hit with the malware. A file called proton.zip in the VideoFrameworks folder within the Library is also a sign of an infection. If you spot these files, take corrective action immediately. MacScan 3 has been updated to detect and remove this version of Proton. Users can also remove the “activity agent” file from the Launch Agent and delete the similarly-named app file in /Library/RenderFiles.

Will we see more infections from Proton in the future? It’s possible. Unfortunately for end users, it would have been very difficult to avoid this attack in the first place. Much like with last year’s Transmission ransomware attack, users have little indication when a download server is compromised. It’s for that reason we always strongly recommend you install anti-malware software and scan regularly.

Join our mailing list for the latest security news and deals