Compromised Download Server Infects Handbrake Users with Malware
People with an extensive DVD or Blu-ray collection can enjoy a wide variety of media at home, but what happens when you want to take it with you? The simple solution is to “rip” your favorite DVDs into digital media files you can play back on your MacBook or store on your home media server. Many Mac users do this, and most of them use the popular HandBrake software to digitize their discs. Unfortunately, attackers recently compromised one of HandBrake’s download servers. For four days, an unknown number of users downloaded and installed an unwelcome addition — a powerful malware package known as Proton. At the time, it went undetected.
The infected installer showed users a prompt requesting their Mac admin password. Anyone who supplied it sent the password straight to the attackers controlling the malware. Once fully installed, Proton immediately hunts for sensitive user data to send to its home server: keychains, your web browser’s saved form data (passwords, credit card numbers), and even the secure vaults of password managers. Because the admin password was handed over as well, it’s safe to assume the attackers can unlock all of the other sensitive data stolen from your Mac. Proton often carries other features too, such as keylogging, but this version appears focused on password theft.
Who was affected? Mac users who downloaded HandBrake version 1.0.7 between May 2 and May 6 may have received an infected download. In addition, any users still running the outdated version 0.10.5 would also have picked up the malware through its insecure automatic update process. How can you tell if you’re infected?
There are two easy ways to discover whether the malicious code is present. Check Activity Monitor: if you see a process called “activity agent,” the malware is running. A file called proton.zip in the VideoFrameworks folder within your Library folder is another sign of infection. If you spot either, take corrective action immediately. MacScan 3 has been updated to detect and remove this version of Proton. Users can also remove the “activity agent” launch agent from the LaunchAgents folder and delete the similarly named app in /Library/RenderFiles.
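The checks just described, as an added example script that is not from the original post, HandBrake or MacScan: given a prefix (a home directory, or "" for the system /Library tree) it looks for the proton.zip archive, an “activity agent” launch agent and the RenderFiles app, and separately for the running process. Name matching is deliberately loose, since the article gives only the “activity agent” label, and the file paths are the article’s, not an assumed full list.

```shell
#!/bin/sh
# Added example: a defensive check for the Proton indicators the article lists.
# PREFIX is assumed to be a home directory ("" for the system /Library tree).

# proton_file_indicators PREFIX
# Prints each matching artefact under PREFIX/Library and returns 1 if any was
# found, 0 if the tree looks clean.
proton_file_indicators() {
    prefix=$1
    found=0
    # Dropped archive named in the article: Library/VideoFrameworks/proton.zip
    if [ -f "$prefix/Library/VideoFrameworks/proton.zip" ]; then
        echo "INDICATOR: $prefix/Library/VideoFrameworks/proton.zip"
        found=1
    fi

    # Persistence: any LaunchAgents plist that is named after, or refers to,
    # "activity agent" (matched loosely so the exact filename need not be known)
    for plist in "$prefix"/Library/LaunchAgents/*.plist; do
        [ -f "$plist" ] || continue
        case "$plist" in
            *activity*agent*) echo "INDICATOR: $plist"; found=1 ;;
            *) if grep -qi 'activity[ _]agent' "$plist" 2>/dev/null; then
                   echo "INDICATOR: $plist"; found=1
               fi ;;
        esac
    done

    # Payload: the similarly named app bundle under Library/RenderFiles
    for app in "$prefix"/Library/RenderFiles/*activity*agent*; do
        [ -e "$app" ] || continue
        echo "INDICATOR: $app"
        found=1
    done
    return $found
}

# proton_process_running: returns 0 if the "activity agent" process the
# article says to look for in Activity Monitor is currently running.
proton_process_running() {
    pgrep -fi 'activity[ _]agent' >/dev/null 2>&1
}

# Stand-alone run: check the current user's home and the system /Library tree.
hits=0
proton_file_indicators "$HOME" || hits=1
proton_file_indicators "" || hits=1
proton_process_running && { echo "INDICATOR: 'activity agent' process is running"; hits=1; }
[ "$hits" -eq 0 ] && echo "No Proton indicators found"
```

Run it as the affected user; a hit means the credentials the article describes were already exposed, so cleaning up the files alone does not revoke them.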
Will we see more Proton infections in the future? It’s possible. Unfortunately for end users, this attack would have been very difficult to avoid in the first place. As with last year’s Transmission ransomware attack, users get little indication that a download server has been compromised. That is why we always strongly recommend installing anti-malware software and scanning regularly.