SecureMac, Inc.

Recent Downloads from Eltima Software Were Infected with Malware

October 30, 2017

If you recently downloaded Elmedia Player or Folx—two Mac OS X programs from German-based developer Eltima Software—then your Mac may be infected with malware. According to a report from ZDNet, hackers recently managed to breach the Eltima Software servers. The hackers bundled Elmedia Player and Folx with a Mac OS X Trojan called Proton.

Elmedia Player is a popular media player app that Eltima says is capable of recognizing “any file format you probably may think of.” The app also allows for HD video playback with no slowdowns and automatically fixes issues with video and audio syncing. Folx is a download manager that users can implement for torrent downloads. Both programs were compromised and used to distribute the Proton malware.

Proton is a Remote Access Trojan (RAT) that targets Macs. Once installed, it lets attackers spy on the system and steal sensitive information, including Keychain data, browser data, usernames, passwords, and keystroke logs. It is the same Trojan that was distributed through the HandBrake server compromise a few months ago.

ZDNet says that the hackers built a “wrapper” around the media player and download manager apps and signed it with a valid Apple Developer ID certificate. As a result, even though the wrapper bundled malicious software with Eltima’s genuine programs, Apple’s systems (including Gatekeeper, which trusts Developer ID-signed software) did not flag it. Apple has since revoked that Developer ID, and Eltima says it has taken steps to prevent future attacks against its servers.

Eltima says that all of the infected downloads happened on a single day: October 19, 2017. Users who downloaded Elmedia Player or Folx before 3:15 p.m. EDT on that day are likely infected; users who downloaded the software after 3:15 p.m. EDT should be in the clear. Proton was bundled only with new downloads, so users who updated an existing installation of Elmedia Player or Folx on October 19 should also be safe.

Users can check whether they were infected by looking for the following files and folders on their systems:

  • /tmp/Updater.app/
  • /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
  • /Library/.rand/
  • /Library/.rand/updateragent.app/
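
The following script is an added example (it is not part of the SecureMac article and is not Eltima’s code) that checks a system for the four artifacts listed above and, on macOS, reports whether the malicious launch agent is loaded. The optional PREFIX argument and the PROTON_ROOT environment variable are assumptions of this example so that the same check can be pointed at a mounted volume or a test tree; with no prefix the running system is examined.

```shell
#!/bin/sh
# Added example (not from the SecureMac article or Eltima): check a Mac for the
# OSX/Proton artifacts listed in the article. PREFIX and PROTON_ROOT are
# assumptions of this example so the check can be run against a mounted volume
# (e.g. a second Mac's disk) or a test tree; with no prefix, "/" is examined.

PROTON_IOCS="/tmp/Updater.app \
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist \
/Library/.rand \
/Library/.rand/updateragent.app"

# check_proton_iocs [PREFIX]
# Prints one line per artifact present under PREFIX. Returns 1 if any artifact
# was found (likely infected) and 0 if none was (clean).
check_proton_iocs() {
    prefix="${1:-}"
    found=0
    for ioc in $PROTON_IOCS; do
        # -e matches both files and directories; .app bundles are directories.
        if [ -e "$prefix$ioc" ]; then
            echo "FOUND: $prefix$ioc"
            found=1
        fi
    done
    return "$found"
}

# On macOS, also report whether the malicious launch agent is currently loaded
# for this user. launchctl exists only on macOS, so the check is skipped
# elsewhere and never changes the result of check_proton_iocs.
report_loaded_agent() {
    command -v launchctl >/dev/null 2>&1 || return 0
    launchctl list 2>/dev/null | grep -i 'com\.Eltima\.UpdaterAgent' || true
}

if check_proton_iocs "${PROTON_ROOT:-}"; then
    echo "No Proton indicators found under '${PROTON_ROOT:-/}'."
else
    echo "Proton indicators present: reinstall the OS and rotate all passwords."
    report_loaded_agent
fi
```

Run it as `sh proton_check.sh` on the suspect Mac, or as `PROTON_ROOT=/Volumes/SuspectDisk sh proton_check.sh` against a volume mounted from another machine; a finding is a strong indicator, but the absence of these four paths does not prove a machine downloaded a clean copy, so the download-time window above still applies.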

At this time, infected users will need to perform a full OS X or macOS reinstallation to resolve the issue; no known antivirus program can remove the Trojan.

Users infected with Proton should also take precautionary steps to limit the damage. Because the Trojan steals Keychain data and credentials, changing all passwords, including Apple ID and iCloud passwords, Keychain passwords, banking passwords, and email passwords, is a smart first step once the system has been reinstalled.

Sources:
https://mac.eltima.com/media-player.html

https://www.macrumors.com/2017/10/20/eltima-software-infected-with-malware/

http://www.zdnet.com/article/trojan-malware-for-mac-osx-spread-via-compromised-media-player-downloads/
