HandBrake is an extremely popular piece of video transcoding software because it’s cross-platform, open source, and free. However, it was also recently compromised by malware. Users of the software were alerted recently that one of HandBrake’s download mirrors was infiltrated between May 2nd and 6th. Anyone who downloaded the macOS version of HandBrake during that time may have picked up a nasty Trojan.
The maintainers of HandBrake report that one of the two download mirrors the project uses was affected, but the main HandBrake website and its primary mirror were not. The affected domain (download.handbrake.fr) has been shut down pending an investigation. Anyone who downloaded the app during that window is advised to do a little detective work to find out whether they were infected.
The legitimate installer (HandBrake-1.0.7.dmg) was apparently replaced on May 2nd with a file containing a macOS Trojan called OSX.PROTON. The SHA1 checksum of that file does not match the value HandBrake publishes, so anyone who still has the download can compare checksums to see whether it is actually malware. Likewise, anyone who installed HandBrake during that time can check Activity Monitor for a process named “activity_agent.” That process is spawned by OSX.PROTON and is what lets it spy on the system.
OSX.PROTON is a remote access Trojan sold frequently on underground Russian malware forums. It’s not cheap, either. The authors of OSX.PROTON reportedly demand as much as 100 Bitcoins (about $163,000) for the software. Once installed on a computer, OSX.PROTON can monitor keystrokes, steal files, download new files from URLs, and take screenshots of the machine. It is even signed with a genuine Apple code-signing certificate, so no red flags go up during installation. It’s one of the worst-case scenarios when it comes to malware infection. Anyone who might be infected is advised to change their passwords immediately using a different device, then clear the infection from the computer.
HandBrake provides instructions on how to remove OSX.PROTON from an infected computer, but the alert was only posted on HandBrake’s forums. It’s likely many of those infected will never hear about the security breach. One bit of good news is that Apple has pushed an update to XProtect that blocks any future installations of OSX.PROTON.
The HandBrake developers are in the process of revamping their download server to ensure this doesn’t happen again. Downloads might be a little slower while that’s happening, and archived versions of HandBrake won’t be available.