Mac app developers issue malware warning after server compromise

Those who downloaded HandBrake between certain dates have a '50/50 chance' of being infected with a Remote Access Trojan.

Users who've recently downloaded the Handbrake video transcoder app for Apple Mac may have been infected with Trojan malware.

The creators of the app have issued a statement warning that anyone who downloaded HandBrake for Mac between 2 May (14:30 UTC) and 6 May (11:00 UTC) from the download.handbrake.fr mirror could be at risk.

"Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have a 50/50 chance if you've downloaded HandBrake during this period," said the creators of HandBrake.

Those infected are at risk of cyberthieves stealing login credentials from OSX Keychain, Apple's password management system, or passwords stored in any browser.

Anyone who downloaded Handbrake from the 'download.handbrake.fr' mirror is at risk -- and those who see a process called "Activity_agent" in the OSX Activity Monitor application are infected with the Trojan and should change all their passwords.

The specific malware variant which Handbrake users may have found themselves targeted by is a variant of the MacOS Proton RAT, regularly touted on Russian underground forums as a way to compromise Mac machines for the purposes of spying and theft.

Proton RAT is capable of activities including keylogging, screenshot capture, webcam operation, and more, providing a veritable treasure trove of information to spies and cybercriminals.

By a method not yet determined, those behind the compromise managed to replace the HandBrake Apple Disk Image file (HandBrake-1.07.dmg) on the mirror with a malicious file that installs the Trojan. Those who have been compromised by the malware should open the Terminal application and run the following commands, and only then remove any "HandBrake.app" installations on the system.

  • launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
  • rm -rf ~/Library/RenderFiles/activity_agent.app
  • if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
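
The indicators the article gives (the activity_agent process, the launch agent plist, the activity_agent.app bundle and proton.zip) can be turned into a quick self-check. The script below is an added example written for this article; it is not code from the HandBrake project or from the advisory. The function names, the optional home-directory argument (used to scan a copied home tree or a test directory) and the RUN_LIVE_CHECK switch are assumptions; the file paths, the process name and the cleanup commands are the ones the article lists.

```shell
#!/bin/sh
# Self-check for the HandBrake/Proton RAT indicators named in the advisory.
# Paths and process name come from the article; everything else is assumed.

# Usage: handbrake_ioc_check [home_dir]
#   home_dir defaults to $HOME. When a directory is given, only the on-disk
#   indicators are checked (useful for a mounted or copied home tree); with no
#   argument the running process list is checked as well.
# Prints one FOUND line per indicator; returns 0 when clean, 1 when infected.
handbrake_ioc_check() {
    home="${1:-$HOME}"
    found=0
    if [ -f "$home/Library/LaunchAgents/fr.handbrake.activity_agent.plist" ]; then
        echo "FOUND: launch agent $home/Library/LaunchAgents/fr.handbrake.activity_agent.plist"
        found=1
    fi
    if [ -e "$home/Library/RenderFiles/activity_agent.app" ]; then
        echo "FOUND: $home/Library/RenderFiles/activity_agent.app"
        found=1
    fi
    if [ -e "$home/Library/VideoFrameworks/proton.zip" ]; then
        echo "FOUND: proton.zip in $home/Library/VideoFrameworks/"
        found=1
    fi
    # Process check only makes sense on the live machine, so skip it when a
    # directory argument was supplied. ps -eo comm= works on macOS and Linux.
    if [ -z "$1" ] && ps -eo comm= 2>/dev/null | grep -qi 'activity_agent'; then
        echo "FOUND: activity_agent process is running"
        found=1
    fi
    return $found
}

# Remediation steps exactly as the advisory lists them (macOS only; run on a
# machine where handbrake_ioc_check reported FOUND). HandBrake.app itself is
# removed afterwards by hand, as the article says.
handbrake_ioc_remove() {
    launchctl unload "$HOME/Library/LaunchAgents/fr.handbrake.activity_agent.plist"
    rm -rf "$HOME/Library/RenderFiles/activity_agent.app"
    if [ -e "$HOME/Library/VideoFrameworks/proton.zip" ]; then
        rm -rf "$HOME/Library/VideoFrameworks"
    fi
}

# Run the live check only when asked, e.g. RUN_LIVE_CHECK=1 sh check.sh
if [ "${RUN_LIVE_CHECK:-0}" = "1" ]; then
    if handbrake_ioc_check; then
        echo "No HandBrake/Proton indicators found."
    else
        echo "Indicators found: change all passwords, then run handbrake_ioc_remove."
    fi
fi
```

The check deliberately reports every indicator rather than stopping at the first, so a partially cleaned machine (plist unloaded but proton.zip still present) is still flagged; a clean result from this script does not replace changing the passwords that were stored in Keychain or a browser at the time of infection.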

Those behind the open source Handbrake don't yet know how the secondary download mirror was compromised, but the affected server has been shut down while the investigation is underway. Meanwhile, Apple has updated OSX's XProtect in order to enable detection of the RAT.
