Mac OSX Trojan malware spread via compromised software downloads

Supply-chain attack saw data-stealing Proton RAT loaded into legitimate downloads of Elmedia Player and Folx applications by Eltima Software.
Written by Danny Palmer, Senior Writer

Elmedia Player downloads were compromised with Trojan malware.

Image: Getty

Downloads of a popular Mac OSX media player and an accompanying download manager were infected with trojan malware after the developer's servers were hacked.

Elmedia Player by software developer Eltima boasts over one million users, some of whom may have also unwittingly installed Proton, a Remote Access Trojan which specifically targets Macs for the purposes of spying and theft. Attackers also managed to compromise a second Eltima product - Folx - with the same malware.

The Proton backdoor provides attackers with an almost full view of the compromised system, allowing the theft of browser information, keylogs, usernames and passwords, cryptocurrency wallets, macOS keychain data and more.

In an email to ZDNet, an Eltima spokesperson said that the malware was distributed with downloads as a result of their servers being "hacked" after attackers "used a security breach in the tiny_mce JavaScript library on our server".

The compromise came to light on October 19, when cyber security researchers at ESET noticed that Elmedia Player was distributing the Proton trojan. Users are warned that if they downloaded the software from Eltima on that day before 3:15pm EDT, their system may have been compromised by the malware.

If any of the following files or directories are on the system, it means the trojanised version of Elmedia Player is installed on the system.

  • /tmp/Updater.app/
  • /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
  • /Library/.rand/
  • /Library/.rand/updateragent.app/

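The four indicators above can be checked with a short script rather than by hand. The following is an added example written for this article; it is not ESET's or Eltima's tooling, and the function names and the `ELMEDIA_IOC_NO_MAIN` variable are this example's own. The `ROOT` argument is an assumption that lets the same check be pointed at a mounted disk image or a test directory instead of the live filesystem. Absence of these paths does not prove a machine is clean, so a download made in the affected window should still be treated as described later in the article.

```shell
#!/bin/sh
# Added example (not from the article, ESET or Eltima): looks for the four
# Elmedia Player / Proton indicators of compromise listed in the article.
# ROOT (optional first argument) defaults to "/" so the live system is
# checked; pass a mounted image or test tree to check that instead.

# Indicators exactly as listed in the article; the trailing slash on the
# directory entries is dropped so that "test -e" matches them.
ELMEDIA_IOCS="
/tmp/Updater.app
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand
/Library/.rand/updateragent.app
"

# count_elmedia_iocs [ROOT]
# Prints the number of indicators present under ROOT (0 when none).
count_elmedia_iocs() {
    root="${1:-/}"
    root="${root%/}"              # strip trailing slash so paths join cleanly
    n=0
    for ioc in $ELMEDIA_IOCS; do
        if [ -e "$root$ioc" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# check_elmedia_iocs [ROOT]
# Prints each indicator found and returns 0 when none are present,
# 1 when at least one is (i.e. the trojanised version is installed).
check_elmedia_iocs() {
    root="${1:-/}"
    root="${root%/}"
    found=0
    for ioc in $ELMEDIA_IOCS; do
        if [ -e "$root$ioc" ]; then
            echo "FOUND: $root$ioc"
            found=$((found + 1))
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "No Proton indicators found under ${root:-/}"
        return 0
    fi
    echo "$found indicator(s) present; treat the system as compromised"
    return 1
}

# When run as a script, check the live system (or the directory given as
# the first argument). Set ELMEDIA_IOC_NO_MAIN to source the functions only.
if [ -z "${ELMEDIA_IOC_NO_MAIN:-}" ]; then
    check_elmedia_iocs "${1:-/}"
fi
```

Run it with `sudo sh check_elmedia.sh` on the Mac in question (root is needed to read every path under `/Library`), or `sh check_elmedia.sh /Volumes/ImageName` against a mounted copy of the disk. A non-zero exit status means at least one indicator was present.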
Somehow, the attackers managed to build a signed wrapper around the legitimate media player which resulted in Proton being bundled along with it. Indeed, researchers say they observed the signing of the wrappers, all of which occurred with the same Apple Developer ID.

The ID has since been revoked by Apple, and Eltima and ESET are working with Apple to find out how the malicious signing was possible in the first place. An Eltima spokesperson told ZDNet that while the malicious command and control server was registered on October 15, no malware was distributed until October 19.

For those unfortunate enough to fall victim to this attack - which involved only new downloads of Elmedia Player; automatic updates weren't compromised - the only way to get rid of the malware is to undergo a full OS re-installation.

Victims are also warned that they should take "appropriate measures" to ensure that their data can't be exploited by attackers.

Users are now able to download a clean version of Elmedia Player from the Eltima website, which ESET says is now free of compromise.

In response to the incident, Eltima says it has taken action to protect against future attacks and improve server security.
An Apple spokesperson told ZDNet that "at this stage we have nothing to add".

It isn't the first time Proton has been distributed via a supply-chain attack. In May, users who had recently downloaded the Handbrake video transcoder for Apple Mac were warned that there was a 50/50 chance of having downloaded the application from a compromised mirror serving up the OSX Trojan.
