The HandBrake team issued a security alert on Saturday, warning Mac users that one of its download mirror servers has been compromised by hackers.
In case you aren't aware, HandBrake is an open source video transcoder app that allows Mac users to convert multimedia files from one format to another.
According to the HandBrake team, an unknown hacker or group of hackers compromised the download mirror server (download.handbrake.fr) and then replaced the Mac version of the HandBrake client (HandBrake-1.0.7.dmg) with a malicious version infected with a new variant of Proton.
Originally discovered in February on a Russian underground hacking forum, Proton is a Mac-based remote access trojan that gives attackers root access privileges to the infected system.
The affected server has been shut down for investigation, but the HandBrake team is warning that anyone who has downloaded HandBrake for Mac from the server between May 2 and May 6, 2017, has a "50/50 chance" of getting their Mac infected by Proton.
How to Check if You're Infected?
The HandBrake team has provided instructions that less technical users can follow to check whether they have been infected.
Open the OS X Activity Monitor application; if you see a process called "Activity_agent" there, you are infected with the trojan.
You can also check the hash of the file you downloaded to verify whether it is the malicious copy. The infected app has the following checksum:
SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
If you have installed a HandBrake.dmg with the above checksum, you are infected with the trojan.
How to Remove the Proton RAT?
The HandBrake developers have also included removal instructions for Mac users who have been compromised.
Follow these instructions to remove the Proton RAT from your Mac:
Step 1: Open up the "Terminal" application and run the following commands:
launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app
Step 2: If ~/Library/VideoFrameworks/ includes proton.zip, remove the folder.
Step 3: Once done, you should remove any installations of Handbrake.app you may find.
Do not stop there, however: as an extra security measure, go to your settings and change all the passwords that are stored in your OS X KeyChain or any browser password stores.
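The checks from "How to Check if You're Infected?" and the file locations from the removal steps can be combined into one read-only scan. This is an added example, not a script from the HandBrake team: the function names and the script name check_proton.sh are assumptions, and it only reports findings without deleting anything.

```bash
#!/usr/bin/env bash
# Added example: read-only check for the indicators named in this article.
BAD_SHA1="0935a43ca90c6c419a49e4f8f1d75e68cd70b274"  # SHA1 quoted in the article
PROC_NAME="Activity_agent"                            # process name from the article

# Print the SHA-1 of a file (shasum ships with macOS, sha1sum with Linux).
sha1_of() {
  if command -v shasum >/dev/null 2>&1; then shasum -a 1 "$1" | awk '{print $1}'
  elif command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | awk '{print $1}'
  else return 2
  fi
}

# Succeeds only if the file exists and its SHA-1 equals the published bad hash.
dmg_is_infected() {
  [ -f "$1" ] || return 1
  [ "$(sha1_of "$1")" = "$BAD_SHA1" ]
}

# Succeeds if a process with the trojan's name is running (needs pgrep).
process_running() { pgrep -x "$PROC_NAME" >/dev/null 2>&1; }

# Print every artifact from the removal steps that exists under home dir $1.
disk_artifacts() {
  local p
  for p in Library/LaunchAgents/fr.handbrake.activity_agent.plist \
           Library/RenderFiles/activity_agent.app \
           Library/VideoFrameworks/proton.zip; do
    if [ -e "$1/$p" ]; then printf '%s\n' "$1/$p"; fi
  done
}

# Report all findings; returns 0 when clean, 1 when any indicator is present.
# $1 = home directory to inspect, $2 = optional path to a downloaded .dmg.
proton_scan() {
  local hits=0 found
  if process_running; then echo "[!] $PROC_NAME is running"; hits=1; fi
  found="$(disk_artifacts "$1")"
  if [ -n "$found" ]; then echo "[!] artifacts on disk:"; echo "$found"; hits=1; fi
  if [ -n "${2:-}" ] && dmg_is_infected "$2"; then
    echo "[!] $2 matches the malicious SHA1"; hits=1
  fi
  if [ "$hits" -eq 0 ]; then echo "[ok] none of the article's indicators found"; fi
  return "$hits"
}

# Run as: bash check_proton.sh --scan [path/to/HandBrake.dmg]
if [ "${1:-}" = "--scan" ]; then proton_scan "$HOME" "${2:-}"; fi
```

A clean result covers only the indicators listed here, so it does not replace the password changes described above if the affected download was ever run.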
Meanwhile, Mac users who have updated to HandBrake version 1.0 or later are not affected by the issue, as it uses DSA signatures to verify the downloaded files, so a malware-tainted version reportedly would not pass the DSA verification process.