A mirror download server of HandBrake, a popular open source video conversion app for Mac, has been compromised, and the legitimate app .dmg file switched with a Trojanized version containing the Proton RAT.

“Anyone who has downloaded HandBrake on Mac between and needs to verify the SHA1 / 256 sum of the file before running it,” the developers warned on Saturday, and prominently displayed a link to the alert on the project’s main page.

Only users who have downloaded the HandBrake-1.0.7.dmg file from the download mirror at are in danger. The primary download mirror and website have not been compromised.

“If you see a process called ‘Activity_agent’ in the OSX Activity Monitor application, you are infected,” the developers noted. (You can find the Activity Monitor in /Applications/Utilities.)

Proton is a Remote Access Trojan (RAT) for macOS, and was spotted being sold on underground Russian cybercrime forums earlier this year.

For 40 Bitcoins, the buyers would get unlimited installations, and the malware was signed with a legitimate Apple developer signature, so it doesn’t get blocked by Apple’s Gatekeeper technology.

The Proton RAT allows the attacker to connect remotely to the infected machine. It is also capable of monitoring keystrokes, uploading files to and downloading files from a remote machine, webcam surveillance, and more.

According to the ad, it can also present a custom native window requesting users to enter information such as a credit card number, and can access the victim’s iCloud account – even if it’s protected with 2-factor authentication.

HandBrake developers advised infected users to change all the passwords in their macOS Keychain and any of the passwords they saved in their browsers.

But before doing that, they should make sure they have booted Proton and other malware it may have installed from their machine.

For removing Proton, the developers advise opening up Terminal.app and running the following commands:

launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app

“If ~/Library/VideoFrameworks/ contains proton.zip, remove the folder, then remove any ‘HandBrake.app’ installs you may have,” they added.

For finding and removing other malware, users are advised to use a reputable AV solution for Mac to scan their system.

What is Apple doing about this?

Apple has added a signature for the initial version of Proton to XProtect, the built-in macOS anti-malware scanner. And, by now, it has added the signature for this particular Proton variant ().

But, according to Patrick Wardle, security researcher and developer of Mac security tools, that protection can be easily thwarted.

The signature is just a SHA-1 hash that matches only that specific Trojanized HandBrake binary, he noted.

“This means if the malware authors used any other infection vector, or even just recompiled the binary, this signature would no longer flag the malware.”

He demonstrated this by changing the final byte of the binary – a move that changed its SHA-1 hash – and downloading it and installing it without any problem on a clean Mac.

“The reason why Apple chose such a specific signature is that they figured any new attack would use a new distribution vector (thus would be totally different) – so they figured they just use a specific signature for this attack/attack vector.”
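The two sides of that hash argument can be seen in a few lines of shell. The script below is an added example, not code from the article, from HandBrake or from Wardle: it performs the digest comparison the HandBrake alert asks users to do on a downloaded image, and then repeats Wardle's single-byte edit to show why a scanner signature that consists only of a file hash stops matching, while the same edit is exactly what the user-side digest check catches. The sample ".dmg" is a constructed stand-in, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the article or from the HandBrake project.
# It does the check the HandBrake alert asked users to do (compare a download's
# digest with the published one) and then reproduces Wardle's observation: a
# detection signature that is only a file hash stops matching once a single
# byte of the file changes. The sample ".dmg" below is constructed, not a real
# HandBrake image, and the function names are this example's own.

# digest_of ALGO FILE -> hex digest; ALGO is 1 (SHA-1) or 256 (SHA-256).
# Uses shasum (present on macOS) and falls back to sha1sum/sha256sum.
digest_of() {
    if command -v shasum >/dev/null 2>&1; then
        shasum -a "$1" "$2" | cut -d' ' -f1
    else
        "sha${1}sum" "$2" | cut -d' ' -f1
    fi
}

# verify_download FILE EXPECTED_SHA256 -> 0 if the digests match, 1 otherwise.
# This is the integrity check: any change to the file makes it fail.
verify_download() {
    [ "$(digest_of 256 "$1")" = "$2" ]
}

# hash_signature_hits SHA1 FILE -> 0 if FILE has exactly that SHA-1, 1 otherwise.
# Models a scanner signature that is nothing more than one file hash.
hash_signature_hits() {
    [ "$(digest_of 1 "$2")" = "$1" ]
}

# flip_last_byte SRC DST -> copy SRC to DST with only the final byte changed
# (incremented modulo 256), the edit Wardle used in his demonstration.
flip_last_byte() {
    size=$(wc -c < "$1" | tr -d ' ')
    last=$(tail -c 1 "$1" | od -An -tu1 | tr -d ' \n')
    dd if="$1" of="$2" bs=1 count=$((size - 1)) 2>/dev/null
    printf "\\$(printf '%03o' $(( (last + 1) % 256 )))" >> "$2"
}

# demo -> walks through both outcomes on a constructed file; returns 0 if the
# behaviour is as described above, 1 otherwise.
demo() {
    work=$(mktemp -d)
    printf 'constructed stand-in for HandBrake-1.0.7.dmg\n' > "$work/good.dmg"
    published=$(digest_of 256 "$work/good.dmg")   # what the project would publish
    signature=$(digest_of 1 "$work/good.dmg")     # what a hash-only signature stores
    flip_last_byte "$work/good.dmg" "$work/tampered.dmg"

    bad=0
    verify_download "$work/good.dmg" "$published" && echo "good.dmg: digest matches"
    verify_download "$work/tampered.dmg" "$published" && bad=1   # must fail: change caught
    hash_signature_hits "$signature" "$work/good.dmg" && echo "good.dmg: signature hit"
    hash_signature_hits "$signature" "$work/tampered.dmg" && bad=1   # must miss: signature no longer matches
    [ $bad -eq 0 ] && echo "tampered.dmg: digest mismatch (user check catches it), signature miss (hash-only scanner does not)"
    rm -rf "$work"
    return $bad
}

case "${1:-}" in --demo) demo ;; esac
```

Run it as `sh script.sh --demo` to see both results on the constructed file; `verify_download HandBrake-1.0.7.dmg <published sha256>` is the check the alert asks for on a real download. The point of the two functions being the same comparison with different inputs is that a file hash is a good integrity check for the user, who holds the published value, and a poor detection signature for the scanner, which has no way to predict the hash of the next build.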
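The indicators and removal steps the HandBrake developers gave can be collected into one script, so that a user or an administrator can check a machine and apply the cleanup in one place. This is an added example, not code from the HandBrake project or from the article: the artifact paths and the Activity_agent process name are the ones the alert lists, while taking the home directory as an argument (so a constructed directory can be checked on a clean machine), the function names, and deleting the LaunchAgent plist after unloading it are this example's own additions.

```shell
#!/bin/sh
# Added example, not code from the HandBrake project or the article. It turns
# the indicators and removal steps quoted from the HandBrake alert into two
# functions: one that reports which Proton artifacts are present, one that
# removes them. The artifact paths and the Activity_agent process name are
# the ones the alert lists; the HOME_DIR argument, the function names and the
# deletion of the plist after unloading it (so the agent cannot be reloaded at
# next login) are this example's own additions.

# Paths relative to the home directory, as given in the HandBrake alert.
PROTON_AGENT_PLIST="Library/LaunchAgents/fr.handbrake.activity_agent.plist"
PROTON_AGENT_APP="Library/RenderFiles/activity_agent.app"
PROTON_ZIP="Library/VideoFrameworks/proton.zip"

# proton_indicators [HOME_DIR]
# Prints one line per artifact found; returns 1 if anything was found, else 0.
proton_indicators() {
    base="${1:-$HOME}"
    found=0
    for rel in "$PROTON_AGENT_PLIST" "$PROTON_AGENT_APP" "$PROTON_ZIP"; do
        if [ -e "$base/$rel" ]; then
            printf 'file: %s\n' "$base/$rel"
            found=1
        fi
    done
    # The alert's other sign is a running Activity_agent process. Only checked
    # for the real home directory, so a constructed directory can be tested
    # on a clean machine without consulting the process list.
    if [ "$base" = "$HOME" ] && ps -A -o comm= 2>/dev/null | grep -qi 'activity_agent$'; then
        printf 'process: Activity_agent\n'
        found=1
    fi
    return $found
}

# proton_cleanup [HOME_DIR]
# Applies the alert's removal steps: unload the LaunchAgent, delete the agent
# bundle (and its plist), and delete VideoFrameworks only if it holds proton.zip.
proton_cleanup() {
    base="${1:-$HOME}"
    if [ -f "$base/$PROTON_AGENT_PLIST" ] && command -v launchctl >/dev/null 2>&1; then
        launchctl unload "$base/$PROTON_AGENT_PLIST" 2>/dev/null || true
    fi
    rm -rf "$base/$PROTON_AGENT_APP" "$base/$PROTON_AGENT_PLIST"
    if [ -e "$base/$PROTON_ZIP" ]; then
        rm -rf "$base/$(dirname "$PROTON_ZIP")"
    fi
    # HandBrake.app copies are left to the user: the alert says to remove any
    # installs made from the Trojanized image, and only the user knows which.
}

# proton_lab_demo
# Plants the three artifacts in a constructed throwaway directory, prints the
# report, cleans up, and prints the report again. Never touches the real home.
proton_lab_demo() {
    lab=$(mktemp -d)
    mkdir -p "$lab/Library/LaunchAgents" "$lab/$PROTON_AGENT_APP" "$lab/Library/VideoFrameworks"
    : > "$lab/$PROTON_AGENT_PLIST"
    : > "$lab/$PROTON_ZIP"
    echo "before cleanup:"; proton_indicators "$lab"
    proton_cleanup "$lab"
    echo "after cleanup:";  proton_indicators "$lab" && echo "  nothing found"
    rm -rf "$lab"
}

case "${1:-}" in --lab) proton_lab_demo ;; esac
```

`sh script.sh --lab` exercises the functions against the constructed directory only; sourcing the file and calling `proton_indicators` with no argument checks the current account, and `proton_cleanup` with no argument applies the alert's steps to it. The cleanup deliberately stops at the artifacts the alert names and does not try to find the Trojanized HandBrake.app copies itself, which is the part the developers leave to the user.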