Mac app developers issue malware warning after server compromise – ZDNet

Users who downloaded Handbrake could be at risk from password-stealing malware


Users who’ve recently downloaded the Handbrake video transcoder app for Apple Mac may have been infected with Trojan malware.

The creators of the platform have issued a statement warning that anyone who downloaded Handbrake on Mac between 2 May (14:30 UTC) and 6 May (11:00 UTC) from the download.handbrake.fr mirror could be at risk.

“Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have 50/50 chance if you’ve downloaded HandBrake during this period,” said the creators of HandBrake.

Those infected are at risk from cyberthieves stealing login credentials from OSX KeyChain, Apple’s password management system, or from passwords stored in any browsers.

Anyone who downloaded Handbrake from the ‘download.handbrake.fr’ mirror is at risk — and those who see a process called “Activity_agent” in the OSX Activity Monitor application are infected with the Trojan and should change all their passwords.

The malware that Handbrake users may have been targeted with is a variant of the MacOS Proton RAT, regularly touted on Russian underground forums as a way to compromise Mac machines for the purposes of spying and theft.

Proton RAT is capable of activities including keylogging, screenshot capture, webcam operation, and more, providing a veritable treasure trove of information to spies and cybercriminals.

Somehow, those behind the compromise managed to replace the Handbrake Apple Disk Image file (HandBrake-1.07.dmg) with a malicious file which enables infection. Those who have been compromised by the malware should open up the “Terminal application” and run the following commands before removing any “HandBrake.app” installations on the system.

  • launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
  • rm -rf ~/Library/RenderFiles/activity_agent.app
  • if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
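
Before running the removal commands, the same indicators can be checked without changing anything on disk. The script below is an added example, not part of the HandBrake statement or the original article; the function names are hypothetical, and the paths and process name are the ones given above.

```shell
#!/bin/sh
# Added example: read-only check for the Proton indicators named in the article.
# Function names are hypothetical; paths and process name come from the article.

# Print every on-disk indicator found under the given home directory.
proton_file_indicators() {
    home=$1
    for rel in \
        "Library/LaunchAgents/fr.handbrake.activity_agent.plist" \
        "Library/RenderFiles/activity_agent.app" \
        "Library/VideoFrameworks/proton.zip"
    do
        # -e matches files and directories (.app bundles are directories);
        # -L also catches a dangling symlink left at the same path.
        if [ -e "$home/$rel" ] || [ -L "$home/$rel" ]; then
            printf '%s\n' "$home/$rel"
        fi
    done
}

# Succeed if a process named Activity_agent is running, which is what the
# article says to look for in Activity Monitor.
proton_process_running() {
    ps -A -o comm= 2>/dev/null | grep -Eq '(^|/)Activity_agent$'
}

# Report all indicators; return 1 if any is present, 0 if none.
proton_scan() {
    home=${1:-$HOME}
    status=0
    found=$(proton_file_indicators "$home")
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | sed 's/^/indicator on disk: /'
        status=1
    fi
    if proton_process_running; then
        echo "indicator: process Activity_agent is running"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "no Proton indicators found under $home"
    return "$status"
}

# Scan only when a home directory is passed, e.g.: sh check.sh "$HOME"
if [ "$#" -gt 0 ]; then
    proton_scan "$1"
fi
```

A clean result only means these specific artifacts are absent; anyone who installed the download from the affected window should still follow the password-change advice above.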

Those behind the open source Handbrake don’t yet know how the secondary download mirror was compromised, but the affected server has been shut down while the investigation is underway. Meanwhile, Apple has updated OSX’s XProtect in order to enable detection of the RAT.