Users who’ve recently downloaded the Handbrake video transcoder app for Apple Mac may have been infected with Trojan malware.
The creators of the platform have issued a statement warning that anyone who downloaded HandBrake for Mac between 2 May (14:30 UTC) and 6 May (11:00 UTC) from the download.handbrake.fr mirror could be at risk.
“Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have a 50/50 chance if you’ve downloaded HandBrake during this period,” said the creators of HandBrake.
Those infected are at risk from cyberthieves stealing login credentials from OSX KeyChain, Apple’s password management system, or from passwords stored in any browsers.
Anyone who downloaded Handbrake from the ‘download.handbrake.fr’ mirror is at risk — and those who see a process called “Activity_agent” in the OSX Activity Monitor application are infected with the Trojan and should change all their passwords.
The malware delivered to affected HandBrake users is a variant of the macOS Proton RAT, regularly touted on Russian underground forums as a way to compromise Mac machines for the purposes of spying and theft.
Proton RAT is capable of keylogging, screenshot capture, webcam operation and more, providing a veritable treasure trove of information to spies and cybercriminals.
By means not yet known, those behind the compromise managed to replace the HandBrake Apple Disk Image file (HandBrake-1.07.dmg) on the mirror with a malicious file that installs the Trojan. Anyone who has been compromised by the malware should open the Terminal application and run the following commands, then remove any HandBrake.app installations on the system:
- launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
- rm -rf ~/Library/RenderFiles/activity_agent.app
- if ~/Library/VideoFrameworks/ contains proton.zip, remove that folder: [ -f ~/Library/VideoFrameworks/proton.zip ] && rm -rf ~/Library/VideoFrameworks
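As an added example (not code from the article or from the HandBrake project), the following shell functions check a home directory for the on-disk indicators listed above and report whether a process matching the Activity_agent name is running; the home-directory argument and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the article or the HandBrake project.
# Checks one home directory for the indicators the advisory lists.
# The home_dir argument and the function names are assumptions.

# Print each indicator path found (to stderr) and the count found (to stdout).
hb_proton_indicators() {
    home_dir="${1:-$HOME}"
    found=0
    for rel in \
        "Library/LaunchAgents/fr.handbrake.activity_agent.plist" \
        "Library/RenderFiles/activity_agent.app" \
        "Library/VideoFrameworks/proton.zip"
    do
        if [ -e "$home_dir/$rel" ]; then
            echo "INDICATOR: $home_dir/$rel" >&2
            found=$((found + 1))
        fi
    done
    echo "$found"
}

# Print "yes" if a running process matches the Activity_agent name the
# advisory describes, "no" otherwise, or "unknown" when pgrep is unavailable.
hb_proton_process_running() {
    if ! command -v pgrep >/dev/null 2>&1; then
        echo "unknown"
    elif pgrep -if activity_agent >/dev/null 2>&1; then
        echo "yes"
    else
        echo "no"
    fi
}

# Stand-alone run: report on the current user's home directory.
count=$(hb_proton_indicators)
echo "on-disk indicators found: $count"
echo "Activity_agent process running: $(hb_proton_process_running)"
```

A non-zero indicator count or a running Activity_agent process means the remediation commands above apply and all passwords stored in Keychain and browsers should be changed.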
Those behind the open source Handbrake don’t yet know how the secondary download mirror was compromised, but the affected server has been shut down while the investigation is underway. Meanwhile, Apple has updated OSX’s XProtect in order to enable detection of the RAT.