The Mac build of Handbrake, the popular multi-platform video transcoder, has been infected with a Remote Access Trojan (RAT) that steals login credentials from OSX KeyChain, Apple’s password management system, and browser-stored passwords.

The Trojan is a new variant of the Russian-attributed OSX.Proton. Its capabilities include keylogging, screenshot captures, and webcam control. Apart from stealing data from infected devices, it can also allow attackers to connect remotely via VNC or SSH.

Anyone who downloaded the app between 2nd May 2017 and 6th May 2017 should verify that their device is not infected with malware (now would be a good time to get anti-malware software, lol).

The app download file – HandBrake-1.0.7.dmg – hosted on the secondary download mirror (download.handbrake.fr) was replaced by a malicious version whose SHA-1 / SHA-256 hashes do not match those published on the official Handbrake website or GitHub Wiki. The security warning from Handbrake urges users to verify the file hashes before running it.

The download mirror has been shut down for further investigation. However, the primary download mirror and the website were unaffected.


If you suspect you have been infected, the first thing to look for is an “activity_agent” process running in the OSX Activity Monitor application, a sure indication of infection. If your application’s built-in updater is earlier than version 1.0, you should also verify that your system has not been infected, as the older releases do not use DSA signature verification. How, you ask?…

First, check the SHA-1 / SHA-256 hashes of the download file as follows:

  1. Open a terminal
  2. Change directory to where you downloaded Handbrake
  3. Run the following command to print both the SHA-1 and SHA-256 hashes:

     shasum -a 1 HandBrake-* && shasum -a 256 HandBrake-*

Note: the following checksums belong to the infected file; if either one matches your download, you have the malicious version:

SHA-1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274

SHA-256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

Secondly, run the following command to verify the GPG signature of the download:

gpg --verify filename.xyx.sig

where filename.xyx.sig is the detached signature file for the downloaded HandBrake binary; gpg looks for the signed file of the same name (without .sig) in the same directory, and the HandBrake public key must be imported before the verification can succeed. The signer ID shown should be “HandBrake Team“.

GPG signatures are available here.

Removal procedures are as follows (run on Terminal):

launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app

If ~/Library/VideoFrameworks/ contains proton.zip, remove the folder.

Remove any “Handbrake.app” installs you may have.

Be sure to change all the passwords that may be in your OSX KeyChain or any browser-stored passwords to be on the safe side.

There is no word yet on how the attackers were able to compromise the secondary download mirror. Apple has, however, updated XProtect to detect the Trojan.

Interestingly enough, the main author of Handbrake is also the author of the Transmission BitTorrent client for Mac, whose download mirror was hacked in March 2016 as well. That time, the client was replaced with a version that contained the KeRanger ransomware. To make matters worse, the same download mirror was hacked again, this time to distribute the Keydnap infostealer.

“The HandBrake Team is independent of the Transmission Developers,” HandBrake said in its advisory. “The projects share history in the sense that the same author created these apps but he is not part of the current HandBrake team of developers. We do not share our virtual machines with the Transmission project.”

In the meantime, take a look at the VirusTotal analysis and a comprehensive malware analysis of the new OSX/Proton variant here!

References:

Threat Post  |  Bleeping Computer  |  The Register  |  ZDNet  |  Handbrake Forum
