Mac users who downloaded HandBrake v 1.0.7.dmg via the download mirror hosted at "download.handbrake.fr" from May 2-6 has a 50-50 chance of being infected with Proton malware, developers warned.
Mac users who downloaded HandBrake v 1.0.7.dmg via the download mirror hosted at "download.handbrake.fr" from May 2-6 has a 50-50 chance of being infected with Proton malware, developers warned.

The developers of open-source digital video file transcoder HandBrake have advised Mac-based users that they may be infected with a malicious backdoor after an attacker replaced a HandBrake installation package with a variant of the Proton remote access trojan malware.

In a security post published on its forum, HandBrake warned that anyone who downloaded HandBrake version 1.0.7.dmg via the download mirror hosted at "download.handbrake.fr" between May 2 (14:30 UTC) and May 6 (11 UTC) has a "50-50 chance" of being compromised by the RAT.

According to a blog post published on Monday by Malwarebytes, this new version of Proton is heavily focused on exfiltrating browser data, including form auto-fill data, keychains and 1Password vaults. The malware also attempts to phish users' admin passwords with a prompt during installation, even though the real application does not normally ask for such information. The malware then relays entered passwords in clear text to a command-and-control server, likely so that the hackers can decrypt the keychain file and possibly unlock other files as well.

Proton first came to light in February 2017 when web monitoring company Sixgill reported that its researchers had found the Mac malware on a Russian cybercrime forum. While that original version reportedly features a myriad of spying and phishing capabilities, this latest iteration appears to be more slimmed down. "I don't know that I would say that this is an evolution, since it has lost some functionality," said blog post author and Malwarebytes' director of Mac offerings Thomas Reed, in an email interview with SC Media. "I don't think this replaces the previous version of Proton, but [it] was written with some of the same code."

HandBrake developers said that Mac users are infected if they find a specific process called "Activity_agent" running in their OSX Activity Monitor application, or if they have installed software with the following checksums:

  • SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
  • SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

Asked why HandBrake was specifically victimized, Reed told SC Media that the hackers behind the attack may have "learned of a weakness in the HandBrake servers, or possibly had some inside information."

In his Malwarebytes blog post, Reed noted that the only other Mac app to be hacked in this same manner is Transmission, which, like HandBrake, was created by developer Eric Petit. "Though I don't know if it means anything at all, it's certainly a fair question to wonder who has access to both of these projects that could be abused in this manner," Reed wrote in the post. (Transmission was hacked to spread KeRanger ransomware and Keydnap last year.)

While HandBrake and Transmission share the same author, their development teams are independent entities and do not share virtual machines, HandBraker noted in an update to its forum post, adding that Petit is not currently on the HandBrake team.