Trojanized Elmedia Player spread OSX/Proton malware on Elmedia site

A trojanized version of Eltima's Elmedia Player software was seen being distributed via the company's own official site in the late hours of Oct. 20, 2017.

The compromised app was infecting users with the OSX/Proton malware, a backdoor that gains persistence within a system and can steal operating system details, browser information, cryptocurrency wallets, SSH private data, macOS keychain data, Tunnelblick VPN configuration, GnuPG data and 1Password data, according to an Oct. 20 ESET blog post.

“In the current case of Eltima trojanized software, the attacker built a signed wrapper around the legitimate Elmedia Player and Proton,” researchers said in the post. “In fact, we observed what seems to be real-time repackaging and signing of the wrappers, all with the same valid Apple Developer ID.”

Researchers recommend that anyone who recently downloaded the Elmedia Player software check whether their system is compromised by testing for the presence of any of the following files or directories:

  • /tmp/Updater.app/
  • /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
  • /Library/.rand/
  • /Library/.rand/updateragent.app/
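
The check described above can be scripted. This is an added example, not code from ESET or from the original article; the function name `check_proton_iocs` and its optional root-prefix argument (for checking a mounted backup or disk image instead of the live system) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: test for the four OSX/Proton indicator paths listed above.

# Indicator paths exactly as given in the article, one per line.
PROTON_IOCS='/tmp/Updater.app/
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand/
/Library/.rand/updateragent.app/'

# check_proton_iocs [ROOT]
#   ROOT (assumed convenience parameter) is prepended to every path, e.g.
#   /Volumes/Backup for a mounted image; empty means the live system.
#   Prints one "FOUND <path>" line per indicator that exists.
#   Returns 1 if at least one indicator is present, 0 if none are.
check_proton_iocs() {
    root="${1:-}"
    found=0
    while IFS= read -r ioc; do
        # Skip blank lines so an empty entry never matches ROOT itself.
        if [ -z "$ioc" ]; then
            continue
        fi
        target="${root}${ioc}"
        # -e covers files and directories; -L also catches a dangling symlink.
        if [ -e "$target" ] || [ -L "${target%/}" ]; then
            printf 'FOUND %s\n' "$target"
            found=1
        fi
    done <<EOF
$PROTON_IOCS
EOF
    return "$found"
}
```

Calling `check_proton_iocs` with no argument checks the running system; a non-zero return status means at least one of the listed paths exists.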

Researchers said it appears that only the version downloaded from the website contains the trojanized application and that the built-in automatic update mechanism seems unaffected. Eltima was promptly notified and the malicious trojan has since been removed from its site.

Eltima is just one of a growing list of recent website compromises, and attacks leveraging third-party website code (excluding advertising code) are more common than people think and tend to peak during the latter half of the calendar year, said Media Trust Chief Executive Officer Chris Olson.

“The ease of purchasing exploit kits on the dark web paired with general website security deficiency creates the perfect storm for successful web-based malware attacks,” Olson said. “Frankly, these headline-grabbing scenarios will continue until enterprises understand that the highly-dynamic digital environment requires a continuous security approach.”

He said these third-party partners contribute website code that operates outside the purview of today's IT and security infrastructure and presents multiple opportunities for bad actors to inject malicious code. Olson said between 50 and 78 percent of all code executing on an average website is provided by third parties unknown to the IT/information security teams.

“From our own experience, we know that this percentage increases manifold when it comes to ecommerce or consumer-focused websites, resulting in unchecked digital shadow IT,” he said.

To prevent similar attacks, he said site owners should take the time to get to know their sites and those of their partners that contribute code and functionality to site operations, and that identification and continuous monitoring of these vendors is critical to developing a comprehensive security strategy for digital assets.