Eltima Website Hacked to Spread Proton RAT With Popular Video Player App

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
The website of Eltima, a maker of macOS and Windows apps, has been compromised by an unknown actor to spread a trojanized version of Elmedia Player, a multimedia player for macOS.

At the time of writing, it is unclear when attackers hijacked the site and poisoned the Elmedia Player download links, but Eltima cleaned their website on October 19, 3:15 PM EDT after researchers from ESET spotted the malware and contacted the company.

Elmedia Player trojanized with Proton RAT
According to ESET, recent versions of the Elmedia Player were bundled with the Proton malware, a remote access trojan for macOS systems that's been sold on underground hacking forums since March this year.

The malware has been deployed in a similar attack before, in May, when another unknown actor compromised the website of the HandBrake macOS transcoder app and bundled Proton with the official app.


Elmedia Player is a very popular multimedia player for Mac, having recently celebrated reaching the one million users milestone.
Click to expand...

Proton RAT can collect a vast amount of information

Proton is also a very powerful malware. The RAT provides a backdoor for the attacker into compromised systems.

An attacker can use Proton to gather various information from infected hosts, such as OS system details, browser passwords, browser cookies, browsing history, data on cryptocurrency wallets, SSH private keys, macOS keychain data, VPN configs, GnuPG data, 1Password data, and more.

In addition, attackers can use Proton to download and execute new malware on infected hosts. A full review of Proton's full capabilities is available in write-ups by Patrick Wardle, Cybereason, and Malwarebytes.

Mac users who recently installed the Elmedia Player can verify if they're infected with the Proton RAT by checking for the existence of the following folders on their machine:

/tmp/Updater.app/
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand/
/Library/.rand/updateragent.app/
Click to expand...
 
  • Like
Reactions: Venustus, XhenEd, harlan4096 and 1 other person
You must log in or register to reply here.

Similar threads

silversurfer
    • Like
    • +Reputation
    • Wow
Fruity Trojan Uses Deceptive Software Installers to Spread Remcos RAT
Replies
4
Views
1,510
News Archive
Xeno1234
Xeno1234
MuzzMelbourne
    • Like
    • +Reputation
New AhRat Android malware hidden in app with 50,000 installs
Replies
0
Views
1,114
News Archive
MuzzMelbourne
MuzzMelbourne
Sandbox Breaker
    • Like
    • Applause
AWS SSM Agent can be used as a RAT
Replies
0
Views
1,427
News Archive
Sandbox Breaker
Sandbox Breaker

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top