Malware News Website of HandBrake App Hacked to Spread Proton RAT for Mac Users

Solarquest

The website of the HandBrake app has been compromised, and one of its download mirrors modified to host a version of the Proton RAT embedded in the app's Mac client.

HandBrake is a multi-platform transcoder, an app that helps users convert multimedia files from one format to another.

According to a security alert posted yesterday on the app's forum, an unknown attacker had compromised one of the website's download mirrors, located at download.handbrake.fr.

The miscreant(s) replaced the Mac version of the HandBrake client with their own version, which also contained Proton, a Remote Access Trojan for macOS.

The Proton RAT was first spotted in March when a crook put it up for sale on an underground hacking forum. The RAT can be used to steal data from infected devices, but also to allow attackers to connect via VNC or SSH to infected hosts.

Download mirror compromised for four days
According to the HandBrake team, their servers were compromised between May 2, 2017, 14:30 UTC and May 6, 2017, 1:00 UTC. Users who downloaded HandBrake for Mac 1.0.7 are most likely compromised.

"If you see a process called 'Activity_agent' in the OSX Activity Monitor application. You are infected," HandBrake developers say.

The SHA256 of the infected HandBrake file is 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793. A VirusTotal scan of this file doesn't list any infection, but this was one of Proton's advertised features, as being "undetectable."

.....
 

Winter Soldier

No detections on VT. Pretty good!
Yes, I'd like to know the programming language of this sample, if it was written in Objective C, I think some of the other AVs would have detected the malware, at least according to the heuristic.
 

shmu26

Winter Soldier said:
Yes, I'd like to know the programming language of this sample, if it was written in Objective C, I think some of the other AVs would have detected the malware, at least according to the heuristic.
So the thing is they wrote it specifically for Mac, and Mac is less developed in security software. Maybe that's why it went undetected?
 

Winter Soldier

shmu26 said:
So the thing is they wrote it specifically for Mac, and Mac is less developed in security software. Maybe that's why it went undetected?
No idea, but I do not know the programming language; in the case of OC, it probably would have been detected on VT also by the antivirus that work on Windows systems because of the affinity with C/C++ (heuristic level).
 

orphyone

Solarquest said:
The website of the HandBrake app has been compromised, and one of its download mirrors modified to host a version of the Proton RAT embedded in the app's Mac client.

HandBrake is a multi-platform transcoder, an app that helps users convert multimedia files from one format to another.

According to a security alert posted yesterday on the app's forum, an unknown attacker had compromised one of the website's download mirrors, located at download.handbrake.fr.

The miscreant(s) replaced the Mac version of the HandBrake client with their own version, which also contained Proton, a Remote Access Trojan for macOS.

The Proton RAT was first spotted in March when a crook put it up for sale on an underground hacking forum. The RAT can be used to steal data from infected devices, but also to allow attackers to connect via VNC or SSH to infected hosts.

Download mirror compromised for four days
According to the HandBrake team, their servers were compromised between May 2, 2017, 14:30 UTC and May 6, 2017, 1:00 UTC. Users who downloaded HandBrake for Mac 1.0.7 are most likely compromised.

"If you see a process called 'Activity_agent' in the OSX Activity Monitor application. You are infected," HandBrake developers say.

The SHA256 of the infected HandBrake file is 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793. A VirusTotal scan of this file doesn't list any infection, but this was one of Proton's advertised features, as being "undetectable."

.....

Just goes to show, check yo hashes! :)
 
