


Last year, the Transmission torrent app was hacked not just once, but twice, to install the KeRanger ransomware and, later, the Keydnap backdoor. Now, the same thing has happened to the popular DVD-ripping HandBrake app, which is installing a new variant of the Proton malware.

The real HandBrake 1.0.7 app was replaced with a malicious copy on May 2. This issue was discovered and the malicious app was removed on May 6, and a security warning was posted on the HandBrake website. Both the HandBrake website and the copy of HandBrake available via Homebrew (a command-line software installation system) were affected.

The security warning provides SHA1 and SHA256 hashes for the malicious HandBrake-1.0.7.dmg file, recommending that you check this against the hash of your download before installing. To do this, enter the following command in the Terminal app (found in the Utilities folder in the Applications folder):

(Of course, be sure to insert the proper path to the .dmg file. Note that you can drag a file onto the Terminal window to insert its path into the command automatically.)

Compare the value returned by this command to the SHA1 hash. If it matches, put the .dmg file in the trash, delete your copy of HandBrake, and scan your Mac with Malwarebytes for Mac. We detect this malware as OSX.Proton.

At this point, you can – in theory – safely download a new copy of HandBrake. I say “in theory” because we don’t know yet how the HandBrake site was hacked and what mitigations have been put in place to prevent future hacks. If you download a new copy of HandBrake, you can check it against the checksums listed on the HandBrake site to verify that it is valid. However, there’s a big problem with this: if the website has been hacked to replace the legit copy of the software with a bad one, it’s reasonable to assume that the checksums there could be replaced with bad ones as well.

[Image: Handbrake software]

Unfortunately, HandBrake is not code signed, so there’s no real way to verify with 100% certainty that the copy you have has not been tampered with.

[Image: Handbrake code]

The malicious copy of HandBrake, when run, will immediately ask for an admin password.

This is not normal for HandBrake, which may tip off a veteran user of the software. However, for a new user, or someone installing an update who isn’t yet familiar with the behavior of that update, this may not raise any red flags. If you are suspicious and click the Cancel button, it seems that the malware is not installed. Further, in my testing, there were no additional prompts in opening the app after the first. Still, I wouldn’t trust that copy of the app at all, even if it doesn’t appear to be dropping the payload under those conditions.

Unfortunately, checking for updates in the malicious copy does not result in any kind of a warning. When the same thing happened to the Transmission app, the Transmission Project quickly put out an update that would replace the infected app with a clean one, as well as cleaning up any traces of the infection on the system. Hopefully, the same will happen for HandBrake, but at the time of this writing that has not been done yet.

[Image: Handbrake update]

If the password is given, the malicious app will install the malware on the system in the following locations:

~/Library/LaunchAgents/fr.handbrake.activity_ist

[Image: Handbrake install]

The launch agent runs the activity_agent app at login and keeps it running in the event something terminates it. However, it seems that this malware may be a bit buggy. On the first install, it also dropped a non-functional launch agent named fr.handbrake.activity_ist-e with some of the contents missing. In another install, the launch agent contained the following non-functional plist data:

It appears that the malware installs this.
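The hash check the article describes earlier (comparing your download against the SHA1/SHA256 hashes in the HandBrake security warning, and a fresh download against the checksums the site publishes), as an added example that is not part of the Malwarebytes post: a POSIX shell script that computes a file's SHA-1 or SHA-256 digest, choosing the algorithm from the length of the hash you paste in, and compares the two case-insensitively. The real hash values from the warning are not reproduced here; the demo runs on a constructed empty file (whose digests are the well-known empty-input values) and uses an all-zero hash as a placeholder for "some other file". Which meaning a match carries depends on what you compare against: a match with the malicious .dmg hash means you have the trojanized download, while a match with the site's checksum only tells you the file is what the site currently serves, which is exactly the limitation the article points out for a site that has already been compromised.

```shell
#!/bin/sh
# Added example, not code from the article or from the HandBrake project.
# Verifies a downloaded file against a published SHA-1 or SHA-256 hash.

# Print the hex digest of FILE using SHA-BITS (1 or 256). Uses whichever tool
# the system has: shasum (macOS, also common on Linux), sha1sum/sha256sum
# (coreutils) or openssl as a last resort.
digest_of() {
  bits="$1"; file="$2"
  if command -v shasum >/dev/null 2>&1; then
    shasum -a "$bits" "$file" | awk '{print $1}'
  elif command -v "sha${bits}sum" >/dev/null 2>&1; then
    "sha${bits}sum" "$file" | awk '{print $1}'
  else
    openssl dgst "-sha${bits}" "$file" | awk '{print $NF}'
  fi
}

# verify_download FILE EXPECTED_HEX
# Normalises the pasted hash (strips whitespace, lower-cases it), infers the
# algorithm from its length (40 hex chars = SHA-1, 64 = SHA-256), and reports
# MATCH (exit 0), MISMATCH (exit 1) or an unrecognised hash length (exit 2).
verify_download() {
  file="$1"
  expected="$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')"
  case "${#expected}" in
    40) bits=1 ;;
    64) bits=256 ;;
    *)  echo "unrecognised hash length ${#expected} (need 40 for SHA-1 or 64 for SHA-256)" >&2
        return 2 ;;
  esac
  actual="$(digest_of "$bits" "$file")"
  if [ "$actual" = "$expected" ]; then
    echo "MATCH (SHA-$bits): $file"
    return 0
  fi
  echo "MISMATCH (SHA-$bits): $file"
  echo "  expected: $expected"
  echo "  actual:   $actual"
  return 1
}

# Demo on a constructed input: an empty temporary file, not a real download.
# e3b0c442... is the SHA-256 of empty input; the all-zero hash is a placeholder
# standing in for a hash that belongs to some other file.
demo() {
  sample="$(mktemp)"
  : > "$sample"
  verify_download "$sample" e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  verify_download "$sample" 0000000000000000000000000000000000000000000000000000000000000000 || true
  rm -f "$sample"
}
demo
```

In practice you would call `verify_download ~/Downloads/HandBrake-1.0.7.dmg '<hash copied from the warning>'`; quoting the pasted hash keeps any stray whitespace from splitting it into two arguments, and the script lower-cases it so a hash copied in upper case still compares correctly.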
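To make the persistence mechanism described above concrete (a launch agent that starts activity_agent at login and relaunches it when something kills it), here is an added auditing example; it is not code from the article, from Malwarebytes or from the HandBrake project. It reads a LaunchAgent plist with a small awk parser (assuming one element per line, as plutil writes them), extracts the label, program path, RunAtLoad and KeepAlive settings, and reports whether the agent both runs at login and is kept alive, which is the combination a defender would want to review in ~/Library/LaunchAgents. The sample plist is constructed for the demo: the label fr.handbrake.activity_ist and the activity_agent name come from the article, but the program path under /Users/example/Library/EXAMPLE_DIR is a made-up placeholder, not the location the malware actually uses.

```shell
#!/bin/sh
# Added example, not code from the article or from the HandBrake project.
# Summarises a LaunchAgent plist as "label|program|runatload|keepalive".

# summarize_launch_agent PLIST
# Walks the XML plist line by line: remembers the last <key>, then assigns the
# next <string>/<true/>/<false/>/<dict> value to it. KeepAlive given as a dict
# of conditions is reported as "true" since it still relaunches the program.
summarize_launch_agent() {
  awk '
    function text(s) {
      sub(/^[ \t]*<[a-zA-Z]+>/, "", s); sub(/<\/[a-zA-Z]+>[ \t]*$/, "", s); return s
    }
    /<key>/    { key = text($0); next }
    /<string>/ {
      if (key == "Label") label = text($0)
      else if (key == "Program" || (key == "ProgramArguments" && program == "")) program = text($0)
      next
    }
    /<true\/>/  { if (key == "RunAtLoad") runatload = "true";  if (key == "KeepAlive") keepalive = "true";  next }
    /<false\/>/ { if (key == "RunAtLoad") runatload = "false"; if (key == "KeepAlive") keepalive = "false"; next }
    /<dict>/    { if (key == "KeepAlive") keepalive = "true"; next }
    /<\/array>|<\/dict>/ { key = "" }
    END {
      if (runatload == "") runatload = "false"
      if (keepalive == "") keepalive = "false"
      printf "%s|%s|%s|%s\n", label, program, runatload, keepalive
    }
  ' "$1"
}

# is_persistent_agent PLIST
# Exit 0 when the agent both starts at login and is relaunched after exit.
is_persistent_agent() {
  case "$(summarize_launch_agent "$1")" in
    *"|true|true") return 0 ;;
    *)             return 1 ;;
  esac
}

# write_sample_agent PATH [KEEPALIVE_ELEMENT]
# Constructed sample for the demo; the program path is a placeholder, NOT the
# real install location. KEEPALIVE_ELEMENT defaults to <true/>.
write_sample_agent() {
  keep="${2:-<true/>}"
  cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>fr.handbrake.activity_ist</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/example/Library/EXAMPLE_DIR/activity_agent.app/Contents/MacOS/activity_agent</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    $keep
</dict>
</plist>
EOF
}

# Demo on the constructed sample file.
demo() {
  f="$(mktemp)"
  write_sample_agent "$f"
  summarize_launch_agent "$f"
  if is_persistent_agent "$f"; then
    echo "starts at login AND is relaunched when killed: worth a closer look"
  fi
  rm -f "$f"
}
demo
```

On a real Mac you would run `summarize_launch_agent` over `~/Library/LaunchAgents/*.plist` and look at any entry whose program lives somewhere unusual for a user-level agent; `plutil -p` or `defaults read` would give the same fields, but the awk parser keeps the example runnable on any POSIX system.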
