The website of the HandBrake app has been compromised, and one of its download mirrors modified to host a version of the Proton RAT embedded in the app’s Mac client.
HandBrake is a multi-platform transcoder, an app that helps users convert multimedia files from one format to another.
According to a security alert posted yesterday on the app’s forum, an unknown attacker had compromised on of the website’s download mirrors, located at download.handbrake.fr.
The miscreant(s) replaced the Mac version of the HandBrake client with his own version, which also contained Proton, a Remote Access Trojan for macOS.
The Proton RAT was first spotted in March when a crook put it up for sale on an underground hacking forum. The RAT can be used to steal data from infected devices, but also to allow attackers to connect via VNC or SSH to infected hosts.
Download mirror compromised for four days
According to the HandBrake team, their servers were compromised between May 2, 2017, 14:30 UTC and May 6, 2017, 1:00 UTC. Users who downloaded HandBrake for Mac 1.0.7 are most likely compromised.
“If you see a process called ‘Activity_agent’ in the OSX Activity Monitor application. You are infected,” HandBrake developers say.
The SHA256 of the infected HandBrake file is 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793. A VirusTotal scan of this file doesn’t list any infection, but this was one of Proton’s advertised features, as being “undetectable.”
Users who updated to HandBrake 1.0.7 are safe, as the updater uses DSA signatures to verify the downloaded files. The DSA signature check was introduced in HandBrake 0.10.6, so users who updated from an earlier version should check their systems if they’ve been compromised.
The HandBrake team provides the following removal instructions:
Step 1: Open the “Terminal” application and run the following command:
launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
Step 2: Run the following command:
rm -rf ~/Library/RenderFiles/activity_agent.app
Step 3: If ~/Library/VideoFrameworks/ contains proton.zip, remove the folder.
Step 4: Remove any “HandBrake.app” installs you may have.
“Based on the information we have, you must also change all the passwords that may reside in your OSX KeyChain or any browser password stores,” the app developers also added.
The HandBrake team has taken the affected download mirror server offline for an investigation. During this time, the team said HandBrake app downloads would run slower.
Happened before. To the same team.
The main author of the HandBrake app is also the author of the Transmission BitTorrent client for Mac. In March 2016, an unknown attacker had compromised the download mirror for the Transmission Mac client and replaced the original with a version that contained the KeRanger ransomware.
A few months later, the same download mirror was compromised again, this time with the Keydnap infostealer.