The Supply chain of the HandBrake Mac software compromised to spread Proton malware

Maintainers of the HandBrake video transcoder are warning Mac users who recently downloaded the software that they may have been infected with malware.

Maintainers of the open-source HandBrake video transcoder are warning Mac users who recently downloaded the application that they may have been infected with malware.Mac users who downloaded and installed the program from May 2 to May 6 need to check their computers for malware.

The handlers of the project urge users to verify the SHA1 or SHA256 sum of the file before running it.

SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

The attackers broke into a download mirror server hosted under download.handbrake.fr for HandBrake and compromised it to distribute a macOS version of the software packaged with a malware.The primary download server was not compromised by hackers, for this reason, users who downloaded HandBrake-1.0.7.dmg have a 50/50 chance of having installed a trojanized version of the applications.The users of HandBrake 1.0 and later who upgraded their version to version 1.0.7 using the built-in update feature shouldn’t be affected because the updater verifies the checksum of the package.Users of version 0.10.5 and earlier who used the built-in updater during those five days might be affected.

“Anyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1 / 256 sum of the file before running it.” reads a security warning published on the HandBrake forum.

“Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have 50/50 chance if you’ve downloaded HandBrake during this period.”

The software contained a new strain of the Proton malware for MacOS that is a remote access tool (RAT) available for sale on some cybercrime forums.

The Proton RAT first appeared in the threat landscape last year, the variant recently advertised on hacking forums includes many features such as the ability to execute console commands, access the user’s webcam, log keystrokes, capture screenshots and open SSH/VNC remote connections. The malicious code is also able to inject malicious code in the user’s browser to display popups asking victims’ information such as credit card numbers, login credentials, and others.

In order to obtain admin privileges, the rogue HandBrake installer asked Mac users for their password under the guise of installing additional video codecs.

According to the security expert Patrick Wardle, the Proton variant used in this attack was not detected by antimalware engines on VirusTotal.

The advisory published on the HandBrake forum also provides manual removal instructions. Mac users who have found the malware on their Macs must change all the passwords stored in their macOS keychains or browsers.

Crooks have used similar tactics in the past to spread malware, the macOS version of the popular Transmission BitTorrent client was found distributing Mac malware two times.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – HandBrake, Proton RAT)

[adrotate banner=”5″]

[adrotate banner=”13″]