Proton malware spreading through supply-chain attack, victims should wipe their Macs

Pierluigi Paganini October 21, 2017

The dreaded Proton malware was spreading through a new supply-chain attack that involved the Elmedia apps, victims should wipe their Macs

Bad news for Mac users, a new malware is threatening them of a complete system wipe and reinstall.

Crooks are distributing the malware in legitimate applications, the popular Elmedia Player and download manager Folx developed by the Elmedia Player who confirmed the threat. The latest versions of both apps came with the OSX.Proton malware.

The Proton malware is a remote access tool (RAT) available for sale on some cybercrime forums, it first appeared in the threat landscape last year. The malicious code includes many features such as the ability to execute console commands, access the user’s webcam, log keystrokes, capture screenshots and open SSH/VNC remote connections. The malicious code is also able to inject malicious code in the user’s browser to display popups asking victims’ information such as credit card numbers, login credentials, and others.

The Proton malware can hack into a victim’s iCloud account, even if two-factor authentication is used, and in March it was offered for sale at $50,000.

Experts at security firm ESET discovered that the Proton malware is spreading through supply chain attacks, hackers injected the malicious code into downloads of the applications.

“During the last hours, ESET researchers noticed that Eltima, the makers of the Elmedia Player software, have been distributing a version of their application trojanized with the OSX/Proton malware on their official website. ESET contacted Eltima as soon as the situation was confirmed. Eltima was very responsive and maintained an excellent communication with us throughout the incident.” reported ESET.

ESET promptly alerted Elmedia, hackers compromised the developer’s servers and implanted the Proton malware into the download files.

Below the timeline of the attack:

  • 2017-10-19 : Trojanized package confirmed
  • 2017-10-19 10:35am EDT: Eltima informed via email
  • 2017-10-19 2:25pm EDT: Eltima acknowledged the issue and initiated remediation efforts
  • 2017-10-19 3:10pm EDT: Eltima confirms their infrastructure is cleaned up and serving the legitimate applications again
  • 2017-10-19 10:12am EDT: Eltima publishes an announcement about the event
  • 2017-10-20 12:15pm EDT: Added references to Folx that was also distributed with the Proton malware

If you want to check your installation do a scan for the following file and directories:


“The presence of any of the files above is an indication that your system may have been infected by the trojanized Elmedia Player or Folx application which means your OSX/Proton is most likely running. If you downloaded Elmedia Player or Folx on the 19th of October 2017, your system is likely affected.” reads the security advisory published by Eltima.

The Proton malware has already infected a computer if any of those files and directories exist. Even if the malware is recognized by antivirus software, it’s difficult to remove.

“If you have downloaded that software on October 19th before 3:15pm EDT and run it, you are likely compromised.” states ESET.

“As with any compromission with a administrator account, a full OS reinstall is the only sure way to get rid of the malware. Victims should also assume at least all the secrets outlined in the previous section are compromised and take appropriate measures to invalidate them.”

Proton malware Elmedia-Player-application

The company Eltima is also suggesting a total system OS reinstall to rid the infected systems of this malware.

“A total system OS reinstall is the only guaranteed way to totally rid your system of this Malware,” it warned. “This is a standard procedure for any system compromise with the affection of administrator account.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – supply chain attack, Proton malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment