A popular video conversion app for Mac has suffered a malware infection on one of its mirror servers. If you downloaded HandBrake between 10:30 a.m. EDT on May 2, 2017 and 7:00 p.m. EDT on May 6, 2017, you should follow these instructions to check your Mac for a new variant of the malware OSX.PROTON. Yes, HandBrake was compromised by malware.
How Is It That HandBrake Was Compromised By Malware?
Sometime before 10:30 a.m. EDT on May 2, 2017, one of the download mirrors for HandBrake was compromised by malware. An unknown malicious file including the Trojan replaced the installation package HandBrake–1.0.7.dmg.
When the developers behind HandBrake discovered the infection, they posted a notice on the HandBrake forums. HandBrake shut down the affected download server, and is now rebuilding it from scratch.
OSX.PROTON is a remote access Trojan first discovered on a Russian cybercrime message board in early February 2017. The cybercriminals offered the malware with an Apple-approved developer signature to enable it to bypass Apple’s Gatekeeper protection on the victim’s Mac, according to security firm Intego.
After installed, an attacker could gain complete remote access to the user’s computer, including viewing the screen in real time and recording keystrokes. The malware is also capable of uploading your files, downloading additional malware, accessing the webcam, and issuing shell commands, among other nefarious activities.
How to Find Out if Your Copy of HandBrake Is Infected
If you downloaded the video conversion software during the reported timeframe and then installed a HandBrake.dmg file with this checksum, your Mac is infected:
SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274 SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793
You can check this by running the following command in Terminal from the folder containing the install file:
You can also confirm infection by launching Activity Monitor from Applications/Utilities. Look for a process called “activity_agent” or “Activity_agent”. The infection is present if you see that process.
Apple is updating the definitions for OS X and macOS’s XProtect feature, a process that began this morning. The new updates are rolling out soon, if not already. The definition update offers some measure of protection. However, go ahead and follow our removal procedure if the Trojan has already infected your Mac.
Great, It’s Infected My Mac – Now What?
Removal of the malware itself is relatively straightforward and easy. To remove this variant of OSX.PROTON, issue the following commands from the Terminal:
launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist rm -rf ~/Library/RenderFiles/activity_agent.app
You should also check ~/Library/VideoFrameworks for the presence of a file called “proton.zip.” If it’s there, HandBrake suggests deleting the entire VideoFrameworks folder.
Finally, you should delete the infected HandBrake.dmg file and download it again from a clean mirror. According to HandBrake, the primary download mirror and website are unaffected.
It would also be wise to run additional malware detection software. This is just in case the Trojan has already downloaded any of its friends.
Oh, and one more thing. HandBrake says affected users should change any passwords that might reside in your macOS or OS X Keychain or any browser password stores. Great news, isn’t it?
For more information and updates, be sure to check HandBrake’s announcement of the breach periodically.