Last year, the Transmission torrent app was hacked not just once, but twice, to install the KeRanger ransomware and, later, the Keydnap backdoor. Now the same thing has happened to the popular DVD-ripping app HandBrake, which is installing a new variant of the Proton malware.

The real HandBrake 1.0.7 app was replaced with a malicious copy on May 2. The issue was discovered and the malicious app removed on May 6, and a security warning was posted on the HandBrake website. Both the HandBrake website and the copy of HandBrake available via Homebrew (a command-line software installation system) were affected.

The security warning provides SHA1 and SHA256 hashes for the malicious HandBrake-1.0.7.dmg file and recommends that you check your download against them before installing. To do this, enter the following command in the Terminal app (found in the Utilities folder in the Applications folder):

(Of course, be sure to insert the proper path to the .dmg file. Note that you can drag a file onto the Terminal window to insert its path into the command automatically.)

Compare the value returned by this command to the SHA1 hash. If it matches, put the .dmg file in the trash, delete your copy of HandBrake, and scan your Mac with Malwarebytes for Mac. We detect this malware as OSX.Proton.

At this point, you can – in theory – safely download a new copy of HandBrake. I say “in theory” because we don’t know yet how the HandBrake site was hacked and what mitigations have been put in place to prevent future hacks. If you download a new copy of HandBrake, you can check it against the checksums listed on the HandBrake site to verify that it is valid. However, there’s a big problem with this: if the website has been hacked to replace the legitimate copy of the software with a bad one, it’s reasonable to assume that the checksums there could be replaced with bad ones as well. Unfortunately, HandBrake is not code signed, so there’s no real way to verify with 100% certainty that the copy you have has not been tampered with.

The malicious copy of HandBrake, when run, will immediately ask for an admin password. This is not normal for HandBrake, which may tip off a veteran user of the software. However, for a new user, or someone installing an update who isn’t yet familiar with the behavior of that update, this may not raise any red flags. If you are suspicious and click the Cancel button, it seems that the malware is not installed. Further, in my testing, there were no additional prompts in opening the app after the first. Still, I wouldn’t trust that copy of the app at all, even if it doesn’t appear to be dropping the payload under those conditions.

Unfortunately, checking for updates in the malicious copy does not result in any kind of warning. When the same thing happened to the Transmission app, the Transmission Project quickly put out an update that would replace the infected app with a clean one, as well as cleaning up any traces of the infection on the system. Hopefully, the same will happen for HandBrake, but at the time of this writing that has not been done yet.

If the password is given, the malicious app will install the malware on the system in the following locations:

~/Library/LaunchAgents/fr.handbrake.activity_ist

The launch agent runs the activity_agent app at login and keeps it running in the event something terminates it. However, it seems that this malware may be a bit buggy. On the first install, it also dropped a non-functional launch agent named fr.handbrake.activity_ist-e with some of the contents missing. In another install, the launch agent contained the following non-functional plist data:

It appears that the malware installs this .plist template, then uses the Unix sed command to search for and replace the P_MBN and P_UPTH values, but fails to do so in some cases. Thus, the malware does not always successfully install.

The fact that the malware requests an admin password yet installs all components in user space, where no admin password is needed, was initially puzzling, but that password request is actually not a system-generated prompt. It’s a phishing dialog displayed by the malware to obtain your password, which will be sent in clear text to apihandbrakebiz, the command & control (C&C) server for this malware.

The malware will create some or all of the following files:

~/Library/VideoFrameworks/CR_def.zip

These files contain a number of bits of data to be exfiltrated from the machine, such as browser data (including stored form auto-fill data), keychains, and even 1Password vaults. Since the user’s password was phished previously, it can be used to unlock the keychains, and either it or other passwords found in the keychain may be able to unlock other encrypted files.
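The two checks this post describes, the hash comparison of the downloaded disk image and the look at the launch agent the malware drops (including the botched install where the P_MBN / P_UPTH placeholders were never substituted), fit naturally into one small triage script. The script below is an added example written for this page; it is not code from the original post, from the HandBrake project or from Malwarebytes. It assumes placeholder values for the two known-bad hashes (paste the real ones from the HandBrake advisory), it tries the launch agent path both with and without a .plist suffix since the post gives it without one, and the plist it writes for demonstration is a constructed stand-in, because the post does not reproduce the real template.

```shell
#!/bin/sh
# Added example, not code from the original post, HandBrake or Malwarebytes.
# Usage: sh triage.sh ~/Downloads/HandBrake-1.0.7.dmg
#
# Part 1: compare a downloaded HandBrake-1.0.7.dmg with the SHA1/SHA256
#   hashes the HandBrake security warning published for the MALICIOUS file.
#   The two hash values below are placeholders (assumption); paste the real
#   ones from the advisory before use.
# Part 2: classify the launch agent the malware drops. The post reports
#   ~/Library/LaunchAgents/fr.handbrake.activity_ist, a stray copy named
#   fr.handbrake.activity_ist-e, and a plist template whose P_MBN / P_UPTH
#   placeholders are filled in with sed and sometimes are not. The plist
#   written by write_template_plist is a constructed stand-in.

set -u

BAD_SHA1='0000000000000000000000000000000000000000'                           # placeholder
BAD_SHA256='0000000000000000000000000000000000000000000000000000000000000000' # placeholder

# digest FILE ALGO -> lowercase hex digest; ALGO is 1 or 256.
# shasum ships with macOS; sha1sum/sha256sum are the Linux fallback.
digest() {
    if command -v shasum >/dev/null 2>&1; then
        shasum -a "$2" "$1" | awk '{print tolower($1)}'
    else
        "sha${2}sum" "$1" | awk '{print tolower($1)}'
    fi
}

# dmg_is_known_bad FILE -> exit 0 if either digest equals a known-bad hash.
# Both algorithms are checked so a typo in one pasted value cannot hide a hit.
dmg_is_known_bad() {
    h1=$(digest "$1" 1)
    h256=$(digest "$1" 256)
    if [ "$h1" = "$BAD_SHA1" ] || [ "$h256" = "$BAD_SHA256" ]; then
        echo "KNOWN-BAD: $1 sha1=$h1 sha256=$h256"
        return 0
    fi
    echo "no match: $1 sha1=$h1 sha256=$h256"
    return 1
}

# launch_agent_status PLIST -> absent | template | installed
#   absent    : nothing at that path (prompt cancelled, or never infected)
#   template  : P_MBN / P_UPTH still present, the non-functional install
#   installed : placeholders were substituted, a live persistence entry
launch_agent_status() {
    if [ ! -f "$1" ]; then echo absent; return 0; fi
    if grep -q -e 'P_MBN' -e 'P_UPTH' "$1"; then echo template; return 0; fi
    echo installed
}

# scan_launch_agents [DIR] -> one status line per candidate path. The post
# lists the agent without a .plist suffix, so both spellings are tried.
scan_launch_agents() {
    dir=${1:-"$HOME/Library/LaunchAgents"}
    for name in fr.handbrake.activity_ist fr.handbrake.activity_ist-e; do
        for cand in "$dir/$name" "$dir/$name.plist"; do
            echo "$cand: $(launch_agent_status "$cand")"
        done
    done
}

# write_template_plist PATH -> constructed stand-in for the unfilled template.
# RunAtLoad/KeepAlive mirror "runs at login and keeps it running".
write_template_plist() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>P_MBN</string>
  <key>ProgramArguments</key><array><string>P_UPTH</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
EOF
}

# fill_template SRC DST LABEL PROGRAM -> what a successful sed pass yields.
fill_template() {
    sed -e "s|P_MBN|$3|g" -e "s|P_UPTH|$4|g" "$1" > "$2"
}

# Stand-alone run: triage the dmg given as $1, then scan the real
# LaunchAgents folder. Nothing runs when the file is merely sourced.
if [ "$#" -ge 1 ]; then
    dmg_is_known_bad "$1"
    scan_launch_agents
fi
```

A "template" result is worth recording even though that agent never runs: it still proves the phishing dialog was answered and the password sent to the C&C server, so the password should be treated as compromised regardless of whether persistence took hold.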