Site icon Sophos News

Mac video app HandBrake – now with free spyware

Thanks to Anna Szalay and Xinran Wu of SophosLabs for their behind-the-scenes work on this article.

Last week, crooks managed to break into one of the download servers of a popular open-source video converter program called HandBrake.

The crooks then uploaded a hacked version of the official Mac download.

As a result, anyone who installed or reinstalled HandBrake Version 1.0.7 recently may have ended up with malware known as OSX/Proton-A.

We say “may” because there are two Handbrake download servers, but only one of them – the secondary server that acts as a mirror, or live backup, of the main server – was hacked.

As far as we can see from the HandBrake team, the load is split 50:50 between the two servers, so you had a 50% chance of getting infected during the danger period: Tuesday 2017-05-02T14:30Z to Saturday 2017-05-06T11:00Z.

The malware-infected download looks similar to the real thing when it’s opened:

The HandBrake app inside the DMG file starts running just as you might expect, but has had extra “secret sauce” compiled into it:

The HandBrake needs to install additional codecs prompt should ring alarm bells:

Nevertheless, it’s easy to fall for a fake password dialog of this sort: both Java and Flash, for example, arrive as installers (.pkg files) rather than as self-contained apps (.app directories) like HandBrake, and both of them ask for your password at install time.

In fact, the above fake password dialog comes from additional code that’s been compiled into the fake HandBrake distribution: the malware app ends up installed by the innocent-sounding name of activity_agent.

If you give activity_agent your Mac password, you are authorising it to run with administrative powers, as well as to access password-protected personal information such as your Mac Keychain.

(Keychain is your Mac’s built-in password manager, typically storing everything from Wi-Fi keys to email and other account passwords.)

In fact, activity_agent goes after a whole raft of “digital lifestyle” data, packaging it up into a series of ZIP files that are hidden in plain sight in a directory called ~/Library/VideoFrameworks.

Files that may end up stashed there so the crooks can fetch them later include:

The OSX/Proton-A malware can also interfere with existing network and application security tools for the Mac, including LittleSnitch, Radio Silence, HandsOff and popular network monitoring tool Wireshark, as well killing off any open terminal windows you may have, presumably in case you’re a malware researcher trying to collect run-time information about it.

What to look for

Proton sets itself up to load every time you login, so if you are infected you will probably see some or all of these:

(Note that the characters ~/ in a Mac directory name work as a shorthand for your home directory, usually called something like /Users/yourname/.)

In our tests, the activity_agent.plist file was not created correctly, and was incapable of re-launching the malware at logon.

Nevertheless, the malware gets to run at least once, thanks to the boobytrapped HandBrake app itself, so you may still have had your passwords and browsing history grabbed even if the malware doesn’t reload when you reboot.

Removing the malware

From a terminal window, try these commands:

$ killall HandBrake

$ launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist

$ rm -rf /tmp/HandBrake.app (if it exists)

$ rm -rf ~/Library/RenderFiles/activity_agent.app (if it exists)

Also, look in ~/Library/VideoFrameworks (if it exists) for the ZIP filenames listed above.

If proton.zip exists, so will at least one of the others, all containing personal information; these files should be deleted.

Lastly, if you installed the Handbrake app from the downloaded DMG into your own /Applications directory (or, indeed, anywhere else), don’t forget to remove it, too, and then discard the rogue DMG, or else the whole saga will happen all over again.

What to do?

If you downloaded the Handbrake Version 1.0.7 DMG outside the timeframe listed above, you are fortunate: you missed the infectious window.

If you downloaded the DMG within the infectious window timeframe, you have a 50% chance of being OK, because only the mirror server was hacked.

If you updated Handbrake using its own Check for Updates... option, you are OK because only the full DMG on the mirror server was changed.

But if you did get infected, and you did find that dreaded proton.zip file, you need to assume the worst: that the crooks know some or all of your passwords.

That means that we have to advise you to reset all of your passwords as soon as you can – after making sure you’ve removed the malware so that you don’t end up having your new passwords ripped off, too.

If you haven’t already, turn on two-factor authentication (2FA, also known as 2SV, or two-step verification) for all the accounts you can.

2FA usually requires you to enter a one-time code that changes every time, as well as entering your password, which makes each password less valuable to the crooks because it’s little or no use on their own.

You may well remember that a popular open source Bittorrent app called Transmission got hacked in 2016 in a very similar way. Not once, but twice in quick succession. You may also have wondered, given that the words handbrake and transmission both have an automotive connection, whether there’s any connection between the apps, given that the project teams seem to have been similarly careless about security. There is a connection, but it’s historical: the same author created both apps, but he is not part of the current HandBrake team.


Exit mobile version