Thanks to Anna Szalay and Xinran Wu of SophosLabs for their behind-the-scenes work on this article.
Last week, crooks managed to break into one of the download servers of a popular open-source video converter program called HandBrake.
The crooks then uploaded a hacked version of the official Mac download.
As a result, anyone who installed or reinstalled HandBrake Version 1.0.7 recently may have ended up with malware known as OSX/Proton-A.
We say “may” because there are two Handbrake download servers, but only one of them – the secondary server that acts as a mirror, or live backup, of the main server – was hacked.
As far as we can see from the HandBrake team, the load is split 50:50 between the two servers, so you had a 50% chance of getting infected during the danger period: Tuesday 2017-05-02T14:30Z to Saturday 2017-05-06T11:00Z.
The malware-infected download looks similar to the real thing when it’s opened:
The HandBrake app inside the DMG file starts running just as you might expect, but has had extra “secret sauce” compiled into it:
The HandBrake needs to install additional codecs prompt should ring alarm bells:
- “Need a codec” is an old trick used by cybercrooks, so be suspicious of prompts like this on that basis alone. (Codec is a widely-used jargon term meaning coder/decoder.)
- A decent video player or converter may offer to download additional codecs, for example if you try to watch a video in some unusual format, but be wary of apps that force extra codecs on you at the start.
- A self-contained app shouldn’t need your system password just so it can download extra or updated components, in the same way your browser doesn’t need your password every time you initiate a download, so avoid entering your password in cases like this.
Nevertheless, it’s easy to fall for a fake password dialog of this sort: both Java and Flash, for example, arrive as installers (.pkg files) rather than as self-contained apps (.app directories) like HandBrake, and both of them ask for your password at install time.
In fact, the above fake password dialog comes from additional code that’s been compiled into the fake HandBrake distribution: the malware app ends up installed by the innocent-sounding name of activity_agent.
If you give activity_agent your Mac password, you are authorising it to run with administrative powers, as well as to access password-protected personal information such as your Mac Keychain.
(Keychain is your Mac’s built-in password manager, typically storing everything from Wi-Fi keys to email and other account passwords.)
In fact, activity_agent goes after a whole raft of “digital lifestyle” data, packaging it up into a series of ZIP files that are hidden in plain sight in a directory called ~/Library/VideoFrameworks.
Files that may end up stashed there so the crooks can fetch them later include:
- KC.zip: Copies of your Keychain data.
- CR.zip: Chrome profile data, bookmarks, history, saved web data and more.
- CR_def.zip: Chrome default data.
- FF.zip: Firefox history, cookies, form history, login history, and more.
- SF.zip: Safari cookies and form history.
- OP.zip: Opera login data, cookies, saved web data and more.
- GNU_PG.zip: GNU Privacy Guard passwords and more.
- proton.zip: A ZIP containing all the above ZIPs.
The OSX/Proton-A malware can also interfere with existing network and application security tools for the Mac, including LittleSnitch, Radio Silence, HandsOff and popular network monitoring tool Wireshark, as well killing off any open terminal windows you may have, presumably in case you’re a malware researcher trying to collect run-time information about it.
What to look for
Proton sets itself up to load every time you login, so if you are infected you will probably see some or all of these:
- A directory called
~/Library/RenderFiles/activity_agent.app. This is the permanently installed malware. - A process called
~/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent. This means the malware loaded when you logged in. - A file called
~/Library/LaunchAgents/fr.handbrake.activity_agent.plist. This is the configuration file that tells your Mac to load the malware every time you login. - One or more ZIP files in the directory
~/Library/VideoFrameworksas listed above. - A directory called
/tmp/HandBrake.app. This is a temporary copy of the malware used when it runs for the first time to install all the abovementioned files and processes. - A process called
/tmp/Handbrake.app/Contents/MacOS/HandBrake. This is the running version of the previous file.
(Note that the characters ~/ in a Mac directory name work as a shorthand for your home directory, usually called something like /Users/yourname/.)
In our tests, the activity_agent.plist file was not created correctly, and was incapable of re-launching the malware at logon.
Nevertheless, the malware gets to run at least once, thanks to the boobytrapped HandBrake app itself, so you may still have had your passwords and browsing history grabbed even if the malware doesn’t reload when you reboot.
Removing the malware
From a terminal window, try these commands:
$ killall HandBrake $ launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist $ rm -rf /tmp/HandBrake.app (if it exists) $ rm -rf ~/Library/RenderFiles/activity_agent.app (if it exists)
Also, look in ~/Library/VideoFrameworks (if it exists) for the ZIP filenames listed above.
If proton.zip exists, so will at least one of the others, all containing personal information; these files should be deleted.
Lastly, if you installed the Handbrake app from the downloaded DMG into your own /Applications directory (or, indeed, anywhere else), don’t forget to remove it, too, and then discard the rogue DMG, or else the whole saga will happen all over again.
What to do?
If you downloaded the Handbrake Version 1.0.7 DMG outside the timeframe listed above, you are fortunate: you missed the infectious window.
If you downloaded the DMG within the infectious window timeframe, you have a 50% chance of being OK, because only the mirror server was hacked.
If you updated Handbrake using its own Check for Updates... option, you are OK because only the full DMG on the mirror server was changed.
But if you did get infected, and you did find that dreaded proton.zip file, you need to assume the worst: that the crooks know some or all of your passwords.
That means that we have to advise you to reset all of your passwords as soon as you can – after making sure you’ve removed the malware so that you don’t end up having your new passwords ripped off, too.
If you haven’t already, turn on two-factor authentication (2FA, also known as 2SV, or two-step verification) for all the accounts you can.
2FA usually requires you to enter a one-time code that changes every time, as well as entering your password, which makes each password less valuable to the crooks because it’s little or no use on their own.
You may well remember that a popular open source Bittorrent app called Transmission got hacked in 2016 in a very similar way. Not once, but twice in quick succession. You may also have wondered, given that the words handbrake and transmission both have an automotive connection, whether there’s any connection between the apps, given that the project teams seem to have been similarly careless about security. There is a connection, but it’s historical: the same author created both apps, but he is not part of the current HandBrake team.