If you have recently downloaded the popular open source video transcoder app HandBrake on your Mac, there are chances that your computer is infected with a notorious Remote Access Trojan (RAT).
The HandBrake team issued a security alert on Saturday, warning Mac users that one of its mirror servers for downloading the software has been compromised by hackers.
In case you aren't aware, HandBrake is an open source video transcoder app that allows Mac users to convert multimedia files from one format to another.
According to the HandBrake team, an unknown hacker or group of hackers compromised the download mirror server (download.handbrake.fr) and then replaced the Mac version of the HandBrake client (HandBrake-1.0.7.dmg) with a malicious version infected with a new variant of Proton.
Originally discovered in February on a Russian underground hacking forum, Proton is a Mac-based remote access trojan that gives attackers root access privileges to the infected system.
The affected server has been shut down for investigation, but the HandBrake team is warning that anyone who has downloaded HandBrake for Mac from the server between May 2 and May 6, 2017, has a "50/50 chance" of getting their Mac infected by Proton.
How to Check if You're Infected?
The HandBrake team has provided instructions for less technical folks, who can check if they've been infected.
Head to the OSX Activity Monitor application, and if you see a process called "Activity_agent" there, you are infected with the trojan.
You can also check hashes to verify whether the software you have downloaded is corrupted or malicious. The infected app has the following hashes:
SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793
If you have installed a HandBrake.dmg with the above checksums, you are infected with the trojan.
How to Remove the Proton RAT?
The HandBrake developers have also included removal instructions for Mac users who have been compromised.
Follow these instructions to remove the Proton RAT from your Mac:
Step 1: Open the "Terminal" application and run the following commands:
launchctl unload /Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf /Library/RenderFiles/activity_agent.app
Step 2: If /Library/VideoFrameworks/ includes proton.zip, remove the folder.
Step 3: Once done, you should remove any installations of Handbrake.app you may find.
However, instead of stopping here, head to your settings and change all the passwords that are stored in your OS X KeyChain or any browser password stores, as an extra safety measure.
Meanwhile, Mac users who have updated to HandBrake version 1.0 or later are not affected by the issue, as it uses DSA signatures to verify the downloaded files, so a malware-tainted version reportedly would not pass the DSA verification process.