The HandBrake project published a security alert after its download mirror was compromised. From the alert:

"Anyone who has downloaded HandBrake on Mac between and needs to verify the SHA1 / 256 sum of the file before running it. Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have 50/50 chance if you've downloaded HandBrake during this period."

The security alert also provided the SHA-1 hash of the disk image that was trojaned by the hackers: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274.

Hopping over to VirusTotal, we can see that while this .dmg was submitted for analysis, no anti-virus engines are currently flagging it.

With the .dmg in hand (I've shared it here; password: infect3d), analysis can commence. Since it's the weekend, I'm going to take the 'lazy' (efficient?) route and basically just run the infected application and see what happens :)

In order to facilitate malware analysis I wrote a simple user-mode 'process monitor' library that allows us to easily track what an application is doing, in terms of spawning other processes, etc.:

    binary=/Volumes/HandBrake/HandBrake.app/Contents/MacOS/HandBrake

    Args: "-c", "pgrep -x activity_agent & echo Queue.hbqueue"

    Args: "-P", "qzyuzacCELFEYiJ52mhjEC7HYl4eUPAR1EEf63oQ5iTkuNIhzRk2JUKF4IXTRdiQ", "/Volumes/HandBrake/HandBrake.app/Contents/Resources/HBPlayerHUDMainController.nib", "-d", "/tmp"

The first child is a shell one-liner that checks (via pgrep -x) whether an activity_agent process is already running; the second is an unzip of the 'nib' resource into /tmp, with the archive password supplied via -P. So yeah, when run, the infected HandBrake application:

- unzips Contents/Resources/HBPlayerHUDMainController.nib to /tmp/HandBrake.app. This 'nib' is in fact a password-protected zip file, whose password is: qzyuzacCELFEYiJ52mhjEC7HYl4eUPAR1EEf63oQ5iTkuNIhzRk2JUKF4IXTRdiQ
- once /tmp/HandBrake.app is launched, displays a (fake) authentication popup, which is how the malware attempts to capture the user's credentials and elevate its privileges:
- if the user is tricked into providing a user name and password, installs itself (/tmp/HandBrake.app) persistently as 'activity_agent.app'.

Thankfully, BlockBlock can alert us of this fact:

Dumping the Launch Agent plist file (fr.handbrake.activity_agent.plist), we can see the malware has been set to automatically start each time the user logs in, from:

    /Users/user/Library/RenderFiles/activity_agent.app/

According to the HandBrake advisory, the malware's persistent component, activity_agent.app, is "a new variant of OSX.PROTON". Proton (variant 'A') was discussed earlier this year by the media (for example, see "Hackers Selling Undetectable Proton Malware for macOS in 40 BTC"). Though Apple released an XProtect signature for it, the sample was never publicly shared. However, the malware author was kind enough to describe ('advertise') its capabilities:

With the HandBrake hack, we finally have a variant for analysis :)

Initial triage confirms that, yes, this is a variant of OSX/Proton ('B'), although some of the features found in the 'A' variant (such as the ability to take screenshots) are not present. Again, unsurprisingly, this new variant of OSX/Proton is also currently undetected by any anti-virus engines on VirusTotal:

Interested in the technical details of OSX/Proton.B? I wrote them up in a new blog post, "OSX/Proton.B (a brief analysis, at 6 miles up)".

As with KeRanger and Keydnap, hackers targeted an official distribution website of legitimate macOS software. With access to HandBrake's mirror, they trojaned the legitimate application, meaning any user who downloaded the application would inadvertently infect themselves! Luckily the trojaned disk image was only online for a few days. However, as is often (always!?) the case, no anti-virus products flagged the malware :( So if you recently downloaded HandBrake, unless you were running something like BlockBlock, you'd likely have been infected.

To check if you're infected, look for the following: an application named 'activity_agent.app' in ~/Library/RenderFiles/.
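The advisory's "verify the hash" step and the infection check at the end of the post, as an added example (this is not code from the original post, from HandBrake or from BlockBlock). The known-bad SHA-1, the activity_agent.app path, the launch agent name from the HandBrake advisory, the malware's own pgrep check and the zip-disguised-as-a-nib trick all come from the post; the function names, the optional expected-SHA-256 argument (the legitimate value lives on the project's download page and is not reproduced here) and the directory parameters are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or the HandBrake project.
# Checks a downloaded HandBrake .dmg the way the advisory asks, then looks for the
# OSX/Proton.B artifacts the post lists. Function names and the optional
# expected-SHA-256 argument are this script's own; the hash and paths are from the post.

# SHA-1 of the trojaned disk image, as published in the HandBrake security alert.
BAD_DMG_SHA1="0935a43ca90c6c419a49e4f8f1d75e68cd70b274"

# Print the hex digest of a file with shasum (macOS) or the coreutils tools (Linux).
sha1_of() {
    if command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    else
        sha1sum "$1" | awk '{print $1}'
    fi
}
sha256_of() {
    if command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        sha256sum "$1" | awk '{print $1}'
    fi
}

# check_dmg FILE [EXPECTED_SHA256]
#   2: FILE is the trojaned image (its SHA-1 matches the advisory's hash)
#   1: EXPECTED_SHA256 (the value from the project's download page) was given and differs
#   0: neither problem found
check_dmg() {
    dmg="$1"
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$(sha1_of "$dmg")" = "$BAD_DMG_SHA1" ]; then
        echo "TROJANED: $dmg matches the advisory's SHA-1 $BAD_DMG_SHA1"
        return 2
    fi
    if [ -n "$expected" ] && [ "$(sha256_of "$dmg")" != "$expected" ]; then
        echo "MISMATCH: $dmg does not have the expected SHA-256 $expected"
        return 1
    fi
    echo "ok: $dmg is not the known-bad image"
    return 0
}

# nib_is_zip FILE: the trojaned HBPlayerHUDMainController.nib is really a password-protected
# zip, so it starts with the zip local-file-header signature 50 4b 03 04. A genuine compiled
# nib (a NIBArchive or keyed-archive plist) never does. Returns 0 when the signature is present.
nib_is_zip() {
    sig=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "504b0304" ]
}

# check_proton_iocs [HOME_DIR] [TMP_DIR]: look for the persistent bundle, its launch agent,
# the staged copy in /tmp and a running agent (the malware's own pgrep check, as seen in
# the process monitor output). Prints each hit and returns the hit count (0 = clean).
# The directory arguments exist so the check can be run against a copied or test home.
check_proton_iocs() {
    home="${1:-$HOME}"
    tmpdir="${2:-/tmp}"
    hits=0
    for p in "$home/Library/RenderFiles/activity_agent.app" \
             "$home/Library/LaunchAgents/fr.handbrake.activity_agent.plist" \
             "$tmpdir/HandBrake.app"; do
        if [ -e "$p" ]; then
            echo "found: $p"
            hits=$((hits + 1))
        fi
    done
    if pgrep -x activity_agent >/dev/null 2>&1; then
        echo "running: activity_agent"
        hits=$((hits + 1))
    fi
    return "$hits"
}

# Usage: sh check_handbrake.sh /path/to/HandBrake.dmg [expected-sha256-from-download-page]
if [ $# -ge 1 ]; then
    check_dmg "$1" "$2"
    check_proton_iocs
fi
```

Matching the advisory's known-bad SHA-1 only tells you that you have this particular trojaned image; passing the legitimate SHA-256 from the download page is what actually proves a file is the one the project shipped. The nib check is worth running on any HandBrake bundle you still have mounted or copied: a resource that is supposed to be a compiled interface file but carries a zip signature is the infection at a glance, no VirusTotal needed.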