The handlers of the project urge users to verify the SHA1 or SHA256 sum of the file before running it.
SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274 SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793
“Anyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1 / 256 sum of the file before running it.” reads a security warning published on the HandBrake forum.
“Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have 50/50 chance if you’ve downloaded HandBrake during this period.”
The software contained a new strain of the Proton malware for MacOS that is a remote access tool (RAT) available for sale on some cybercrime forums.
The Proton RAT first appeared in the threat landscape last year, the variant recently advertised on hacking forums includes many features such as the ability to execute console commands, access the user’s webcam, log keystrokes, capture screenshots and open SSH/VNC remote connections. The malicious code is also able to inject malicious code in the user’s browser to display popups asking victims’ information such as credit card numbers, login credentials, and others.
In order to obtain admin privileges, the rogue HandBrake installer asked Mac users for their password under the guise of installing additional video codecs.
According to the security expert Patrick Wardle, the Proton variant used in this attack was not detected by antimalware engines on VirusTotal.
The advisory published on the HandBrake forum also provides manual removal instructions. Mac users who have found the malware on their Macs must change all the passwords stored in their macOS keychains or browsers.
Crooks have used similar tactics in the past to spread malware, the macOS version of the popular Transmission BitTorrent client was found distributing Mac malware two times.
(Security Affairs – HandBrake, Proton RAT)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.