The handlers of the project urge users to verify the SHA1 or SHA256 sum of the file before running it.
SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274 SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793
“Anyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1 / 256 sum of the file before running it.” reads a security warning published on the HandBrake forum.
“Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have 50/50 chance if you’ve downloaded HandBrake during this period.”
The software contained a new strain of the Proton malware for MacOS that is a remote access tool (RAT) available for sale on some cybercrime forums.
The Proton RAT first appeared in the threat landscape last year, the variant recently advertised on hacking forums includes many features such as the ability to execute console commands, access the user’s webcam, log keystrokes, capture screenshots and open SSH/VNC remote connections. The malicious code is also able to inject malicious code in the user’s browser to display popups asking victims’ information such as credit card numbers, login credentials, and others.
In order to obtain admin privileges, the rogue HandBrake installer asked Mac users for their password under the guise of installing additional video codecs.
According to the security expert Patrick Wardle, the Proton variant used in this attack was not detected by antimalware engines on VirusTotal.
The advisory published on the HandBrake forum also provides manual removal instructions. Mac users who have found the malware on their Macs must change all the passwords stored in their macOS keychains or browsers.
Crooks have used similar tactics in the past to spread malware, the macOS version of the popular Transmission BitTorrent client was found distributing Mac malware two times.
(Security Affairs – HandBrake, Proton RAT)