Crooks hacked Eltima's servers to distribute OSX/Proton Trojan

Eltima website was hacked to distribute maliciously modified Elmedia Player

Crooks compromised Eltima's website to spread OSX/Proton malware

Eltima, the developer of several popular macOS and Windows apps, was hacked in the second half of October.[1] The attackers specifically targeted macOS users, since the player is built for Apple devices. The criminals swapped the original Elmedia Player installer for a trojanized one.

According to the researchers, the trojanized installer was available for almost 24 hours, and around 1000 people downloaded it. Once installed, the malware opened a fake Apple password prompt and lured users into handing over access to their admin accounts.

Researchers[2] informed the company about the compromised player, and Eltima removed the corrupted files from its download servers on October 19.

Representatives of Eltima explained that the criminals broke into the system through a vulnerability in a JavaScript-based library they use, TinyMCE. The hackers bundled the Elmedia Player with the MacOSX/Proton[3] remote access Trojan, which is available on the underground.

Proton malware gathers a vast amount of personal information

Cybercriminals are keen to use MacOSX/Proton because it lets them collect personal data such as browsing history, cookies, passwords, cryptocurrency wallet access and much more. This may lead to substantial financial damage, privacy issues or even identity theft.

Eltima warns that if you downloaded Elmedia Player before October 19, 3:15 PM, your computer is most probably infected. Our IT specialists recommend checking for the following folders and files on your computer to determine whether the malware is present:

  • /Library/.rand/
  • /tmp/
  • /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
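As an added check that is not part of the article or of Eltima's own tooling, the POSIX shell function below tests a volume for the indicator paths listed above. The ROOT argument is an assumption of this example: it lets the check run against a mounted disk image or a constructed test tree instead of the live system.

```shell
#!/bin/sh
# Added example: looks for the Elmedia/Proton indicator paths named in the
# article. Not an official Eltima or ESET tool.
# /tmp/ from the article's list is deliberately not checked on its own: that
# directory exists on every Mac, so its presence proves nothing by itself.

# Indicator paths quoted in the article, relative to the volume root.
PROTON_IOCS="/Library/.rand/ /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist"

# check_proton_iocs [ROOT]
#   ROOT defaults to "/" (the live system); pass a mount point or a test tree
#   to inspect another volume. Prints "FOUND: <path>" for every indicator that
#   exists under ROOT. Returns 0 when nothing was found and 1 when at least one
#   indicator is present, so the function can drive an "if" or a cron alert.
check_proton_iocs() {
    root="${1:-/}"
    found=0
    for ioc in $PROTON_IOCS; do
        # strip a trailing slash from ROOT so "/" and "/Volumes/Disk/" both work
        target="${root%/}$ioc"
        if [ -e "$target" ]; then
            echo "FOUND: $target"
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]
}
```

Run it as `check_proton_iocs /` on the machine in question, or `check_proton_iocs /Volumes/Suspect` against a mounted image; a non-zero exit status means at least one indicator was present.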

Moreover, Proton allows the attackers to remotely install additional malware on the infected system. This makes removal a complicated process, because you may never know what other malware it has stealthily installed.

Criminals used fake Apple ID to bypass Gatekeeper

The attackers signed the installer with a developer ID issued under the name Clifton Grimm, so that the download passed Gatekeeper's[4] verification and was allowed to run. As a result, the victims had no warning that a malicious program was being installed.

Apple immediately revoked the fraudulently obtained developer ID. However, the incident raises concerns about the safety of the ID system.

Similar attacks have been performed before

A similar attack was performed on the HandBrake website in May[5]. The attackers bundled the Proton malware with the original video converter application by tampering with its installer. Analysts state that both attacks may have been perpetrated by the same group of hackers.

Thus, we strongly recommend being aware of the possible threats and consequences that may arise from such attacks. Researchers state that the only way to remove the malware is to reinstall macOS entirely.

Also, note that the personal information mentioned above should be treated as compromised. Therefore, we encourage you to contact your bank about possible unauthorized transactions from your account and to take steps to protect your other valuable data.

About the author
Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has long experience in the malware and technology fields.
