Legitimate software download server was hacked to push Proton Trojan

Developers of an open-source video ripping and conversion software Handbrake issued a report ^[1] earlier this month, informing users about a security infringement which has affected one of the software download servers. The report reveals that Handbrake’s mirror download server download.handbrake.fr was taken down by an unknown group of hackers who have re-programmed it to deliver a dangerous Proton Trojan disguised as the legitimate software. The users who have downloaded Handbrake between the 2nd and 6th of May, 2017 probably had no idea they were about to become victims of this stealthy backdoor attack. The hack was specifically targeted towards Mac OS X users. Upon installation, the malware asked victims for the administration password which was then immediately forwarded to the criminal servers along with a bunch of other information extracted from the infected device. The stolen data included password keychains, vaults and other sensitive information that may have been used to hijack and take full control of the device. Such device may then be used to spy on the victim, phish out some online banking details and, eventually, rob you off your money.

In fact, Proton backdoor is currently up for sale on the dark web, and it does not come cheap. Criminals demand $63,000 from anyone who also wants a bite of the extortion cake. This software grants an evil privilege of using various data tracking tools, including keylogging, remote login access, webcam control, desktop screenshot and recording ability. Such tracking can easily result in major financial losses and identity theft so, it goes without saying that the users must take all measures possible to terminate the Trojan. But how can you tell whether the software you have downloaded is really a backdoor carrier? After all, Handbrake creators themselves say that there is 50-50 percent chance of infection ^[2]. Luckily, malware researcher Amit Serper has an answer to that. What he suggests doing is looking at your OSX Activity Monitor’s process list. If you see “activity_agent” process running on it — you are probably infected. Besides, Proton keeps the data it steals in the proton.zip file which is typically stored in the ~/Library/VideoFrameworks directory. The presence of this file is another tell-tale sign your device might be infected. If you notice any of these symptoms or other suspicious behavior on your Mac, do not shove it under the rug. Investigate your computer by running a scan with a trusted antivirus utility.