Russian RATs bite Handbrake OSX download mirror
Check your hash, delete the app, change your passwords
If you use the popular video transcoder Handbrake on a Mac, the distributors want you to check the download hash after one of their mirrors was compromised.
Users who downloaded a trojan-infected version of Handbrake will need to change all their KeyChain passwords (lovely), and any passwords they stored in their browsers.
The announcement is in this note posted to the application's forums on Saturday.
The distributors say they're still investigating the compromise, which happened between 2 May 2017 (14:30 UTC) and 6 May 2017 (11:00 UTC).
“Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have 50/50 chance if you've downloaded HandBrake during this period,” the note states. Windows users aren't affected.
The note says Mac users can check if they've been infected in Activity Monitor, because the malicious app runs a process called
Activity_agent. The infection is a new version of OSX.PROTON, a Russian-attributed remote access trojan (RAT) first seen in February.
The removal instructions (in Terminal) given in the post are:
- launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
- rm -rf ~/Library/RenderFiles/activity_agent.app
- if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
After which, the user should remove any installations of Handbrake.app they can find.
The organisation doesn't know how the attackers got access to the secondary download mirror, but they've shut it down. The post adds that Apple started rolling out detection to its OSX Protect over the weekend. ®