HandBrake For Mac Mirror Server Was Compromised And Infected With PROTON Malware

Posted in Categories: Open Source, Security. Last updated May 7, 2017

HandBrake is a free, open-source transcoder for digital video files. It makes ripping a film from a DVD to a storage device such as a NAS box easier. HandBrake runs on Linux, macOS, and Windows. A recent HandBrake for Mac download (and possibly other downloads from the same mirror) was replaced with a malware-infected copy. If you downloaded HandBrake for Mac between 2 May 2017 and 6 May 2017, delete the file immediately and check your system. The trojanised download carried a new variant of the OSX.PROTON malware.


What happened?

  1. HandBrake-1.0.7.dmg was replaced by another unknown malicious file that DOES NOT match the SHA1 / SHA256 hashes on our website or on our Github Wiki which mirrors these: https://github.com/HandBrake/HandBrake/wiki/Checksums
  2. The affected download mirror (download.handbrake.fr) has been shut down for investigation.
  3. The Primary Download Mirror and website were unaffected.
  4. Downloads via the application's built-in updater with 1.0 and later are unaffected. These are verified by a DSA signature and will not install if they don’t pass.
  5. Downloads via the application's built-in updater with 0.10.5 and earlier did not have verification, so you should check your system if you are on one of these older releases.

How do I find out if my macOS was compromised?

From the official forum:

If you see a process called “Activity_agent” in the OSX Activity Monitor application, you are infected. For reference, if you’ve installed a HandBrake.dmg with the following checksums, you are also infected:

SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

The Trojan in question is a new variant of OSX.PROTON.

How do I remove it?

Open the “Terminal” application and run the following commands:
$ launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
$ rm -rf ~/Library/RenderFiles/activity_agent.app

If ~/Library/VideoFrameworks/ contains proton.zip, remove that folder. Then remove any “HandBrake.app” installs you may have. Note that launchctl unload only stops the agent for the current session; the .plist file under ~/Library/LaunchAgents stays on disk and is read again at the next login, so delete it as well.

Connection with Transmission’s malware hack

It seems that the author/developer of Transmission and HandBrake are the same people. In the past, Transmission’s download was replaced with a malware-infected copy too. Coincidence? I don’t think so.

For more info see:

2 comments

  1. You need to be in terminal root, then search system files to assure all are gone, as it loads again at boot up.
    Also: I found a second file – activity_agent.plist.e.
    This needs to be removed too.

  2. “It seems that the author/developer of Transmission and Handbrake are the same people. In past Transmission’s download being replaced with infected malware too. Coincidence? I don’t think so.”

    The developers are 2 different groups of people. The original developer who created the projects doesn’t work on them now and hasn’t for a long time. HandBrake has its own virtual machines that are independent of whatever Transmission runs.
