HandBrake For Mac Mirror Server Was Compromised And Infected With PROTON Malware

HandBrake is a free and open-source transcoder for digital video files. It makes ripping a film from a DVD to a storage device such as a NAS box easier. HandBrake runs on Linux, macOS, and Windows. A recent version of HandBrake for Mac, and possibly other downloads hosted on the same mirror, was infected with malware. If you downloaded HandBrake for Mac between 2 May 2017 and 6 May 2017, delete the file ASAP: the download had been replaced with a new variant of the OSX.PROTON malware.

What happened?

  1. HandBrake-1.0.7.dmg was replaced by another unknown malicious file that DOES NOT match the SHA1 / SHA256 hashes on our website or on our Github Wiki which mirrors these: https://github.com/HandBrake/HandBrake/wiki/Checksums
  2. The affected download mirror (download.handbrake.fr) has been shut down for investigation.
  3. The primary download mirror and website were unaffected.
  4. Downloads via the application's built-in updater with 1.0 and later are unaffected. These are verified by a DSA signature and will not install if they don't pass.
  5. Downloads via the application's built-in updater with 0.10.5 and earlier did not have verification, so you should check your system if you use these older releases.

How do I find out if my macOS was compromised?

From the official forum:

If you see a process called “Activity_agent” in the OSX Activity Monitor application, you are infected. For reference, if you installed a HandBrake.dmg with the following checksums, you are also infected:

SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

The Trojan in question is a new variant of OSX.PROTON
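Checking by eye in Activity Monitor is easy to get wrong, and a hash is only useful if you actually compare it. The script below is an added example, not code from the HandBrake project or from the original article: it compares a downloaded .dmg against the known-bad SHA-256 quoted above and scans a home directory for the persistence artefacts the forum post names (the launch agent plist, the activity_agent.app bundle, proton.zip, and a running activity_agent process). The home directory is a parameter rather than a hard-coded $HOME so a copied or mounted user profile can be scanned. Note that a hash that merely does not match the bad one proves nothing; compare it with the good hash on the HandBrake checksums wiki before trusting the image.

```shell
# Added example, not code from the HandBrake project or the original article.
# Checks a downloaded .dmg against the known-bad SHA-256 quoted above and
# scans a home directory for the PROTON artefacts the forum post names.
# POSIX sh, so it runs under macOS /bin/sh as well as Linux.

# SHA-256 of the trojaned HandBrake-1.0.7.dmg, as quoted on this page.
BAD_SHA256="013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793"

# Portable SHA-256: macOS ships shasum, most Linux distributions sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Prints INFECTED if the file is the trojaned image, otherwise unknown.
# "unknown" is not "clean": compare the hash with the good one on the
# HandBrake checksums wiki (not reproduced here) before trusting the image.
check_dmg() {
    if [ "$(sha256_of "$1")" = "$BAD_SHA256" ]; then
        echo INFECTED
    else
        echo unknown
    fi
}

# Looks for the persistence artefacts listed in the forum post under the
# given home directory. Prints each hit and returns 1 if anything was
# found, 0 if the directory looks clean.
scan_home() {
    home="$1"
    found=0
    for p in \
        "$home/Library/LaunchAgents/fr.handbrake.activity_agent.plist" \
        "$home/Library/RenderFiles/activity_agent.app" \
        "$home/Library/VideoFrameworks/proton.zip"
    do
        if [ -e "$p" ]; then
            echo "found: $p"
            found=1
        fi
    done
    # A live agent process, under either spelling seen in Activity Monitor.
    for name in activity_agent Activity_agent; do
        if command -v pgrep >/dev/null 2>&1 && pgrep -x "$name" >/dev/null 2>&1; then
            echo "found: running process $name"
            found=1
        fi
    done
    return $found
}

# Stand-alone use: sh proton_check.sh [file.dmg ...]
# Hashes every file given on the command line, then scans the caller's home.
for f in "$@"; do
    echo "$f: $(check_dmg "$f")"
done
if [ -n "${HOME:-}" ]; then
    if scan_home "$HOME"; then
        echo "no PROTON indicators under $HOME"
    fi
fi
```

If scan_home reports a hit, treat the machine as compromised and go on to the removal steps; PROTON is a credential and keychain stealer, so change passwords that were stored on the affected Mac as well.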

How do I remove it?

Open the “Terminal” application and run the following commands as the affected user:
$ launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
$ rm -rf ~/Library/RenderFiles/activity_agent.app

If ~/Library/VideoFrameworks/ contains proton.zip, remove that folder. Then remove any “HandBrake.app” installs you may have and reinstall from the primary download mirror only after verifying the checksums.
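The three manual steps above are easy to run in the wrong order or against the wrong path. This is an added example, not code from the HandBrake project or the original article, that performs the same clean-up against a home directory given as an argument: unload the launch agent first so nothing is re-spawned mid-cleanup, delete the dropped bundle, delete ~/Library/VideoFrameworks only when it actually holds proton.zip, and delete a per-user ~/Applications/HandBrake.app. It prints what it removed and returns the count, so it can first be run against a copy of the profile to see what would happen. It assumes the paths listed on this page and nothing else; a system-wide /Applications/HandBrake.app is deliberately left for you to remove by hand.

```shell
# Added example, not code from the HandBrake project or the original article.
# Run as the affected user, not root: the agent lives in that user's ~/Library
# and launchctl unload acts on the calling user's launchd domain.

# Removes the artefacts under home directory $1, lists each removal on
# stderr and prints the number removed on stdout.
remove_proton() {
    home="$1"
    count=0
    plist="$home/Library/LaunchAgents/fr.handbrake.activity_agent.plist"
    bundle="$home/Library/RenderFiles/activity_agent.app"
    frameworks="$home/Library/VideoFrameworks"
    app="$home/Applications/HandBrake.app"

    # Stop persistence first. launchctl and the agent exist only on macOS;
    # elsewhere (e.g. a profile copied to a Linux box) just delete the file.
    if [ -f "$plist" ]; then
        if command -v launchctl >/dev/null 2>&1; then
            launchctl unload "$plist" 2>/dev/null || true
            pkill -x activity_agent 2>/dev/null || true
        fi
        rm -f "$plist"
        echo "removed: $plist" >&2
        count=$((count + 1))
    fi

    # The dropped application bundle.
    if [ -d "$bundle" ]; then
        rm -rf "$bundle"
        echo "removed: $bundle" >&2
        count=$((count + 1))
    fi

    # Only delete VideoFrameworks when it really holds the payload archive;
    # an unrelated folder of the same name is left alone.
    if [ -f "$frameworks/proton.zip" ]; then
        rm -rf "$frameworks"
        echo "removed: $frameworks" >&2
        count=$((count + 1))
    fi

    # A per-user HandBrake.app. A system-wide /Applications/HandBrake.app is
    # outside this home directory and must be removed separately.
    if [ -d "$app" ]; then
        rm -rf "$app"
        echo "removed: $app" >&2
        count=$((count + 1))
    fi

    echo "$count"
}

# Stand-alone use: sh proton_remove.sh /Users/<name>
# The home directory must be given explicitly; nothing is touched otherwise.
if [ -n "${1:-}" ]; then
    n=$(remove_proton "$1")
    echo "$n artefact(s) removed from $1"
fi
```

After running it, reboot and re-run the detection check; if the agent is still present after a reboot, something other than the listed paths is re-creating it and the machine should be rebuilt rather than cleaned further.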

Connection with Transmission’s malware hack

It seems that the authors/developers of Transmission and HandBrake are the same people. In the past, Transmission’s download was replaced with an infected build too. Coincidence? I don’t think so.

For more info see:


2 comments
  • Scott May 7, 2017 @ 11:59

    “It seems that the author/developer of Transmission and Handbrake are the same people. In past Transmission’s download being replaced with infected malware too. Coincidence? I don’t think so.”

    The developers are 2 different groups of people. The original developer who created the projects doesn’t work on them now and hasn’t for a long time. HandBrake has its own virtual machines that are independent of whatever Transmission runs.

  • Dana May 8, 2017 @ 1:20

    You need to be in terminal root, then search system files to assure all are gone, as it loads again at boot up.
    Also: I found a second file – activity_agent.plist.e.
    This needs to be removed too.
