Alert to Mac users

By Balamurugan Selvaraj Published on May 10, 2017 03:53 PM IST

A few days ago, the HandBrake team warned users that one of its download mirror servers had been compromised by hackers. HandBrake is an open source video transcoder app that converts video from one format to another. The project has therefore warned its Mac users to uninstall the malicious version.

On 6 May, the project warned its users about the compromise of its servers. According to the HandBrake team, an unknown hacker or group had taken over one of its download mirror servers (download.handbrake.fr) and replaced the Mac version of the HandBrake client (HandBrake-1.0.7.dmg) with a malicious build bundling the latest version of Proton.

Proton, a Mac-based Trojan, was first seen on a Russian underground hacking forum in February. The Trojan is designed to give the attacker root access to the infected system.

Although the affected server has been taken offline for further investigation, the project has still warned its users: "Users who had downloaded HandBrake for Mac from the infected server between 2 May and 6 May 2017 have a '50/50 chance' of getting their Mac infected by Proton."

The team also provided instructions for checking whether a system has been infected. If the OS X Activity Monitor application lists a process called 'Activity agent', the Mac is infected with Proton. Infection can also be identified by comparing the hashes of the downloaded installer against the known-bad values. The checksums of the malicious installer are:

SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274

SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

If you downloaded and installed a copy of the software matching the checksums above, your system is infected with the Trojan. The project has also published instructions for removing Proton from an infected system.

They are:

Step 1: Open the 'Terminal' application and run the following two commands:

launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app

Step 2: If ~/Library/VideoFrameworks/ contains proton.zip, remove that folder.

Step 3: Then remove all installations of HandBrake from the Mac.

As a precaution, change any passwords stored in the OS X keychain and in browser password stores.

Users who updated to HandBrake version 1.0 or above were not affected by this issue, because the update process uses DSA signatures to verify the downloaded files. This is an alert to Mac users who, knowingly or unknowingly, have installed a build of the HandBrake transcoder app infected with this dangerous remote access Trojan.