On Saturday, 6 May, the maintainers of the popular video-conversion tool HandBrake published a post on their forum. It opens by stating that the post is relevant to anyone who downloaded HandBrake between 2 May and 6 May. The project apologizes that it was unable to prevent attackers from seeding its download mirror server with malware. HandBrake itself is a legitimate tool and can still be recommended; however, since the attackers managed to bundle a Trojan with it, users should verify that the copy they installed is a clean one.
How do I know if I am infected?
The post on the official forum gives precise directions on how to recognize the infection. Mac users should open the Activity Monitor app: if it lists a process named “Activity_agent”, the HandBrake copy you downloaded brought a Trojan onto the system. You may wonder why Windows and Linux users are not addressed in the official warning; it appears that after compromising the HandBrake mirror, the attackers targeted only the Mac version.
Infected users are dealing with the OSX/Proton.A Trojan. Its main purpose is to give attackers remote control over the infected system, which means they can silently monitor the victim's activity, including the websites visited and the information entered. For instance, if the user logs into an online banking account, the credentials can be harvested through the Trojan's screenshot and keylogging features.
A keylogger records whatever you type on the keyboard. Attackers can also invade users' privacy further by spying on them through the webcam. In short, an infection with the Proton Trojan is a serious incident. Mac malware is especially dangerous because it hits users who believe their platform is invincible and who therefore do not bother to protect their machines with anti-virus or anti-malware tools.
Removal of the Proton Trojan
Deleting this infection is not difficult; it is detection that is the greater concern. Many Mac users do not follow security news and will not realize that their downloaded HandBrake came with a malicious companion. To remove the malware, first launch the Terminal application and execute these commands:
launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app
If ~/Library/VideoFrameworks/ contains proton.zip, remove that folder.
Then remove any “HandBrake.app” installs you may have.
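The detection check from the section above (look for the “Activity_agent” process) and the removal steps just listed, combined into one shell script as an added example; this is not HandBrake's own script. The process name and the three on-disk paths are the ones the forum post names; the HOME_DIR parameter, the function names and the deletion of the plist file itself (the post only unloads it) are this example's own choices. The removal function only runs when explicitly asked for, so the script can be used purely as a scanner.

```shell
#!/bin/sh
# Added example, not HandBrake's own script. It checks a home directory for the
# indicators the HandBrake forum post names (the Activity_agent process and the
# three on-disk paths) and can apply the post's removal steps. HOME_DIR is a
# parameter so the functions can be exercised against a throwaway directory.

# On-disk indicators, relative to the user's home directory (from the forum post)
PLIST_REL="Library/LaunchAgents/fr.handbrake.activity_agent.plist"
APP_REL="Library/RenderFiles/activity_agent.app"
ZIP_REL="Library/VideoFrameworks/proton.zip"
VF_REL="Library/VideoFrameworks"

# proton_indicators HOME_DIR
# Prints the full path of every indicator present under HOME_DIR, one per line.
proton_indicators() {
    home="$1"
    for rel in "$PLIST_REL" "$APP_REL" "$ZIP_REL"; do
        if [ -e "$home/$rel" ]; then
            echo "$home/$rel"
        fi
    done
    return 0
}

# proton_process_running
# Succeeds (exit 0) when a process named activity_agent is listed; this is the
# same check the post asks users to perform by hand in Activity Monitor.
proton_process_running() {
    ps -eo comm= 2>/dev/null | grep -qi 'activity_agent'
}

# proton_remove HOME_DIR
# Applies the post's removal steps under HOME_DIR. launchctl exists only on
# macOS, so the unload is skipped elsewhere; deleting the plist file itself is
# an addition of this example (the post only unloads it).
proton_remove() {
    home="$1"
    if [ -e "$home/$PLIST_REL" ]; then
        if command -v launchctl >/dev/null 2>&1; then
            launchctl unload "$home/$PLIST_REL" || true
        fi
        rm -f "$home/$PLIST_REL"
    fi
    rm -rf "$home/$APP_REL"
    # The post says to remove the whole folder only if it holds proton.zip
    if [ -e "$home/$ZIP_REL" ]; then
        rm -rf "$home/$VF_REL"
    fi
    return 0
}

# Command-line use: `sh proton_check.sh scan` reports findings for the current
# user, `sh proton_check.sh remove` applies the removal steps to the current user.
case "${1:-}" in
    scan)
        proton_indicators "$HOME"
        if proton_process_running; then
            echo "FOUND: activity_agent process is running"
        fi
        ;;
    remove)
        proton_remove "$HOME"
        ;;
esac
```

Removing any HandBrake.app installs and changing the passwords of accounts used after the download remain manual steps; the script only covers the indicators the post lists under the home directory.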
However, this is not enough. You should also change the passwords of every account you accessed after the rogue version of HandBrake was downloaded, and do so immediately: attackers will not wait long before stealing money or committing other crimes once they have the opportunity. HandBrake's developers indicated that they are working hard on restoring the download mirror server so that it serves only legitimate copies of the tool.
Sources: forum.handbrake.fr