HandBrake Malware Targets Mac Users Via Download Server Hack

Hackers last week replaced the latest Mac version of the HandBrake DVD ripping software with a file-stealing trojan horse

The developers of HandBrake, a popular open source software program for copying video from a DVD to computer storage, have warned some MacOS versions of the software were replaced by malware in an apparent hack last week.

An infected version of the software’s installer was placed on one of the project’s download mirror servers, download.handbrake.fr, and was made available to users from Sunday 2 May to Thursday 6 May, developers said.

’50 percent chance of infection’

While the primary download mirror and website weren’t affected, the project urged users who downloaded and installed the software last week to check for an infection.

“You have 50/50 chance if you’ve downloaded HandBrake during this period,” the project’s developers wrote in an advisory.

HandBrake is also available for Windows and Linux, but those versions weren’t affected, developers said.

HSBC, security
Hackers replaced the installer file HandBrake-1.0.7.dmg with an infected version that installs a variant of the OSX Proton trojan horse. 

OSX Proton provides attackers with remote access to infected systems, allowing them to potentially steal files, monitor what the user is typing, take screenshots or to carry out other malicious activities, according to security researchers.

Users can detect an infection by searching for a process called “Activity_agent” in MacOS’ Activity Monitor or verifying the checksums of the version of HandBrake they installed. 

Password compromise

If the trojan is found to be present, the procedure for removing it is straightforward, but developers also advised users to change all the passwords that may have been present in MacOS’ Keychain or in browser password stores, as they may have been compromised.

The malicious installer’s checksum hashes don’t match those of the official version, meaning that if users have version 1.0 or later installed the infected update would not have been automatically installed.

However, versions 0.10.5 and earlier don’t verify updates, meaning they may have automatically installed the infected file.

apple-macos-sierra-3HandBrake’s developers said the affected download mirror has been shut down and is to be rebuilt from scratch.

Some users writing on the discussion forums of the MacRumors website said they had been infected after downloading the malicious update from the HandBrake website, with one user saying the malware had caused a number of suspicious pop-up windows to appear, asking for a system password.

“If you see any suspicious password dialogs, do not enter your password,” the user wrote.

Security experts noted that while Mac users are targeted less frequently than Windows systems, they may be more vulnerable since they’re less likely to be running security software.

“Yes, there’s a lot less malware for Mac OS X than there is for Microsoft Windows, but that’s going to be little consolation if you’re unfortunate enough to find yourself a victim,” wrote computer security expert Graham Cluley in a blog post. “Personally I think any Mac users connecting to the internet without an anti-virus solution in place is being downright foolhardy.”

Do you know all about security in 2017? Try our quiz!