Proton spyware attacks Macs via HandBrake

by Jake Doevan

HandBrake, an open source video transcoder, announced that the Mac version of the software was infected with espionage malware and that users who recently installed it may have compromised their devices.[1]


Consumers were informed about one of the infected HandBrake download servers in May 2017. Basically, anyone who downloaded the Mac software may also have downloaded a variant of the OSX.PROTON spyware.

HandBrake reported that “anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have 50/50 chance if you’ve downloaded HandBrake during this period”.[2]

Apple excluded the feature that prevents new malware from entering the system from XProtect, the iOS AntiVirus system. Thus, HandBrake encourages consumers to change all their old passwords stored in browsers and in the OS X Keychain.[3]

HandBrake provides completely free software that rips and converts digital video files to work on supported devices. HandBrake offers its users software for Windows, Linux and Mac operating systems; however, the Mac variant is the one that was compromised. Before opening and running the software, users were advised to verify SHA1 or SHA256 checksums.[4]

The bad SHA checksums include:

SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

“If you see a process called ‘activity_agent’ in the OSX Activity Monitor application, you are infected”, the HandBrake advisory noted.
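The two checks described above (comparing a download against the known-bad checksums and looking for the `activity_agent` process) can be scripted. This is an added example, not code from HandBrake or from the original article; the function names are hypothetical, and the process listing is assumed to come from `ps -axo pid=,comm=`.

```python
import hashlib
import subprocess
import sys

# Known-bad checksums of the infected download, as listed in the article.
BAD_SHA1 = "0935a43ca90c6c419a49e4f8f1d75e68cd70b274"
BAD_SHA256 = "013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793"
SUSPECT_PROCESS = "activity_agent"  # process name quoted from the advisory


def file_digests(path, chunk_size=1 << 20):
    """Return (sha1, sha256) hex digests, reading the file once in chunks."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return sha1.hexdigest(), sha256.hexdigest()


def is_known_bad(sha1, sha256):
    """True if either digest equals a known-bad checksum (case-insensitive)."""
    return sha1.lower() == BAD_SHA1 or sha256.lower() == BAD_SHA256


def suspect_processes(ps_output):
    """Return `ps` lines whose executable (final path component) is activity_agent."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[1].rsplit("/", 1)[-1] == SUSPECT_PROCESS:
            hits.append(line.strip())
    return hits


def main(path):
    sha1, sha256 = file_digests(path)
    bad = is_known_bad(sha1, sha256)
    ps = subprocess.run(["ps", "-axo", "pid=,comm="], capture_output=True, text=True).stdout
    hits = suspect_processes(ps)
    print(f"SHA1:   {sha1}\nSHA256: {sha256}")
    print("MATCHES known-bad checksum" if bad else "no known-bad checksum match")
    for hit in hits:
        print("suspect process:", hit)
    return 1 if bad or hits else 0  # non-zero exit when either check fires


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))  # argument: path to the downloaded file
```

A file that does not match the bad checksums is not thereby shown to be genuine; it should also be compared against the checksum the project publishes for that release.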

The Proton Trojan, also known as Proton RAT, is a piece of remote access malware that is usually sold on hidden Russian forums.

The Sixgill analysis of the Mac spyware revealed that it is used to collect data and spy on users’ activities. Its capabilities include monitoring keystrokes, installing files from the Internet, uploading documents and files to remote devices, and taking and stealing screenshots. It connects via SSH or VNC.

According to Sixgill, “the malware is shipped with genuine Apple code-signing signatures. This means the author of Proton RAT somehow got through the rigorous filtration process Apple places on MAC OS developers of third-party software, and obtained genuine certifications for his program”.

Researchers also provide information about the price, which is 100 Bitcoin (at the moment, about $163,600).

A Mac security expert, Patrick Wardle, stated that the malware did not have any coverage on VirusTotal. The compromised HandBrake asks for the victim’s data via a phony authentication popup. As a result, “If the user is tricked into providing a user name and password, the malware will install itself”, according to P. Wardle.[5]

The attackers behind the infected HandBrake used techniques similar to those of KeRanger, another piece of Mac malware. KeRanger compromised Transmission, the legitimate BitTorrent client, which was also created by the same author. However, the HandBrake advisory noted that it doesn’t share a base with Transmission.

“The HandBrake Team is independent of the Transmission Developers. The projects share history in the sense that the same author created these apps but he is not part of the current HandBrake team of developers. We do not share our virtual machines with the Transmission project.”

HandBrake also provided the information on how to get rid of the Trojan to its customers.

“The Download Mirror Server is going to be completely rebuilt from scratch so downloads may be a bit slower than usual while the primary picks up the load. During this time, old versions of HandBrake will not be available,” – said HandBrake.

