HandBrake for Mac server compromise means downloaders have 50-50 chance of Proton RAT malware infection
Anyone who downloaded the Mac video transcoder HandBrake in the last few days stands a 50 percent chance of being infected with a Trojan. The download for version 1.0.7 of HandBrake was infected after the mirror download server was compromised.
The Trojan allows for an attacker to remotely access an infected computer, and a malware-laced version of the app was made available for download between May 2 and May 6. If you downloaded the app in this window, you're advised to check the SHA1/256 sum, and if you have gone as far as installing the software, there are steps to take to determine if you're infected and remove the malware if you are.
The HandBrake team stresses that it's only the download mirror that was affected; the primary download server was not compromised. It also says that anyone who used the built-in updater to jump to version 1.0.7 will have been protected by DSA signature verification. If you did download the software manually, however, you will need to check for signs of infection.
In a post on the HandBrake support forums, the team behind the app explain how to determine if your system is infected:
If you see a process called "Activity_agent" in the OSX Activity Monitor application, you are infected.
For reference, if you've installed a HandBrake.dmg with the following checksums, you will also be infected:
The Trojan in question is a new variant of OSX.PROTON.
Thankfully it is fairly simple to remove the malware if you are infected:
Open up the "Terminal" application and run the following commands:
- launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
- rm -rf ~/Library/RenderFiles/activity_agent.app
- if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
Then remove any "HandBrake.app" installs you may have.
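The two checks the article describes (comparing the downloaded DMG against a published hash, then looking for the Activity_agent process and the files named in the HandBrake post) can be scripted as below. This is an added example, not code from HandBrake or the article; the published SHA-256 is not on this page, so the default is a labelled placeholder and the real value has to be taken from handbrake.fr.

```shell
#!/bin/sh
# Added example, not HandBrake's own code: checks a macOS user profile for the
# indicators listed in the HandBrake post (launch agent, dropped app, proton.zip,
# Activity_agent process) and verifies a downloaded DMG against a published
# SHA-256 (take it from handbrake.fr; the placeholder default is NOT a real value).

# Compute the SHA-256 of a file with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else openssl dgst -sha256 "$1" | sed 's/.* //'
    fi
}

# Exit 0 if the file's SHA-256 equals the expected (published) value, 1 otherwise.
verify_dmg_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Print how many of the post's on-disk indicators exist under a home directory
# (default $HOME); each hit is also listed on stderr.
proton_file_indicators() {
    home="${1:-$HOME}"; count=0
    for rel in Library/LaunchAgents/fr.handbrake.activity_agent.plist \
               Library/RenderFiles/activity_agent.app \
               Library/VideoFrameworks/proton.zip; do
        if [ -e "$home/$rel" ]; then
            echo "indicator present: $home/$rel" >&2
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Exit 0 if an Activity_agent process is running (the post's first check).
proton_process_running() {
    command -v ps >/dev/null 2>&1 || return 1
    ps -eo comm= 2>/dev/null | grep -qi activity_agent
}

# Usage: sh check_handbrake.sh [HandBrake.dmg] [published-sha256]
if [ -n "$1" ]; then
    verify_dmg_sha256 "$1" "${2:-PLACEHOLDER_PUBLISHED_SHA256}" \
        && echo "DMG matches published hash" || echo "DMG does NOT match published hash"
fi
if [ "$(proton_file_indicators)" -gt 0 ] || proton_process_running; then
    echo "Proton indicators found; follow the removal steps"
else echo "no Proton indicators found"; fi
```

A hash match only proves the DMG is the file HandBrake published; the file checks are what tell you whether an earlier install already ran the malware.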