Hackers compromised a download server for HandBrake, a popular open-source program for converting video files, and used it to distribute a macOS version of the application that contained malware.

The HandBrake development team posted a security warning on the project’s website and support forum on Saturday, alerting Mac users who downloaded and installed the program from May 2 to May 6 to check their computers for malware.

The attackers compromised only a download mirror hosted under download.handbrake.fr, with the primary download server remaining unaffected. Because of this, users who downloaded HandBrake-1.0.7.dmg during the period in question have a 50/50 chance of having received a malicious version of the file, the HandBrake team said.

Users of HandBrake 1.0 and later who upgraded to version 1.0.7 through the program’s built-in update mechanism shouldn’t be affected, because the updater verifies the program’s digital signature and wouldn’t have accepted the malicious file.

Users of version 0.10.5 and earlier who used the built-in updater and all users who downloaded the program manually during those five days might be affected, so they should check their systems.

According to an analysis by Patrick Wardle, director of security research at Synack, the trojanized version of HandBrake distributed from the compromised mirror contained a new version of the Proton malware for macOS.

Proton is a remote access tool (RAT) sold on cybercrime forums since earlier this year. It has all of the features typically found in such programs: keylogging, remote access via SSH or VNC, and the ability to execute shell commands as root, grab webcam and desktop screenshots, steal files and more.

In order to obtain admin privileges, the malicious HandBrake installer asked victims for their password under the guise of installing additional video codecs, Wardle said.


