OSX Proton Infects Mac OS Via Elmedia Player

The general understanding is that using Mac is a lot safer than a Windows computer. Supposedly, computers that run Windows are more susceptible to malware infections. This is also backed by statistics, but we have to remember that desktop and laptop computer operating system market is mostly comprised of Windows OS. Nevertheless, it does not mean that Mac OS does not get affect by malware. The newest outbreak of the OSX Proton infection proves just that. It might be a little bit more complicated to infiltrate a Mac system, but it does not mean it is impossible. If anything, it seems that the latest malware distribution method cuts down probably one of the most important things out there: the trust between a customer and a developer.

Supply-chain attack

Computer security experts agree that in order to infect or take over a Mac OS, one has to drop a malicious app in the system itself. In other words, it is necessary to trick the system into “thinking” that the malicious program that is about to be installed is legitimate. For that purpose, hackers use the so-called supply-chain attack. When this method is applied, hackers compromise legitimate software servers, infecting real installer files with their malware. This is exactly what happened with the Eltima Software’s Elmedia Player. Cyber criminals compromised at least two apps that are used by many Mac OS users around the globe.

Eltima Software Compromised

It has been reported by ESET Research on October 20th that the OSX Proton Trojan spreads once again through a supply-chain attack. The security research firm has found that two Mac OS apps developed by Eltima Software were trojanized on October 19th. The apps in question were Elmedia Player and Folx download manager. According to the official statements, Eltima Software has at least one million users using their free and subscription-based applications. Therefore, through this hack, a lot of users got exposed to a potential malware infection.

According to the ESET security report, it took Eltima from two to three hours to clean up once it was notified. However, before the company’s servers were clean again, around 1000 users downloaded the said software applications from the company’s website. And the company notified about the breach on their blog almost immediately. The good news was that this hack affected only the installer files available at the company’s website. The automated updates on devices that already had the said apps installed were not compromised.

The reason Eltima managed to clean up relatively fast after the hack is that the company’s development structure was not compromised. The reports say that hackers simply hacked into the company’s website exploiting a vulnerability in a JavaScript library called TinyMCE.

On top of that, the malicious installers that carried malware were also signed by a legitimate Apple developer ID. It should be pointed out that the developer ID did not belong to Eltima Software, but to a third-party developer. On the other hand, the ID was legitimate, so it means that it was either stolen or obtained using a fake ID. The developer ID was revoked by Apple ever since, but it shows that similar behavior may repeat itself in the future. Using Apple-approved developer ID allows criminals to bypass Gatekeeper, the first line of defense. This seems to be a problem Apple will have to tackle in the near future, especially considering that this type of supply-chain attack is not the first this year.

OSX Proton

As far as the malware itself is concerned, the OSX Proton Trojan was already distributed via a supply-chain attack before. Various reports suggest that the infection exploited another Mac OS app called HandBrake back in May. The methods used in the previous attack almost coincide with the Eltima Software hack, so security experts believe that the same hackers made use of both HandBrake and Elmedia Player.

It thus makes us focus on the OSX Proton infection. Perhaps, the most important thing about this Trojan is that it is intended for Mac OS devices. When it gets on the system, it can open a backdoor that allows hackers to control the compromised computer. It can then steal sensitive information and even download more malware on the affected system.

Judging from the data offered by ESET researchers who detected the Eltima Software breach, OSX Proton has extensive stealing capabilities. It can log and share with its command and control center operating system details, browser information, crypto-currency wallets, SSH private data (thus acquiring logins and passwords), Mac OS keychain data, 1Password data, and a lot of other important information. So it is clear that it is an infection one should not mess with.

The good news is that it is possible to check whether a Mac OS device was infected with OSX Proton. Security experts recommend checking the system for the following directories and files:

  • /tmp/Updater.app/

  • /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist

  • /Library/.rand/

  • /Library/.rand/updateragent.app/

Please note that an all-kill is not necessary here: if at least one file or directory is present, it means that OSX Proton is running on the system. Also, the security reports emphasize that if users downloaded the software before 3:15 pm EDT on October 19th, the chance of having the Trojan on their computer is almost 100%.

OSX Proton Removal

Probably, the most frustrating part of this hack and infection is that the best way to get rid of the Trojan is to wipe the affected system clean and reinstall the OS. A full OS reinstall guarantees that OSX Proton disappears from the device completely. Such measures are necessary because the Trojan affects the system at an administrator level. What’s more, security experts note that users should invalidate the secret information that could have been compromised by OSX Proton while it was still running on the system.

The post about the hack on Eltima Software’s blog received the well-deserved critique regarding the company’s security measures, with some users saying that they will “never trust you again.” However, it should be pointed out that such attacks against reputable companies are bound to continue in the future. And it is up to everyone, both customers and developers, to keep their guard up.

References:

  1. India Ashok. OSX Proton: Mac malware that allows hackers to spy and steal data spreading via hacked Eltima apps. International Business Times.
  2. Lucian Constantin. Hackers Distribute Malware-Infected Media Player to Hundreds of Mac Users. Motherboard.
  3. ESET Research. OSX/Proton spreading again through supply-chain attack. We Live Security.
  4. Danny Palmer. Mac OSX Trojan malware spread via compromised software downloads. ZDNet.
  5. Alex Taylor. Elmedia Player and Folx malware threat Neutralized! Eltima.
  6. Ian Thomson. Malware hidden in vid app is so nasty, victims should wipe their Macs. The Register.