At the beginning of May 2017, Handbrake, a popular open-source video ripping and conversion program, was attacked by cyber criminals. To be more precise, one of the download mirror servers, download.handbrake.fr, was infiltrated by hackers who uploaded an infected version of the legitimate software containing the dangerous Proton Trojan. This attack may affect Mac users who downloaded "HandBrake-1.0.7.dmg" between May 2 and May 6, 2017. Proton Trojan is a remote access tool (RAT) that is for sale on the dark web. Having this vicious program on your computer can have devastating consequences. Please read our full report on this attack to be well-informed about what might have just hit you.
Handbrake developers warned users on their website and forums right after the stealthy backdoor attack was discovered. Fortunately, the main download server was unaffected; therefore, the infected software version was only available for download from one of the mirror servers. This means that if you used the primary server between May 2 and May 6, you may be in luck. The cyber criminals behind this vicious attack targeted Mac OS X users, whom the Handbrake developers asked in their warning message to scan their systems for malware. Those who updated to this new version from 1.0 or later should be safe because the official built-in updater of this software verifies the program’s digital signature. In other words, an infected version would not pass this verification process and thus you could not download it. However, those who had even older versions and tried to update during the aforementioned period could be in danger.
When you install the hacked version of Handbrake, it asks for the administrator password to gain admin privileges. Once you enter it, this password is sent to the criminals' server right away, along with other sensitive information that can be used to take full control of your Mac and more. It is important for you to understand the gravity of this malicious attack, since Proton Trojan contains various data tracking tools, including keylogging, remote login access, webcam control, and desktop screenshot and recording ability, and it can also execute shell commands and steal files from your hard drive. In other words, this beast is capable of spying on you and stealing your online banking details, which means it can easily be used to steal money from your accounts. Since this malware infection can be used widely by cyber crooks to do virtually anything with the victims' data and their Macs, it does have a high price on the dark web. Our research shows that this backdoor Trojan is sold for as much as 63,000 US dollars. So you can imagine how much money hackers who are willing to buy it for this amount can make.
Financial loss is one thing, and you may even think that this is the worst that can happen to you when you are hit with the Proton backdoor Trojan. The truth is that it can get worse when your personally identifiable information is stolen and misused by crooks to commit all kinds of online fraud in your name. Identity theft is still one of the biggest crimes cyber criminals can commit against you and your privacy. Therefore, you need to be extra careful when it comes to protecting your virtual world. Do you keep away from suspicious websites associated with online gambling, gaming, and file sharing? Do you click on random third-party ads? Becoming a safer web surfer can help keep your system clean of similar threats. Nevertheless, as you can see, sometimes it is possible to infect your machine even from official sources. Thus, we recommend that you defend your system by installing a professional anti-malware program of your choice.
If you are now wondering how to tell whether your version is a carrier of Proton Trojan and you do not have a security tool installed yet, there are some signs. The developers of Handbrake say that there is a 50% chance that you have the malicious version installed if you downloaded this new version between the dates mentioned before. This is not much help, though, in determining whether your Mac is infected. What you need to do is check your running processes: if you find "activity_agent" among them, it is quite certain that Proton Trojan has infiltrated your Mac and is still operating. You can also check whether there is an archive named "proton.zip" in the "~/Library/VideoFrameworks" directory. This .zip contains all stolen data, so if it is there, there is no doubt that this vicious infection has struck you.
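The two checks described above can be scripted. The following is an added example, not code from the Handbrake developers or from this report; the function names and the "--scan" argument are assumptions made for illustration, while the process name and archive path are the ones given in the text.

```shell
#!/bin/sh
# Added example: look for the two Proton indicators named in the article.
PROTON_PROCESS="activity_agent"                      # process name from the article
PROTON_ARCHIVE="Library/VideoFrameworks/proton.zip"  # archive path, relative to the home directory

# Reads a process listing on stdin, one executable path or name per line
# (the format `ps -axo comm=` prints). Succeeds only on an exact name match,
# so paths containing spaces and look-alike names do not trigger it.
has_proton_process() {
    awk -v name="$PROTON_PROCESS" '
        { sub(/.*\//, "") }          # keep only the part after the last "/"
        $0 == name { found = 1 }
        END { exit !found }'
}

# Succeeds if the stolen-data archive exists under the given home directory.
has_proton_archive() {
    [ -f "$1/$PROTON_ARCHIVE" ]
}

# Reads the process listing on stdin and takes the home directory as $1.
# Returns 0 when neither indicator is present, 1 when at least one is.
proton_scan() {
    hits=0
    if has_proton_process; then
        echo "FOUND: process '$PROTON_PROCESS' is running"
        hits=1
    fi
    if has_proton_archive "$1"; then
        echo "FOUND: $1/$PROTON_ARCHIVE exists"
        hits=1
    fi
    [ "$hits" -eq 0 ] && echo "No Proton indicators found"
    return "$hits"
}

# Scan the live system only when invoked as: sh proton_check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    ps -axo comm= | proton_scan "$HOME"
    exit $?
fi
```

A result of 0 only means that these two indicators are absent at the time of the check.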
As a matter of fact, this was not the first time that Mac users were hit by such a nightmare. Last year, for example, the popular Transmission BitTorrent client was discovered to contain malware. Although IT security specialists work hard to find all security holes in their software, as you can see, sophisticated cyber crooks can always come up with a new idea to beat them somehow. Therefore, the safest way for you to protect your computer is to install up-to-date security software. If you are unlucky enough to have been attacked by Proton Trojan, we also recommend that you change all your passwords because chances are this malware program has already stolen those.