Handbrake Trojan Alert

nasty trojan on

developer's own server

like the fabled horse

HandBrake.png

https://forum.handbrake.fr/viewtopic.php?f=33&t=36364

SECURITY WARNING

Anyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1 / 256 sum of the file before running it.

Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have 50/50 chance if you've downloaded HandBrake during this period. 

Detection

If you see a process called "activity_agent" in the OSX Activity Monitor application. You are infected.

For reference, if you've installed a HandBrake.dmg with the following checksums, you will also be infected:

SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

The Trojan in question is a new variant of OSX.PROTON

Removal

Open up the "Terminal" application and run the following commands:

 

  • launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
  • rm -rf ~/Library/RenderFiles/activity_agent.app
  • if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder

Then Remove any "HandBrake.app" installs you may have.

Further Actions Required

Based on the information we have, you must also change all the passwords that may reside in your OSX KeyChain or any browser password stores.

Apple

We have been informed that the process to update the definitions for OSX's XProtect feature started this morning, so this should start rolling out to machines automatically soon if not already.


Summary

 

  • HandBrake-1.0.7.dmg was replaced by another unknown malicious file that DOES NOT match the SHA1 / SHA256 hashes on our website or on our Github Wiki which mirrors these: https://github.com/HandBrake/HandBrake/wiki/Checksums
  • The Affected Download mirror (download.handbrake.fr) has been shutdown for investigation.
  • The Primary Download Mirror and website were unaffected.
  • Downloads via the applications built-in updater with 1.0 and later are unaffected. These are verified by a DSA Signature and will not install if they don't pass.
  • Downloads via the applications built-in updater with 0.10.5 and earlier did not have verification so you should check your system with these older releases


When relevant information becomes available we will update this post.


Notices

  • The Download Mirror Server is going to be completely rebuilt from scratch so downloads may be a bit slower than usual while the primary picks up the load. During this time, old versions of HandBrake will not be available.

<updated> 2017.0513 with additional technical details.

https://objective-see.com/blog/blog_0x1F.html

 

...Patrick from Objective-See.com wrote:Well this makes analysis rather easy  We're not going to walk thru all of these, but let's cover a few of the more interesting items in this this list. 

The first items from this list that the malware extracts and utilizes are the following paths:
/Library/Extensions/LittleSnitch.kext

/Library/Extensions/Radio Silence.kext

/Library/Extensions/HandsOff.kext
For each of these paths, it checks if they exist on disk, and if so, the malware immediately exits!

These of course are macOS security products (firewalls) which would alert the user to the presence of the malware when it attempts to call out to connect to its command and control server(s). Seems like the malware would simply exit, rather than risking detection. 

Ah! Could this be why various users, who had ran the infected Handbrake application were not infected? Why yes! Turns out all had been running Little Snitch. Lucky for them 

 

https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware/

HandBrake hacked to drop new variant of Proton malware

Posted: May 8, 2017 by Thomas Reed

Last year, the Transmission torrent app was hacked not just once, but twice, to install the KeRanger ransomware and, later, the Keydnap backdoor. Now, the same thing has happened to the popular DVD-ripping HandBrake app, which is installing a new variant of the Proton malware.

The real HandBrake 1.0.7 app was replaced with a malicious copy on May 2. This issue was discovered and the malicious app was removed on May 6, also a security warning was posted on the HandBrake website. Both the HandBrake website and the copy of HandBrake available via Homebrew (a command-line software installation system) were affected.

Am I infected?

The security warning provides SHA1 and SHA256 hashes for the malicious HandBrake-1.0.7.dmg file, recommending that you check this against the hash of your download before installing. To do this, enter the following command in the Terminal app (found in the Utilities folder in the Applications folder):

shasum /path/to/HandBrake-1.0.7.dmg

(Of course, be sure to insert the proper path to the .dmg file. Note that you can drag a file onto the Terminal window to insert its path into the command automatically.)

Compare the value returned by this command to the SHA1 hash. If it’s a match, throw that .dmg file in the trash, delete your copy of HandBrake, and scan your Mac with Malwarebytes for Mac. We detect this malware as OSX.Proton.

At this point, you can – in theory – safely download a new copy of HandBrake. I say “in theory” because we don’t know yet how the HandBrake site was hacked and what mitigations have been put in place to prevent future hacks.

If you download a new copy of HandBrake, you can check it against the checksums listed on the HandBrake site to verify that it is valid. However, there’s a big problem with this: If the website has been hacked to replace the legit copy of the software with a bad one, it’s reasonable to assume that the checksums there could be replaced with bad ones as well.

Unfortunately, HandBrake is not code signed, so there’s no real way to verify with 100% certainty that the copy you have has not been tampered with.

Malicious behavior

The malicious copy of HandBrake, when run, will immediately ask for an admin password.

 

This is not normal for HandBrake, which may tip off a veteran user of the software. However, for a new user, or someone installing an update who isn’t yet familiar with the behavior of that update, this may not raise any red flags.

If you are suspicious and click the Cancel button, it seems that the malware is not installed. Further, in my testing, there were no additional prompts in opening the app after the first. Still, I wouldn’t trust that copy of the app at all, even if it doesn’t appear to be dropping the payload under those conditions.

Unfortunately, checking for updates in the malicious copy does not result in any kind of a warning. When the same thing happened to the Transmission app, the Transmission Project quickly put out an update that would replace the infected app with a clean one, as well as cleaning up any traces of the infection on the system. Hopefully, the same will happen for HandBrake, but at the time of this writing that has not been done yet.

If the password is given, the malicious app will install the malware on the system in the following locations:

~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
~/Library/RenderFiles/activity_agent.app

The launch agent runs the activity_agent app at login and keeps it running in the event something terminates it.

However, it seems that this malware may be a bit buggy. On the first install, it also dropped a non-functional launch agent named fr.handbrake.activity_agent.plist-ewith some of the contents missing. In another install, the launch agent contained the following non-functional plist data:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>P_MBN</string>
<key>ProgramArguments</key>
<array>
<string>P_UPTH</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

It appears that the malware installs this .plist template, then uses the Unix sedcommand to search for and replace the P_MBN and P_UPTH values but fails to do some in some cases. Thus, the malware does not always successfully install.

The fact that the malware requests an admin password yet installs all components in user space where no admin password is needed was initially puzzling, but that password request is actually not a system-generated prompt. It’s a phishing dialog displayed by the malware to obtain your password, which will be sent in clear text to api[DOT]handbrake[DOT]biz, the command & control (C&C) server for this malware.

The malware will create some or all of the following files:

~/Library/VideoFrameworks/CR_def.zip
~/Library/VideoFrameworks/FF.zip
~/Library/VideoFrameworks/GNU_PW.zip
~/Library/VideoFrameworks/KC.zip
~/Library/VideoFrameworks/OP.zip
~/Library/VideoFrameworks/proton.zip
~/Library/VideoFrameworks/SF.zip

These files contain a number of bits of data to be exfiltrated from the machine, such as browser data (including stored form auto-fill data), keychains, and even 1Password vaults. Since the user’s password was phished previously, that can be used to unlock the keychains, and either it or other passwords found in the keychain may be able to unlock other encrypted files. (Pro tip: never store the master password for your password manager in the keychain and make sure it’s a unique, strong password!)

The proton.zip file is a master archive containing everything in the VideoFrameworks folder. It, too, will be sent to the C&C server, handbrake[DOT]biz, a domain that was just registered on April 29 of this year, presumably in preparation for this attack.

Interestingly, the only two Mac apps ever to be hacked in this manner—Transmission, and now HandBrake—were both originally developed by Eric Petit. Though I don’t know if it means anything at all, it’s certainly a fair question to wonder who has access to both of these projects that could be abused in this manner.

What is Proton?

Many people may never have heard of Proton before. Earlier this year, a signature for Proton was silently added to Apple’s XProtect signatures, but nobody ever saw a copy. Later, Sixgill wrote up findings that revealed Proton was malware up for sale on the dark web.

Proton is a professionally-developed backdoor, which at the time was selling for around 40 BTC (bitcoins), an amount that is currently worth more than $63,000. At that price, unlimited installations were allowed. A single-use license cost around 2 BTC, or more than $3,000.

As an aside, I find it rather ironic that this variant of Proton appears to be a bit buggy, with some installs failing. Hopefully, Proton, Inc’s customers will have similar questions. A little discord among criminals wouldn’t be a bad thing.

Impact

This is a general-purpose backdoor with all the usual backdoor functionality. In addition, it appears this malware is exfiltrating the entire keychain, with all passwords. Thus, if you’re infected, the first priority should be changing all your online passwords. (After ensuring that your computer is free of infection, of course! Never change passwords on a device that may still be infected.)

You’ll also want to take any necessary precautions if you have sensitive data that may have been exfiltrated and business users should contact their IT departments if a company Mac is found to be infected.

Seems like this is increasingly becoming something Mac users have to worry about.

2017.0513 additional technical details </updated>