Supply chain attack hits Mac users of HandBrake video converter app

Mac users who downloaded the app earlier this month may have their computers infected with the Proton Trojan program

Hackers compromised a download server for HandBrake, a popular open-source program for converting video files, and used it to distribute a macOS version of the application that contained malware.

The HandBrake development team posted a security warning on the project's website and support forum on Saturday, alerting Mac users who downloaded and installed the program from May 2 to May 6 to check their computers for malware.

The attackers compromised only a download mirror hosted under download.handbrake.fr, with the primary download server remaining unaffected. Because of this, users who downloaded HandBrake-1.0.7.dmg during the period in question have a 50/50 chance of having received a malicious version of the file, the HandBrake team said.

Users of HandBrake 1.0 and later who upgraded to version 1.0.7 through the program's built-in update mechanism shouldn't be affected, because the updater verifies the program's digital signature and wouldn't have accepted the malicious file.

Users of version 0.10.5 and earlier who used the built-in updater and all users who downloaded the program manually during those five days might be affected, so they should check their systems.

According to an analysis by Patrick Wardle, director of security research at Synack, the trojanized version of HandBrake distributed from the compromised mirror contained a new version of the Proton malware for macOS.

Proton is a remote access tool (RAT) sold on cybercrime forums since earlier this year. It has all of the features typically found in such programs: keylogging, remote access via SSH or VNC, and the ability to execute shell commands as root, grab webcam and desktop screenshots, steal files and more.

In order to obtain admin privileges, the malicious HandBrake installer asked victims for their password under the guise of installing additional video codecs, Wardle said.

The Trojan software installs itself as a program called activity_agent.app and sets up a Launch Agent called fr.handbrake.activity_agent.plist to start it every time the user logs in.

The HandBrake forum announcement contains manual removal instructions and advises users who find the malware on their Macs to change all of the passwords stored in their macOS keychains or browsers.
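A quick way to look for the two artifact names reported above, as an added example that is not taken from the HandBrake announcement or Wardle's analysis. The function names are hypothetical, and the locations searched (the standard macOS Launch Agent directories plus a name search under the home directory) are an assumption, since the article does not say where the files are placed.

```shell
#!/bin/sh
# Added example: search for the artifact names given in the article.
# Assumption: the article gives names only, so we check the standard
# Launch Agent directories and search the home directory by name.

PLIST_NAME="fr.handbrake.activity_agent.plist"
APP_NAME="activity_agent.app"

# find_proton_artifacts HOME_DIR [SYSTEM_ROOT]
# Prints one line per hit ("launch-agent PATH" or "app-bundle PATH");
# prints nothing when neither name is present.
find_proton_artifacts() {
    home_dir=$1
    sys_root=${2:-}
    for dir in "$home_dir/Library/LaunchAgents" "$sys_root/Library/LaunchAgents"; do
        if [ -e "$dir/$PLIST_NAME" ]; then
            printf 'launch-agent %s\n' "$dir/$PLIST_NAME"
        fi
    done
    # App bundles are directories; the depth limit keeps the scan quick.
    find "$home_dir" -maxdepth 4 -type d -name "$APP_NAME" 2>/dev/null |
        while IFS= read -r path; do
            printf 'app-bundle %s\n' "$path"
        done
}

# proton_scan HOME_DIR [SYSTEM_ROOT]
# Returns 0 when clean, 1 (and lists the hits) when an artifact is found.
proton_scan() {
    hits=$(find_proton_artifacts "$@")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Run against the current user's home when invoked with --scan.
if [ "${1:-}" = "--scan" ]; then
    proton_scan "$HOME" "" && echo "No Proton artifact names found."
fi
```

A clean result only means these two names are absent; a hit means the removal steps and password changes described in the HandBrake announcement apply.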

This is just the latest in a growing string of attacks over the past few years in which attackers compromised software update or distribution mechanisms.

Last week Microsoft warned of a software supply chain attack in which a group of hackers compromised the software update infrastructure of an unnamed editing tool and used it to distribute malware to select victims: mainly organizations from the financial and payment processing industries.

"This generic technique of targeting self-updating software and their infrastructure has played a part in a series of high-profile attacks, such as unrelated incidents targeting Altair Technologies’ EvLog update process, the auto-update mechanism for South Korean software SimDisk, and the update server used by ESTsoft's ALZip compression application," the Microsoft researchers said in a blog post.

This is not the first time Mac users have been targeted through such attacks either. The macOS version of the popular Transmission BitTorrent client distributed from the project's official website was found to contain malware on two separate occasions last year.

One way to compromise software distribution servers is to steal login credentials from developers or other users who maintain the server infrastructure for software projects. Therefore, it came as no surprise when earlier this year security researchers detected a sophisticated spear-phishing attack targeting open source developers present on GitHub. The targeted emails distributed an information stealing program called Dimnie.


Lucian Constantin

IDG News Service