Having only reached version 1.0 at the end of last year, HandBrake this weekend became yet another application to suffer a hacker attack. According to its developers, the download server for the free video converter was hacked and its installer was replaced by a compromised version containing malware.
Proton, a Remote Access Trojan (RAT) already covered here on MacMagazine, was used to infect the application, and it carried a digital signature that would have gone unnoticed by users who installed it between May 2nd and 6th. The malware collects the encrypted passwords stored in the infected computer's native Keychain Access app, as well as cookies, session data and other private information stored in Safari, Opera and Chrome.
According to an analysis conducted by Intego, the data was sent to HandBrake's own hosting server, leading to the conclusion that, besides being hacked to infect the download files, it was also used to control the infected Macs and receive files from them. At the time of this publication, it is no longer operating in this way.
How do I know if I am infected?
Just open the native Activity Monitor app (located in /Applications/Utilities/) on your Mac and look for the Activity_agent process. If it does not appear in the search, you are free of this threat.
How do I know if I downloaded a malicious version of HandBrake?
Users who downloaded the app between May 2 and 6 may have received the changed file.
I got infected. How do I remove the malware from my Mac?
Open a Terminal window (also located in /Applications/Utilities/) and execute the following commands (one per line):
launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app
Then, open a Finder window, select "Go to Folder" (in the "Go" menu) and type the path ~/Library/VideoFrameworks/. If the proton.zip file is there, delete it, along with the version of HandBrake installed on the Mac.
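As an added example (not part of the original article), the following shell script checks for the indicators named above without deleting anything: the three paths are the ones the article lists, and the process check assumes the agent shows up under the name activity_agent.

```shell
#!/bin/sh
# Added example, not from the original article: a read-only check for the
# on-disk and process artifacts named in the removal steps. It only reports;
# the removal itself remains the manual steps described above.

# Paths from the article, relative to the user's home directory.
PROTON_PLIST="Library/LaunchAgents/fr.handbrake.activity_agent.plist"
PROTON_APP="Library/RenderFiles/activity_agent.app"
PROTON_ZIP="Library/VideoFrameworks/proton.zip"

# scan_proton_artifacts HOME_DIR
# Prints one "FOUND: <path>" line per artifact present under HOME_DIR.
# Returns 0 when nothing is found, 1 when at least one artifact exists.
scan_proton_artifacts() {
    home="$1"
    found=0
    for rel in "$PROTON_PLIST" "$PROTON_APP" "$PROTON_ZIP"; do
        if [ -e "$home/$rel" ]; then
            echo "FOUND: $home/$rel"
            found=1
        fi
    done
    return $found
}

# proton_process_running
# Returns 0 if a process whose command name contains "activity_agent" is
# running (case-insensitive, since the article spells it "Activity_agent").
proton_process_running() {
    ps -e -o comm= | grep -qi 'activity_agent'
}

# Real use on a Mac: `sh check_proton.sh --run` scans $HOME and the process list.
if [ "${1:-}" = "--run" ]; then
    scan_proton_artifacts "$HOME" \
        || echo "Proton artifacts present: follow the removal steps above."
    proton_process_running && echo "An activity_agent process is running."
fi
```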
If you have website passwords saved in your browsers, Safari included, it is also recommended that you change them.