Search found 19 matches

by wesley123
Fri May 19, 2017 7:48 am
Forum: Mac
Topic: Possible Trojan after updating Mac-Version to 1.0.7
Replies: 62
Views: 15211

Re: Possible Trojan after updating Mac-Version to 1.0.7

seems like a big company (Panic) lost all its private source code thanks to this malware. I hope your team reached out to them.
by wesley123
Sun May 14, 2017 8:13 am
Forum: Mac
Topic: Possible Trojan after updating Mac-Version to 1.0.7
Replies: 62
Views: 15211

Re: Possible Trojan after updating Mac-Version to 1.0.7

Actually the original objective-see post was updated: https://objective-see.com/blog/blog_0x1F.html The first items from this list that the malware extracts and utilizes are the following paths: /Library/Extensions/LittleSnitch.kext /Library/Extensions/Radio Silence.kext /Library/Extensions/HandsOff...
by wesley123
Sun May 14, 2017 8:10 am
Forum: Mac
Topic: Possible Trojan after updating Mac-Version to 1.0.7
Replies: 62
Views: 15211

Re: Possible Trojan after updating Mac-Version to 1.0.7

according to objective-see:

AFAIK, it does not

[10:01]
let me check though...

[10:01]
yah, pretty sure that's why it does check for LS, to make sure LS wouldn't pop
by wesley123
Sun May 14, 2017 7:56 am
Forum: Mac
Topic: Possible Trojan after updating Mac-Version to 1.0.7
Replies: 62
Views: 15211

Re: Possible Trojan after updating Mac-Version to 1.0.7

so from what i gather the /etc/sudoers file should have been adjusted if you have the trojan. This was not the case for me. (I have little snitch installed). I also checked the modification date. Also /var/log and /Library/Logs should be emptied, this was not the case for me (I have entries there si...
by wesley123
Sun May 14, 2017 7:39 am
Forum: Mac
Topic: Possible Trojan after updating Mac-Version to 1.0.7
Replies: 62
Views: 15211

Re: Possible Trojan after updating Mac-Version to 1.0.7

https://www.cybereason.com/labs-proton-b-what-this-mac-malware-actually-does/ it will send password files from all browsers, your keychain, and 1password if u have that installed to their website. Interesting to note there appears to be mention of little snitch in that decrypted file, but the articl...
by wesley123
Tue May 09, 2017 7:07 pm
Forum: Mac
Topic: Possible Trojan after updating Mac-Version to 1.0.7
Replies: 62
Views: 15211

Re: Possible Trojan after updating Mac-Version to 1.0.7

red07 -> It's impossible to say with 100% certainty but it appears you've lucked out if you don't see any signs of it in /tmp/ or the directories listed. There are a few reports now that it doesn't work correctly when little snitch is installed. If there was no admin prompt, it's another good sign. Reg...
by wesley123
Tue May 09, 2017 7:04 pm
Forum: Mac
Topic: Possible Trojan after updating Mac-Version to 1.0.7
Replies: 62
Views: 15211

Re: Possible Trojan after updating Mac-Version to 1.0.7

why do i not hear you say "buy an apple developer certificate and sign our releases, as we should have been doing for years, sorry about this" as well as "move to github to host our releases as there is no reason whatsoever to host it on our own servers which will undoubtedly get hacke...
by wesley123
Tue May 09, 2017 3:56 pm
Forum: Mac
Topic: Possible Trojan after updating Mac-Version to 1.0.7
Replies: 62
Views: 15211

Re: Possible Trojan after updating Mac-Version to 1.0.7

also for the others that opened the infected file and did not have any sign of it on their computer, do you have little snitch? I can confirm that I have installed Little Snitch and had no "activity_agent"-task + no mentioned files installed. But can someone confirm that no task and no fi...
by wesley123
Tue May 09, 2017 3:54 pm
Forum: Mac
Topic: Possible Trojan after updating Mac-Version to 1.0.7
Replies: 62
Views: 15211

Re: Possible Trojan after updating Mac-Version to 1.0.7

i wonder, what is being done to contact the users that have downloaded this malware, apart from just a press release? looks like there is very little discussion for 18,000 possible infections. is there an update notice for those that installed it, etc? or did the hacker prevent update notices from b...
by wesley123
Tue May 09, 2017 7:54 am
Forum: Mac
Topic: Possible Trojan after updating Mac-Version to 1.0.7
Replies: 62
Views: 15211

Re: Possible Trojan after updating Mac-Version to 1.0.7

yes it needs to be shut down immediately.
by wesley123
Tue May 09, 2017 6:47 am
Forum: Mac
Topic: Possible Trojan after updating Mac-Version to 1.0.7
Replies: 62
Views: 15211

Re: Possible Trojan after updating Mac-Version to 1.0.7

I meant intego: https://www.intego.com/mac-security-blog/handbrakes-server-compromised-download-installs-complex-trojan/ Once the password is entered, Handbrake will launch and it appears to be business as usual. In the background, however, a backdoor was installed, named "activity_agent."...
by wesley123
Tue May 09, 2017 6:33 am
Forum: Mac
Topic: Possible Trojan after updating Mac-Version to 1.0.7
Replies: 62
Views: 15211

Re: Possible Trojan after updating Mac-Version to 1.0.7

also for the others that opened the infected file and did not have any sign of it on their computer, do you have little snitch?
by wesley123
Tue May 09, 2017 6:33 am
Forum: Mac
Topic: Possible Trojan after updating Mac-Version to 1.0.7
Replies: 62
Views: 15211

Re: Possible Trojan after updating Mac-Version to 1.0.7

according to analysis done by objective-see the keychain etc was uploaded to the infected handbrake download server. So handbrake team, have u done any forensics on this server? Does it still contain the files? How many were uploaded? etc etc.. What is the current status of your investigation?
by wesley123
Sun May 07, 2017 5:28 pm
Forum: Mac
Topic: Possible Trojan after updating Mac-Version to 1.0.7
Replies: 62
Views: 15211

Re: Possible Trojan after updating Mac-Version to 1.0.7

i also hear a lot of trojans don't do anything when they see little snitch is installed, so that may be another factor to consider..
by wesley123
Sun May 07, 2017 5:15 pm
Forum: Mac
Topic: Possible Trojan after updating Mac-Version to 1.0.7
Replies: 62
Views: 15211

Re: Possible Trojan after updating Mac-Version to 1.0.7

it isn't hard to put it in a vm and check what happens after they've got the keychain, do they delete the running process or not. that's what i need to know. I see i have /tmp/Handbrake.app but none of the other files are found on my system...
by wesley123
Sun May 07, 2017 4:51 pm
Forum: Mac
Topic: Possible Trojan after updating Mac-Version to 1.0.7
Replies: 62
Views: 15211

Re: Possible Trojan after updating Mac-Version to 1.0.7

says nothing about what it does after it's gotten what it needs. u guys should be doing the analysis anyway instead of letting others do the hard work.
by wesley123
Sun May 07, 2017 4:33 pm
Forum: Mac
Topic: Possible Trojan after updating Mac-Version to 1.0.7
Replies: 62
Views: 15211

Re: Possible Trojan after updating Mac-Version to 1.0.7

someone should run this in a vm immediately to see what it does after it got the password field filled, and if it even runs if it detects little snitch, etc. if it deletes itself, etc.
by wesley123
Sun May 07, 2017 4:31 pm
Forum: Mac
Topic: Possible Trojan after updating Mac-Version to 1.0.7
Replies: 62
Views: 15211

Re: Possible Trojan after updating Mac-Version to 1.0.7

why don't i see any of the trojan files then? does it delete itself after it is successful? I do use little snitch and I don't think i got an alert about it.
by wesley123
Sun May 07, 2017 4:12 pm
Forum: Mac
Topic: Possible Trojan after updating Mac-Version to 1.0.7
Replies: 62
Views: 15211

Re: Possible Trojan after updating Mac-Version to 1.0.7

I ran this app from the DMG for which the SHA1 matches the trojan hash. But I ran it from DMG, did not drag to the disk. Am I infected or not? The files listed in the announcement do not exist!