Possible Trojan after updating Mac-Version to 1.0.7

HandBrake for Mac support
justhereforaq
Posts: 2
Joined: Tue May 09, 2017 1:12 am

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by justhereforaq » Sat May 13, 2017 4:13 am

Any more details on the data that was sent back to the download server?

Would be great if that info could be exposed so folks know who/what exactly was stolen.

s55
HandBrake Team
Posts: 8751
Joined: Sun Dec 24, 2006 1:05 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by s55 » Sat May 13, 2017 4:28 pm

@justhereforaq No data was sent back to our download server. The Trojan used other compromised servers that didn't belong to us for command and control.

While primarily PROTON seems to download data from your browser and/or password managers, it has the capability to download anything from the machine should the attacker choose.

wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 » Sun May 14, 2017 7:39 am

https://www.cybereason.com/labs-proton- ... ally-does/

It will send password files from all browsers, your keychain, and 1Password if you have that installed to their website.

Interesting to note there appears to be mention of Little Snitch in that decrypted file, but the article does not mention if it does not do anything when it is found out that Little Snitch is on the system.

wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 » Sun May 14, 2017 7:56 am

So from what I gather the /etc/sudoers file should have been adjusted if you have the trojan. This was not the case for me (I have Little Snitch installed). I also checked the modification date.

Also, /var/log and /Library/Logs should be emptied; this was not the case for me (I have entries there since before May).

wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 » Sun May 14, 2017 8:10 am

According to objective-see:

AFAIK, it does not

[10:01]
let me check though...

[10:01]
yah, pretty sure that's why it does check for LS, to make sure LS wouldn't pop

wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 » Sun May 14, 2017 8:13 am

Actually the original objective-see post was updated:

https://objective-see.com/blog/blog_0x1F.html

The first items from this list that the malware extracts and utilizes are the following paths:

/Library/Extensions/LittleSnitch.kext
/Library/Extensions/Radio Silence.kext
/Library/Extensions/HandsOff.kext

For each of these paths, it checks if they exist on disk, and if so, the malware immediately exits!

Rodeo
HandBrake Team
Posts: 11602
Joined: Tue Mar 03, 2009 8:55 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by Rodeo » Sun May 14, 2017 9:17 am

It's pretty nice for those who have it installed, they got lucky :)

vels
New User
Posts: 1
Joined: Sun May 14, 2017 1:37 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by vels » Sun May 14, 2017 1:41 pm

I have version 1.0.2 installed on my Mac running 10.10.5.

I've run the following commands to get the checksum:

COMMAND : shasum -a 1 /Applications/HandBrake.app/Contents/MacOS/HandBrake
RESPONSE : 95017f8cc3d634d71b45407830d22e65a9098cb8 /Applications/HandBrake.app/Contents/MacOS/HandBrake

COMMAND : shasum -a 256 /Applications/HandBrake.app/Contents/MacOS/HandBrake
RESPONSE : 200c8ace634f792bffd3142f96c2187943c0243a441363220202552eb804dcec /Applications/HandBrake.app/Contents/MacOS/HandBrake

I couldn't see that either of those checksums matched the sums published on the HandBrake GitHub page here: https://github.com/HandBrake/HandBrake/wiki/Checksums

Could someone confirm if I have an infected copy or not? Thanks in advance!

s55
HandBrake Team
Posts: 8751
Joined: Sun Dec 24, 2006 1:05 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by s55 » Sun May 14, 2017 2:14 pm

The checksums are for the DMG image, not the .app.

1.0.2 was not infected.

BradleyS
Moderator
Posts: 858
Joined: Thu Aug 09, 2007 12:16 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by BradleyS » Mon May 15, 2017 12:59 am

We've written up a postmortem about the attack: viewtopic.php?f=33&t=36399

wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 » Fri May 19, 2017 7:48 am

Seems like a big company (Panic) lost all its private source code thanks to this malware. I hope your team reached out to them.

Rodeo
HandBrake Team
Posts: 11602
Joined: Tue Mar 03, 2009 8:55 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by Rodeo » Fri May 19, 2017 8:01 am

wesley123 wrote:
Fri May 19, 2017 7:48 am
Seems like a big company (Panic) lost all its private source code thanks to this malware. I hope your team reached out to them.
No, they didn't. As far as I can tell, what happened is the attacker now has access to their code, and is in a position to release unofficial builds of Panic's proprietary applications.

JohnAStebbins
HandBrake Team
Posts: 4998
Joined: Sat Feb 09, 2008 7:21 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by JohnAStebbins » Fri May 19, 2017 2:44 pm

wesley123 wrote:
Fri May 19, 2017 7:48 am
Seems like a big company (Panic) lost all its private source code thanks to this malware. I hope your team reached out to them.
Yes, we did reach out to them. The full account of what happened to Panic is documented by the victim himself here Panic. I encourage you to read it. This could happen to anyone.
