Possible Trojan after updating Mac-Version to 1.0.7

dave
Posts: 1
Joined: Sat May 06, 2017 12:53 am

Possible Trojan after updating Mac-Version to 1.0.7

Post by dave »

Are there any mac-users here that got a dialog box like this recently?
"Network Configuration needs to update DHCP setting. Type your password to allow this"

If so, you have got a trojan that steals your passwords.

Further information here:

https://apple.stackexchange.com/questio ... 821#282821
s55
HandBrake Team
Posts: 10360
Joined: Sun Dec 24, 2006 1:05 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by s55 »

Last edited by Anonymous on Mon May 15, 2017 8:37 am, edited 2 times in total.
Reason: Added Post Mortem
rpi
Posts: 1
Joined: Sat May 06, 2017 3:13 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by rpi »

Does anyone have any more information about the trojan?

I have data in ~/Library/VideoFrameworks but it seems to be primarily browser data from Firefox, Chrome, Opera and Safari.

I can't see any keychain related data, or screenshots.

I will consider my keychain data compromised regardless - but does this mean that data wasn't taken? I haven't entered my password into the DHCP prompt that comes up - does anyone know if this means the data that is in the folder hasn't been uploaded anywhere?

Does anyone know the implications of a compromised keychain file, and how insecure/secure it is?

Thanks
s55
HandBrake Team
Posts: 10360
Joined: Sun Dec 24, 2006 1:05 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by s55 »

As reported, it seems if you see a process called activity_agent, then you're infected. (I suspect it'll just send the keychain rather than copy it to the directory, but don't hold me to that. We don't have the capabilities to analyse this ourselves.)

The safest option for people who are affected is to assume the worst and reset / change passwords for everything affected.
doctorwho
New User
Posts: 1
Joined: Sun May 07, 2017 2:31 am

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by doctorwho »

I downloaded it during the affected time period onto a test computer, which happened to be logged into my Apple ID. I dragged the app from the DMG into the Applications folder. However, I never ran the app, and the computer was wiped before I heard about this on reddit. Since the computer was wiped, I have no idea if I downloaded the trojan version or not; however, if it was never run, should I be ok?
Ritsuka
HandBrake Team
Posts: 1657
Joined: Fri Jan 12, 2007 11:29 am

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by Ritsuka »

If you never ran it, you are ok.
folp
New User
Posts: 1
Joined: Sun May 07, 2017 4:05 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by folp »

Hi there -

So I downloaded the infected copy, and my checksum matches. But I have none of the listed folders present and activity agent is not running. Should I be concerned? Or rather, how concerned should I be? I've deleted all files related to HandBrake.

Thanks!
mike
wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 »

I ran this app from the DMG for which the SHA1 matches the trojan hash. But I ran it from DMG, did not drag to the disk. Am I infected or not? The files listed in the announcement do not exist!
s55
HandBrake Team
Posts: 10360
Joined: Sun Dec 24, 2006 1:05 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by s55 »

@folp If you opened the DMG but didn't run the app you should be OK, but if you opened HandBrake.app you'll be infected.

@wesley123 -> I don't think it matters if it's within the DMG. Once you've opened HandBrake.app and you've given it an admin password, your machine is compromised.

If you're in any doubt, open "Process Monitor" and look for "activity_agent" and follow the instructions here for removal.

viewtopic.php?f=33&p=170931#p170931
wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 »

Why don't I see any of the trojan files then? Does it delete itself after it is successful? I do use Little Snitch and I don't think I got an alert about it.
wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 »

Someone should run this in a VM immediately to see what it does after it got the password field filled, and if it even runs if it detects Little Snitch, etc., if it deletes itself, etc.
s55
HandBrake Team
Posts: 10360
Joined: Sun Dec 24, 2006 1:05 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by s55 »

https://objective-see.com/blog/blog_0x1D.html Someone already has done some analysis.
wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 »

Says nothing about what it does after it's gotten what it needs. You guys should be doing the analysis anyway instead of letting others do the hard work.
s55
HandBrake Team
Posts: 10360
Joined: Sun Dec 24, 2006 1:05 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by s55 »

We are not malware or security experts. Security experts are looking at this and dissecting it. Messing with these things without the proper tools and experience (regardless of whether you're using a VM or not) is inherently dangerous, and failing to handle it properly puts others at risk.
From the link above: "After deploying the RAT onto a victim's Mac, an attacker could allegedly gain complete remote access, including viewing the user's screen in real time, recording keystrokes, uploading the victim's files, downloading additional malware, accessing the webcam, issuing shell commands, and other nefarious things. More information can be found in this PDF report published by Sixgill (their accompanying blog post was offline at the time of this article's publication)."
So, in short, it's no different to them having physical access to the machine. They've got full control.
wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 »

It isn't hard to put it in a VM and check what happens after they've got the keychain: do they delete the running process or not? That's what I need to know. I see I have /tmp/Handbrake.app but none of the other files are found on my system...
s55
HandBrake Team
Posts: 10360
Joined: Sun Dec 24, 2006 1:05 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by s55 »

The last reports we've had are that the activity_agent is persistent on the system and doesn't delete itself, but I should point out that there is a person on the other end of this Trojan, so it's conceivable they could re-program or hide it remotely on demand.

There is also the possibility that the fact you ran it from the DMG in some way stopped it from executing its payload.

VMs are neither safe nor reliable for telling what a trojan does. Many detect the presence of one and don't behave the same to avoid detection. Even isolating the thing from the internet to avoid infecting others may have an impact. There is also the risk that the Trojan can break out of the VM container that it's in. As I said, we are not malware experts, so messing with this thing really isn't smart.
wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 »

I also hear a lot of trojans don't do anything when they see Little Snitch is installed, so that may be another factor to consider.
s55
HandBrake Team
Posts: 10360
Joined: Sun Dec 24, 2006 1:05 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by s55 »

I've reached out to some contacts to see if I can get a better answer for you.

If you didn't get an Admin password prompt, then you may well be right that it detected Little Snitch.
vennage
New User
Posts: 1
Joined: Mon May 08, 2017 8:53 am

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by vennage »

I have a file that should be compromised, as its SHA matched your compromised key. But neither of the two mentioned files nor the process were there. Are you sure that all files matching the compromised SHA key were infected?
Superhai
Posts: 2
Joined: Sun Mar 08, 2015 2:37 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by Superhai »

vennage wrote: Mon May 08, 2017 8:57 am Are you sure that all files matching the compromised SHA key were infected?
A SHA checksum is pretty unique, so it must contain the same files. But the trojan may be installed/run conditionally.
Michael77
Posts: 1
Joined: Mon May 08, 2017 7:19 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by Michael77 »

Is it possible to be infected after auto-update? Or was auto-update not affected?
Ritsuka
HandBrake Team
Posts: 1657
Joined: Fri Jan 12, 2007 11:29 am

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by Ritsuka »

Only if you had version 0.10.x and lower. Please note version 0.10.x and lower auto-update does not work on macOS Sierra. HandBrake 1.0 and later checks the downloaded file signature before replacing the existing app.

See the forum announcement for more info.
Deleted User 11865

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by Deleted User 11865 »

s55 wrote: Sat May 06, 2017 8:13 am viewtopic.php?f=33&t=36364
…if you don't care to scroll up ;)
Superfly
New User
Posts: 1
Joined: Mon May 08, 2017 9:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by Superfly »

I was unfortunate to fall victim to this. I have removed as directed, but am wondering a few things.

My computer was not restarted and I was the only user logged in from install until I learned of the virus. I did enter my admin password when prompted for "additional codecs".

I know I need to change my login for this computer, and passwords stored in my keychain.

Do any of the other users who were not logged into this computer need to change all their passwords as well?

Anything else I should know?
UberHiker
Posts: 2
Joined: Sat May 06, 2017 5:08 am

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by UberHiker »

folp wrote: Sun May 07, 2017 4:08 pm Hi there -

So I downloaded the infected copy, and my checksum matches. But I have none of the listed folders present and activity agent is not running. Should I be concerned? Or rather, how concerned should I be? I've deleted all files related to HandBrake.

Thanks!
mike
Same here. I was on OS X 10.8.5 and despite getting the infected dmg, and giving it my password, I've seen none of the other symptoms. I was about ready to wipe the computer anyway, so I've since reformatted the HD and reinstalled the OS and changed the passwords that were in my keychain. But I'd still like to know if they actually got anything from me.