Possible Trojan after updating Mac-Version to 1.0.7
Forum rules
An Activity Log is required for support requests. Please read How-to get an activity log? for details on how and why this should be provided.
- Posts: 2
- Joined: Tue May 09, 2017 1:12 am
Re: Possible Trojan after updating Mac-Version to 1.0.7
Any more details on the data that was sent back to the download server?
Would be great if that info can be exposed so folks know who/what exactly was stolen
Re: Possible Trojan after updating Mac-Version to 1.0.7
@justhereforaq No data was sent back to our download server. The Trojan used other compromised servers that didn't belong to us for command and control.
While primarily PROTON seems to download data from your browser and/or password managers, it has the capability to download anything from the machine should the attacker choose.
Re: Possible Trojan after updating Mac-Version to 1.0.7
https://www.cybereason.com/labs-proton- ... ally-does/
It will send password files from all browsers, your keychain, and 1Password if you have that installed to their website.
Interesting to note there appears to be mention of Little Snitch in that decrypted file, but the article does not mention if it does not do anything when it is found out that Little Snitch is on the system.
Re: Possible Trojan after updating Mac-Version to 1.0.7
So from what I gather the /etc/sudoers file should have been adjusted if you have the trojan. This was not the case for me (I have Little Snitch installed). I also checked the modification date.
Also /var/log and /Library/Logs should be emptied; this was not the case for me (I have entries there since before May).
Re: Possible Trojan after updating Mac-Version to 1.0.7
According to objective-see:
AFAIK, it does not
[10:01]
let me check though...
[10:01]
yah, pretty sure that's why it does check for LS, to make sure LS wouldn't pop
Re: Possible Trojan after updating Mac-Version to 1.0.7
Actually the original objective-see post was updated:
https://objective-see.com/blog/blog_0x1F.html
The first items from this list that the malware extracts and utilizes are the following paths:
/Library/Extensions/LittleSnitch.kext
/Library/Extensions/Radio Silence.kext
/Library/Extensions/HandsOff.kext
For each of these paths, it checks if they exist on disk, and if so, the malware immediately exits!
Re: Possible Trojan after updating Mac-Version to 1.0.7
It's pretty nice for those who have it installed; they got lucky.
Re: Possible Trojan after updating Mac-Version to 1.0.7
I have version 1.0.2 installed on my Mac running 10.10.5.
I've run the following commands to get the checksum:
COMMAND : shasum -a 1 /Applications/HandBrake.app/Contents/MacOS/HandBrake
RESPONSE : 95017f8cc3d634d71b45407830d22e65a9098cb8 /Applications/HandBrake.app/Contents/MacOS/HandBrake
COMMAND : shasum -a 256 /Applications/HandBrake.app/Contents/MacOS/HandBrake
RESPONSE : 200c8ace634f792bffd3142f96c2187943c0243a441363220202552eb804dcec /Applications/HandBrake.app/Contents/MacOS/HandBrake
I couldn't see that either of those checksums matched the sums published on the HandBrake GitHub page here: https://github.com/HandBrake/HandBrake/wiki/Checksums
Could someone confirm if I have an infected copy or not? Thanks in advance!
Re: Possible Trojan after updating Mac-Version to 1.0.7
The checksums are for the DMG image. Not the .app.
1.0.2 was not infected.
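As the reply above points out, the published checksums cover the downloaded .dmg, not the binary inside the .app bundle, so hashing the installed application will never match. The script below is an added example (not HandBrake's own tooling) that hashes a .dmg and compares it against a "sha256  filename" line of the kind found on a checksums page; the file names used in it are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify a downloaded .dmg against a published checksum list
# before opening it. Hash the image itself, never the .app it installs.

sha256_of() {
    # macOS ships shasum; most Linux systems ship sha256sum. Print only the hex digest.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_dmg FILE CHECKSUMS_FILE
# CHECKSUMS_FILE holds "<sha256>  <filename>" lines (filenames without spaces).
# Returns 0 on match, 1 on mismatch, 2 if FILE is not listed at all.
verify_dmg() {
    dmg="$1"; sums="$2"
    name=$(basename "$dmg")
    expected=$(awk -v n="$name" '$2 == n {print tolower($1); exit}' "$sums")
    if [ -z "$expected" ]; then
        echo "no published checksum for $name; do not trust this download" >&2
        return 2
    fi
    actual=$(sha256_of "$dmg")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH for $name: do not open this image" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}
```

A mismatch or an unlisted file is a reason to re-download from the official site and compare again, not a reason to open the image.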
Re: Possible Trojan after updating Mac-Version to 1.0.7
We've written up a postmortem about the attack: viewtopic.php?f=33&t=36399
Re: Possible Trojan after updating Mac-Version to 1.0.7
Seems like a big company (Panic) lost all its private source code thanks to this malware. I hope your team reached out to them.
Re: Possible Trojan after updating Mac-Version to 1.0.7
No, they didn't. As far as I can tell, what happened is the attacker now has access to their code, and is in a position to release unofficial builds of Panic's proprietary applications.
- JohnAStebbins
- HandBrake Team
- Posts: 5712
- Joined: Sat Feb 09, 2008 7:21 pm
Re: Possible Trojan after updating Mac-Version to 1.0.7
Yes, we did reach out to them. The full account of what happened to Panic is documented by the victim himself here: Panic. I encourage you to read it. This could happen to anyone.