Possible Trojan after updating Mac-Version to 1.0.7

HandBrake for Mac support
Forum rules
An Activity Log is required for support requests. Please read How-to get an activity log? for details on how and why this should be provided.
justhereforaq
Posts: 2
Joined: Tue May 09, 2017 1:12 am

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by justhereforaq »

Any more details on the data that was sent back to the download server?

It would be great if that info could be exposed so folks know who/what exactly was stolen.
s55
HandBrake Team
Posts: 10350
Joined: Sun Dec 24, 2006 1:05 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by s55 »

@justhereforaq No data was sent back to our download server. The Trojan used other compromised servers that didn't belong to us for command and control.

While primarily PROTON seems to download data from your browser and/or password managers, it has the capability to download anything from the machine should the attacker choose.
wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 »

https://www.cybereason.com/labs-proton- ... ally-does/

It will send password files from all browsers, your keychain, and 1Password (if you have that installed) to their website.

Interesting to note that there appears to be a mention of Little Snitch in that decrypted file, but the article does not say whether it stops doing anything when it finds that Little Snitch is on the system.
wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 »

So from what I gather, the /etc/sudoers file should have been adjusted if you have the Trojan. This was not the case for me (I have Little Snitch installed). I also checked the modification date.

Also, /var/log and /Library/Logs should have been emptied; this was not the case for me (I have entries there from before May).
wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 »

According to objective-see:

AFAIK, it does not

[10:01]
let me check though...

[10:01]
yeah, pretty sure that's why it does check for LS, to make sure LS wouldn't pop
wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 »

Actually, the original objective-see post was updated:

https://objective-see.com/blog/blog_0x1F.html

The first items from this list that the malware extracts and utilizes are the following paths:
/Library/Extensions/LittleSnitch.kext
/Library/Extensions/Radio Silence.kext
/Library/Extensions/HandsOff.kext
For each of these paths, it checks if they exist on disk, and if so, the malware immediately exits!
Deleted User 11865

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by Deleted User 11865 »

It's pretty nice for those who have it installed, they got lucky :)
vels
New User
Posts: 1
Joined: Sun May 14, 2017 1:37 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by vels »

I have version 1.0.2 installed on my Mac running 10.10.5.

I've run the following commands to get the checksum:

COMMAND : shasum -a 1 /Applications/HandBrake.app/Contents/MacOS/HandBrake
RESPONSE : 95017f8cc3d634d71b45407830d22e65a9098cb8 /Applications/HandBrake.app/Contents/MacOS/HandBrake

COMMAND : shasum -a 256 /Applications/HandBrake.app/Contents/MacOS/HandBrake
RESPONSE : 200c8ace634f792bffd3142f96c2187943c0243a441363220202552eb804dcec /Applications/HandBrake.app/Contents/MacOS/HandBrake

I couldn't see that either of those checksums matched the sums published on the HandBrake GitHub page here: https://github.com/HandBrake/HandBrake/wiki/Checksums

Could someone confirm if I have an infected copy or not? Thanks in advance!
s55
HandBrake Team
Posts: 10350
Joined: Sun Dec 24, 2006 1:05 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by s55 »

The checksums are for the DMG image, not the .app.

1.0.2 was not infected.
BradleyS
Moderator
Posts: 1860
Joined: Thu Aug 09, 2007 12:16 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by BradleyS »

We've written up a postmortem about the attack: viewtopic.php?f=33&t=36399
wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 »

Seems like a big company (Panic) lost all its private source code thanks to this malware. I hope your team reached out to them.
Deleted User 11865

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by Deleted User 11865 »

wesley123 wrote: Fri May 19, 2017 7:48 am Seems like a big company (Panic) lost all its private source code thanks to this malware. I hope your team reached out to them.
No, they didn't. As far as I can tell, what happened is the attacker now has access to their code, and is in a position to release unofficial builds of Panic's proprietary applications.
JohnAStebbins
HandBrake Team
Posts: 5712
Joined: Sat Feb 09, 2008 7:21 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by JohnAStebbins »

wesley123 wrote: Fri May 19, 2017 7:48 am Seems like a big company (Panic) lost all its private source code thanks to this malware. I hope your team reached out to them.
Yes, we did reach out to them. The full account of what happened to Panic is documented by the victim himself here: Panic. I encourage you to read it. This could happen to anyone.