Proton, a new malware that targets Mac, is spread through Handbrake

Some Mac users may have fallen victim to a new Mac malware called Proton. Over the weekend, the malware infected unsuspecting users by hitching a ride on a trusted server that hosted downloads for HandBrake, a popular DVD ripper and media encoding program. The malware provides a backdoor for malicious activity, such as stealing stored files.

At the point of propagation, none of the 55 most widely-used antivirus services detected Proton. As of writing, the VirusTotal tracking website showed only 12 services that are capable of picking up on the new malware. Researcher Patrick Wardle has plenty of other Proton details listed on his blog.

According to Ars Technica, the folks maintaining the HandBrake download mirrors said that one of their two servers was compromised by the malware. There is a 50 percent chance for a Mac user who downloaded HandBrake between May 2 and May 6, 2017 to be infected with Proton.

 

To check for the malware on your Mac, you can do a simple checksum verification by going to the Mac terminal and type in the following:

shasum /path/to/HandBrake-1.0.7.dmg

“path/to” refers to your HandBrake installation location/filename.

Alternatively, you can type “shasum” within Terminal and drag the file to the Terminal window. If it returns:

0935a43ca90c6c419a49e4f8f1d75e68cd70b274

You’ve struck lottery. Remove the malicious malware as soon as possible. To disinfect the Mac, you can remove the following Launch Agent plist file:

fr.handbrake.activity_agent.plist

Also remove the following file from your ~/Library/RenderFiles/ location:

activity_agent.app

Then proceed to nuke your Mac reset and change all passwords.

According to Ars Technica, Proton is a general-purpose backdoor malware that’s on sale on the Dark Web for as much as US$63,000. It offers keylogging, remote access, stealing of files, and the ability to take and upload webcam or screenshot video and images.