Mac Users Infected With Proton Malware through Infected Media Player Download
On Friday, the 20th of October, researchers from the security firm ESET reported that the Elmedia Player software had been compromised with malware. A further report suggested the player had been compromised for some time on the 19th of October.
Now it seems the widely held belief that Apple devices are somehow virus-proof, standing firm against malware and other cyber-attacks, is nothing but a fat, juicy lie.
Cybercriminals have managed to defeat the supposedly impenetrable Apple platform by breaching Eltima's servers and distributing the Proton malware, a Remote Access Trojan, through them.
All owners of Mac devices who recently downloaded the Elmedia Player or Folx from Eltima Software might have installed malware on their devices without knowing it, according to IT researchers at ESET. This happened after hackers infected the free Elmedia Player download file on its developer Eltima's site.
“In the current case of Eltima trojanized software, the attacker built a signed wrapper around the legitimate Elmedia Player and Proton,” researchers said in a post. “In fact, we observed what seems to be real-time repackaging and signing of the wrappers, all with the same valid Apple Developer ID.”
“Users who downloaded and executed the software on October 19 before 3:15 PM EDT, are likely compromised,” the researchers added.
The trojanized installer dropped a macOS information-stealing Trojan known as OSX/Proton, which Mac users downloaded without triggering any warning. This is the same malware that was distributed earlier this year through another Trojan-infected version of a popular macOS application, HandBrake.
A similarly orchestrated attack also took place just last month, when hackers infected over 2 million users who had downloaded version 5.33 of CCleaner, a Windows security utility made by a subsidiary of anti-virus giant Avast, with a backdoor.
Proton malware can steal a wide range of information from infected computers, including browser history, bookmarks, login data and cookies. It can also take control of cryptocurrency wallets, SSH authentication keys, macOS keychain data, Tunnelblick VPN configuration data, PGP encryption keys and data stored in 1Password, a password management application.
It was first discovered on the dark web earlier this year, where it was selling for 40 BTC (USD 41,891).
Eltima admitted that there had indeed been a hack, stating in a blog post that:
“On the 19th of October 2017 we were informed by a malware research company ESET that our servers have been hacked and our apps namely Folx and Elmedia Player DMG files are distributed with malware.”
They went on to say: “Only Elmedia Player and Folx version downloaded from our official Eltima website were infected by this malware. However, the built-in automatic update mechanism is unaffected based on the data available to our cyber security experts.”
The IT researchers further recommended that anyone who had downloaded the Elmedia Player software recently check whether their system had indeed been breached. If any of the following files or directories is present, the system has been compromised:
/tmp/Updater.app/, /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist, /Library/.rand/ and /Library/.rand/updateragent.app/.
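The check above, as an added example for a macOS terminal (not a script from ESET or Eltima): it looks for the four indicator paths the researchers listed and exits non-zero if any is present. The optional ROOT prefix argument is an assumption added so the same function can be pointed at a mounted disk image or a test directory instead of the live system.

```shell
#!/bin/sh
# Indicator paths for the trojanized Elmedia Player / Folx installers,
# exactly as listed by the researchers (trailing slashes dropped).
PROTON_IOCS="/tmp/Updater.app
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand
/Library/.rand/updateragent.app"

# check_proton_iocs [ROOT]
#   Prints every indicator found under ROOT (default: the live filesystem).
#   Returns 0 when none of the artifacts exist, 1 when at least one does.
check_proton_iocs() {
    root="${1:-}"
    found=0
    for ioc in $PROTON_IOCS; do
        # -e matches files, directories and .app bundles alike.
        if [ -e "$root$ioc" ]; then
            echo "FOUND: $root$ioc"
            found=$((found + 1))
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no Proton indicators under '${root:-/}'"
        return 0
    fi
    echo "$found indicator(s) present; treat this host as compromised"
    return 1
}

# Run only when invoked explicitly, e.g.:  sh check_proton.sh --scan
# or against an image:                     sh check_proton.sh --scan /Volumes/Image
if [ "${1:-}" = "--scan" ]; then
    check_proton_iocs "${2:-}"
fi
```

Finding an indicator confirms the infection but not its extent; the researchers' guidance for a compromised host is to change all credentials that Proton harvests (browser, keychain, SSH, PGP, 1Password) rather than only deleting the listed files.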
According to the IT researchers, only the version downloaded from the website contained the Trojan-infected application; the built-in automatic update mechanism was unaffected.
Eltima has since removed the Trojan from its site after being notified of the situation, and announced on Friday that the two apps are now free of malware and safe to install.
“Eltima is just one of a growing list of recent website compromises, and attacks leveraging third-party website code (excluding advertising code) are more common than people think and tend to peak during the latter half of the calendar year,” stated Chris Olson, Media Trust Chief Executive Officer.
“The ease of purchasing exploit kits on the dark web paired with general website security deficiency creates the perfect storm for successful web-based malware attacks,” Olson said. “Frankly, these headline-grabbing scenarios will continue until enterprises understand that the highly-dynamic digital environment requires a continuous security approach,” he added.