Eltima Apps Open Doors for OSX Proton

Another software supply-chain attack hits hundreds of Mac users


OSX Proton, the nefarious malware, is back. This time it has infected two Elmedia apps, Elmedia Player and Folx, in the same way it was deployed in the open-source video transcoder HandBrake in May.

But this time it is more sophisticated: the attackers used a legitimate developer ID in the name “Clifon Grimm” to sign the wrapper that bundles Proton with the genuine app.

As soon as the issue was reported, Apple revoked the certificate.

What is Elmedia Player?


A popular, highly versatile media player for Mac that supports almost every file format you can think of: FLV, MP4, AVI, MOV, DAT, MKV, MP3, FLAC, M4V and many more. It gives smooth HD playback without interruptions or slowdowns.

How did the Elmedia apps get compromised?

The attackers exploited a vulnerability in the tiny_mce JavaScript library on the company’s server to break into it and trojanize its two products, Elmedia Player and Folx. Because the wrapper was signed with a legitimate developer ID, the malware easily slipped past the security checks.


What is Proton RAT?


Proton is a powerful remote access Trojan (RAT) targeting Mac, with extensive stealing and spying abilities. It gives the attacker a backdoor into compromised systems.

Written in Objective-C, it runs without any dependencies and is promoted by its developer as a “professional FUD surveillance and control solution, with which you can do almost everything with (a) target’s Mac.”

With root privileges, Proton works as a keylogger, uploads and downloads files, takes screenshots, accesses the webcam, and provides SSH and VNC connectivity. It can even go as far as harvesting data such as credit card numbers.

How does Proton malware work?

It collects information from infected hosts, such as OS details, and enables the theft of browser passwords, browser cookies and history, cryptocurrency wallet data, SSH private keys, macOS keychain data, VPN configs, GnuPG data, 1Password data and much more.

In addition, it can also download and execute new malware on infected hosts.

When a user downloads either of the two infected apps, OSX Proton attacks the Mac and gives the attacker an almost complete view of the compromised system.

Who can be a victim?

If you downloaded the software from the Eltima website on October 19th before 3:15 pm EDT and ran it, your system may have been compromised.

Is my Mac compromised?


Worried that your Mac may be infected? If you have recently downloaded Elmedia Player or Folx, check whether any of the following files or directories exist on your machine:

/tmp/Updater.app/

/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist

/Library/.rand/

/Library/.rand/updateragent.app/

If any of these files are present, the trojanized version of Elmedia Player is installed and Proton is most likely running on the system.

However, the built-in automatic update mechanism seems unaffected.
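The check described above can be scripted so it is repeatable across several Macs. The following shell script is an added example, not code from the original article or from Eltima: it looks for the four indicator paths listed above and reports any that exist. The optional ROOT prefix argument and the function name `check_proton_iocs` are assumptions added here so the check can be exercised against a staged directory tree rather than only the live system.

```shell
#!/bin/sh
# Added example, not part of the original article: check a Mac for the
# Proton indicator paths listed above. The four paths come from the article;
# the optional ROOT prefix argument is an assumption added here so the check
# can be run against a staged directory instead of the live filesystem.

# Indicator paths from the article (none contain spaces, so a word list is safe).
PROTON_IOCS="/tmp/Updater.app /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist /Library/.rand /Library/.rand/updateragent.app"

# check_proton_iocs [ROOT]
# Prints every indicator found below ROOT (default "" = the real filesystem).
# Returns 0 when none exist, 1 when at least one does.
check_proton_iocs() {
    root="${1:-}"
    found=0
    for ioc in $PROTON_IOCS; do
        # -e matches both plain files (the .plist) and directories (the .app bundles)
        if [ -e "$root$ioc" ]; then
            printf 'FOUND: %s\n' "$root$ioc"
            found=1
        fi
    done
    return "$found"
}

# When run directly: report the result for the given ROOT (or the live system).
if check_proton_iocs "${1:-}"; then
    echo "No Proton indicators found."
else
    echo "Indicators present: treat this Mac as compromised."
fi
```

Run it as `sh check_proton.sh` on the Mac in question; no root privileges are needed, since `-e` only has to stat the paths. The `com.Eltima.UpdaterAgent.plist` entry is the one to watch most closely: files in `/Library/LaunchAgents` are loaded by launchd at login, so its presence indicates persistence, not just a leftover download.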

How to get rid of the infection?

Unfortunate victims of this attack will need to do a full OS reinstall and then download a fresh copy of Elmedia Player; as noted above, the automatic update mechanism itself was unaffected. This is the only sure way to get rid of the malware. Victims should also take appropriate measures for the data listed above (passwords, keys, wallets and so on), as it must be considered compromised.

Conclusion

This is not the first time a Mac software supplier’s website has been compromised; several other attempts of the same nature have been observed. Because OSX Proton is sold on the dark web, it is easily available to attackers. We all trust Mac systems for their security features, but hackers don’t miss a chance to attack them. So don’t assume you are safe: the only way to stay safe is to be cautious.
