
From May 2 to May 6, the official Mac client of HandBrake was distributed with a "rat"



If you downloaded the popular HandBrake transcoder for OS X from the official website between May 2 and May 6, 2017, there is a 50% chance that you also got Proton RAT, a program for remotely controlling a computer. After breaking into a HandBrake server, unknown persons replaced the official distribution with one that had a "rat" planted in it, as RAT programs are sometimes called in jargon.

The HandBrake-1.0.7.dmg file on the download.handbrake.fr mirror was replaced with another file whose hash does not match the checksums listed at https://github.com/HandBrake/HandBrake/wiki/Checksums.

HandBrake is free and open source software for transcoding digital video files. It was originally developed in 2003 to make it easier to rip DVDs, i.e. to copy movies from a DVD to the HDD. Since then the program has changed a great deal and is now used mainly for transcoding existing files. For example, after downloading a maximum-quality version from a torrent, you may need a copy for an iPhone or Android device with an acceptable resolution and size. During transcoding HandBrake lets you set the desired bitrate, a maximum file size, or a "constant quality" setting that varies the bitrate. The program supports many specialised functions, including deinterlacing, image scaling, cropping, removing decomposition artifacts, and other post-production effects. Files can be processed in batch mode, with job lists built through the GUI or through the command-line interface. HandBrake supports many input and output formats for both video and audio.
There are versions of HandBrake for Linux, macOS and Windows, but in this case the attackers altered only the macOS version.

The notice about the compromise of the official download mirror was published on the HandBrake forum on the morning of May 6, 2017. It states that everyone who downloaded the official HandBrake client for Mac between May 2, 14:30 UTC and May 6, 11:00 UTC should check the file's SHA1 or SHA256 hash before running it.

If you did not check the file in time and have already launched the program, you need to examine the computer for the presence of the Trojan. If you downloaded the program in the specified period, it is present on the system with a 50/50 probability. The developers stress that the built-in updater in version 1.0 or higher could not have installed the Trojan: since version 1.0 it checks the digital signature and refuses to install an update whose signature does not match. Earlier versions of the updater do not check the signature, so they could have installed a file with the RAT built in.

You can detect the Trojan on a computer by the presence of a process named Activity_agent in the OS X Activity Monitor application.

If you still have the downloaded HandBrake.dmg file, you can compare its hashes with those of the infected file:

SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

If your file has either of these hashes, it is infected.
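The check described above, written out as a small script; this is an added example, not code from the article or from the HandBrake project. It hashes the downloaded .dmg in chunks, compares the result against the two malicious hashes quoted above, and then against the legitimate checksum, which you must copy yourself from the project's Checksums wiki page into the placeholder GOOD_SHA256 (the value below is not the real one).

```python
import hashlib
from pathlib import Path

# Hashes of the trojanised HandBrake-1.0.7.dmg, as published in the article above.
BAD_SHA1 = "0935a43ca90c6c419a49e4f8f1d75e68cd70b274"
BAD_SHA256 = "013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793"

# PLACEHOLDER, not the real value: paste the SHA256 of the genuine HandBrake-1.0.7.dmg
# from https://github.com/HandBrake/HandBrake/wiki/Checksums here before relying on "genuine".
GOOD_SHA256 = "<sha256 of the genuine HandBrake-1.0.7.dmg from the Checksums wiki>"


def file_digests(path):
    """Return (sha1, sha256) hex digests of a file, read in 1 MiB chunks so a large .dmg fits in memory."""
    sha1 = hashlib.sha1()
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return sha1.hexdigest(), sha256.hexdigest()


def classify(sha1_hex, sha256_hex, good_sha256=GOOD_SHA256):
    """Known-bad hashes win over everything else; a match on the published good hash means genuine;
    anything else is 'unknown' and should not be run (re-download from the official mirror)."""
    sha1_hex = sha1_hex.lower()
    sha256_hex = sha256_hex.lower()
    if sha1_hex == BAD_SHA1 or sha256_hex == BAD_SHA256:
        return "infected"
    if sha256_hex == good_sha256.lower():
        return "genuine"
    return "unknown"


def check_file(path, good_sha256=GOOD_SHA256):
    """Hash the file on disk and classify it."""
    sha1_hex, sha256_hex = file_digests(path)
    return classify(sha1_hex, sha256_hex, good_sha256)


if __name__ == "__main__":
    import sys
    # Default path is an assumption: the usual browser download location on macOS.
    target = sys.argv[1] if len(sys.argv) > 1 else str(Path.home() / "Downloads" / "HandBrake-1.0.7.dmg")
    print(target, "->", check_file(target))
```

A file that matches neither list is reported as "unknown" on purpose: an unrecognised hash is not evidence of a clean file, only that it is not the sample described here.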

Reportedly, a new version of a RAT called OSX.PROTON was bundled with the transcoder. This program was first seen offered for sale on Russian underground forums in February 2017.



To remove the program, open the terminal and execute the following commands:


Then delete every installed copy of HandBrake.app that you can find.

Next steps
Since this RAT (probably of Russian origin) gives complete control over the victim's computer, the computer and all information on it should be considered compromised. You therefore need to change all passwords stored in the operating system and browser, as well as any you have typed manually recently.

There are now convenient public services (such as VirusTotal) that let you check any file against all antivirus engines at once. Malware authors routinely run their files through such services after obfuscation to see how well the obfuscation holds up. If no antivirus flags the program, it can be distributed. That is why the built-in macOS antivirus, XProtect, did not detect the Trojan. Apple is now updating its signature database, and the update should reach users yesterday or today.

Keep in mind that with services like VirusTotal, signature updates always arrive after a new piece of malware has already been distributed and installed on users' computers. Nobody would distribute malware that antivirus already detects. Consequently, the usefulness of an antivirus on the computer is largely lost, especially since antiviruses themselves are an additional hole in the system's security.

At the moment the download.handbrake.fr mirror is temporarily closed for investigation. The main official mirror continues to work, so you can download the official version of the transcoder from it. Download speed has dropped because of the increased server load, but the HandBrake build offered now is most likely free of the Trojan.

Deja vu
Interestingly, the main developer of HandBrake is also the author of the Transmission torrent client. Believe it or not, in March 2016 unknown attackers broke into the official Transmission server and replaced the original file with a version carrying the KeRanger malware. A couple of months later the same mirror was hacked again, this time with the OSX/Keydnap malware planted in the official client.

Source: https://habr.com/ru/post/403773/
