![]() ![]() This is not a method we recommend to most people, due to the possibility of human error resulting in an erroneous belief that the system is clean. If the Finder complains that "The folder can't be found," that means you're probably not infected-assuming, of course, that you didn't make a mistake entering the path. You can also check by choosing Go to Folder from the Go menu in the Finder, and entering the following path: The easiest method for identifying an infection would be to install Malwarebytes for Mac, which will detect and remove Proton.C for free. However, if you have downloaded any software from Eltima Software recently, you should check to see if your system is infected. Unfortunately, we don't know yet how long Eltima Software's systems have been serving up Trojanized software. By adding this line to the end of the sudoers file, this allows the malware to authenticate once, and root privileges are allowed across all sessions. Normally, if a user is granted root privileges in the terminal, for example, those privileges will only apply within that single terminal window (session) and nowhere else. In addition, as part of the infection process, Proton.C will add a line to the sudoers file, which manages access to root privileges: It also grabs other data that could be used to connect to sensitive online resources accessible to the user. It will exfiltrate several different cryptocurrency wallets, giving the hackers the ability to steal digital money, such as Bitcoin, from the user. However, Proton.C will also collect a number of other pieces of data. The maliciously-modified Eltima apps are all signed using an Apple developer certificate issued to a "Clifton Grimm." That certificate has been revoked at this point, rendering those apps inoperable.Īs with the variant that was dropped by the hacked copy of Handbrake (Proton.B), this variant (Proton.C) will also attempt to exfiltrate the keychains and 1Password vaults containing user passwords and other sensitive information, as well as browser information, including login credentials for those who use browser functionality to remember their passwords. Since Eltima Software has cleaned up their systems at this point, it is not known how many of their other apps may also have been affected. Malware researcher also noticed that Eltima Software's Folx application is also affected, which we have confirmed. The only place that the malicious application differs from the legitimate one, as with the Handbrake hack, is a password request when the app launches. This means that the malicious app is treated as more of a background process, hidden from the Dock and the Force Quit window, eliminating one potential cause for user suspicion. To avoid suspicion by having two different Elmedia Player apps showing up on the Dock, the malicious wrapper app has the following setting in its ist file: In this case, however, Elmedia Player is not open source, so the hackers changed their methods to open an untampered copy of the real application. In the case of Handbrake, the software is open source, so the hackers were able to actually compile a malicious copy of the Handbrake app that installed the Proton malware, but otherwise behaved normally. This is a bit different than the technique used to Trojanize Handbrake. In the following screenshot, you can see the contents of the legitimate Elmedia Player app in the lefthand window, compared to the malicious wrapper app on the right. When the malicious wrapper is opened, it opens the legitimate app as a cover to make it seem like everything is working as expected. ![]() This is because the Trojanized app is actually a wrapper, containing the real Elmedia Player application. The malicious Elmedia Player app looks completely legitimate, even when opened. ![]() However, an unknown number of people have already downloaded the malicious copy of Elmedia Player and will be infected with Proton. Researchers at ESET discovered the trojanized copy of Elmedia Player on Thursday morning, and Eltima Software eliminated the malware from their servers by that afternoon. Now, Eltima Software has fallen victim to a similar attack. Then, in May, one of the servers responsible for distributing the popular Handbrake software was hacked, resulting in the distribution of a Proton-infected copy of Handbrake for a four-day period. Proton was silently added to Apple's XProtect definitions in early March, and not much was known about it at the time. At this time, it is still unknown how long their website was providing the hijacked app. The hackers responsible for the Mac malware OSX.Proton have struck again, this time infecting a copy of the Elmedia Player app that was being distributed from the official Eltima website. ![]()
0 Comments
Leave a Reply. |