The HandBrake team issued a security alert on Saturday warning Mac users that one of the mirror servers used to distribute the software had been compromised and was serving a tampered download.
In case you aren’t aware, HandBrake is an open source video transcoder app that allows Mac users to convert multimedia files from one format to another.
Proton, first spotted for sale on a Russian underground hacking forum in February, is a macOS remote access trojan (RAT) that gives the attacker root-level control of the infected system.
The affected server has been taken down for investigation. The HandBrake team warns that anyone who downloaded HandBrake for Mac from it between May 2 and May 6, 2017 has a “50/50 chance” of having received the trojanised build and infected their Mac with Proton.
How to Check if You’re Infected?
The HandBrake team has published two simple checks that less technical users can run to find out whether they are infected.
Open the macOS Activity Monitor application; if a process named “Activity_agent” is listed, your Mac is infected with the trojan.
If the HandBrake.dmg you installed matches the checksums of the tampered file that the HandBrake team published in its alert, your Mac is infected with the trojan. A third indicator is the launch agent file ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist, which is what keeps the malware running and which the removal steps below target.
How to Remove the Proton RAT?
The HandBrake developers have also published removal instructions for Mac users who have been compromised.
Follow these steps to remove the Proton RAT from your Mac:
Step 1: Open the “Terminal” application and run the following two commands, which stop the malicious launch agent and delete its payload:
launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app
Step 2: If ~/Library/VideoFrameworks/ contains proton.zip, delete that folder.
Step 3: Once that is done, delete any copies of HandBrake.app installed on the system, and only reinstall from a download whose checksum you have verified against the values the HandBrake team published.
Do not stop there. A RAT running with root privileges can read anything on the machine, so change every password stored in your macOS Keychain and in any browser password store, and treat those credentials as compromised.
Mac users who upgraded through HandBrake's built-in updater from version 1.0 or later are not affected, because that updater verifies a DSA signature on the package it downloads and the tampered build would fail that check. The signature check protects only the in-app update path; a fresh download from the compromised mirror during the affected window is not covered by it.