
Handbrake Developers Issue Mac Security Warning After Mirror Server Was Compromised
If you have recently downloaded Handbrake, a popular video conversion app for Mac, there is a good chance your system is now infected with a nasty Remote Access Trojan (RAT).
On Saturday, the HandBrake team posted a security alert after learning that one of their mirror download servers had been hacked. The attacker was able to replace the Mac version of the app with a malicious version.
The HandBrake team said an attacker compromised the download mirror server at download.handbrake.fr and replaced the HandBrake-1.0.7.dmg installer file with a version infected with a new variant of the Proton RAT. The team warned that users who downloaded HandBrake for Mac between 10:30 a.m. EDT on May 2nd and 7:00 a.m. EDT on May 6th have a “50/50 chance” of their Mac being infected.
The security warning stated, “If you see a process called ‘Activity_agent’ in the OSX Activity Monitor application. You are infected.” To remove this malware from an infected computer, open Terminal and run the following commands (each command has a comment above it describing what it does):

# Unload the malicious plist file
launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist

# Remove the RAT activity agent
rm -rf ~/Library/RenderFiles/activity_agent.app

# Remove the Proton RAT malware zip
rm -f ~/Library/VideoFrameworks/proton.zip

# Remove the HandBrake app from your system
rm -rf /Applications/HandBrake.app
As an extra precaution, the team also recommends that affected users change all passwords that may reside in their macOS Keychain or in any browser password stores.
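The indicators named above (the Activity_agent process and the three paths under ~/Library in the removal commands) can be checked without deleting anything. The script below is an added example, not part of the HandBrake alert or the original article; the function names and the --scan flag are made up for this example.

```shell
#!/bin/sh
# Added example: read-only check for the indicators named in the alert.
# It deletes nothing; function names and the --scan flag are made up here.

# Print every indicator path (taken from the removal commands) that exists
# under the given home directory. Returns 0 if any exist, 1 if none do.
find_proton_files() {
    found=1
    for rel in \
        Library/LaunchAgents/fr.handbrake.activity_agent.plist \
        Library/RenderFiles/activity_agent.app \
        Library/VideoFrameworks/proton.zip
    do
        if [ -e "$1/$rel" ] || [ -L "$1/$rel" ]; then
            printf '%s\n' "$1/$rel"
            found=0
        fi
    done
    return "$found"
}

# Read a process list on stdin; return 0 if any entry mentions activity_agent.
# Case-insensitive because the alert writes the name as "Activity_agent".
proton_process_listed() {
    grep -qi 'activity_agent'
}

# Run both checks for one home directory. Returns 1 if any indicator is seen.
proton_scan() {
    rc=0
    if ps -A -o comm= 2>/dev/null | proton_process_listed; then
        echo "INDICATOR (process): activity_agent is running"
        rc=1
    fi
    hits=$(find_proton_files "$1") || true
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/INDICATOR (file): /'
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "No indicators from the alert found under $1"
    return "$rc"
}

# Usage: sh check_proton.sh --scan
if [ "${1:-}" = "--scan" ]; then
    proton_scan "$HOME"
fi
```

A clean result only means these specific indicators are absent for the current user; it does not cover other accounts on the same Mac.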
[via MacRumors]