HandBrake Developers Issue Mac Security Warning After Mirror Server Was Compromised

If you have recently downloaded HandBrake, a popular video conversion app for Mac, there is a good chance your system is now infected with a nasty Remote Access Trojan (RAT).

On Saturday, the HandBrake team posted a security alert after learning that one of its download mirror servers had been hacked. The attacker replaced the Mac version of the app with a malicious one.

The HandBrake team said an attacker compromised the download mirror server at download.handbrake.fr and replaced the HandBrake-1.0.7.dmg installer file with a version infected with a new variant of the Proton RAT. The team warned that users who downloaded HandBrake for Mac between 10:30 a.m. EDT on May 2nd and 7:00 a.m. EDT on May 6th have a “50/50 chance” of their Mac being infected.

The security warning stated, “If you see a process called ‘Activity_agent’ in the OSX Activity Monitor application. You are infected.” In order to remove this malware from an infected computer, open Terminal and run the following commands (each command has a comment above it describing what it does):

# Unload the malicious plist file 
launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist

# Remove the RAT activity agent
rm -rf ~/Library/RenderFiles/activity_agent.app

# Remove the Proton RAT malware zip
rm -f ~/Library/VideoFrameworks/proton.zip

# Remove the HandBrake app from your system.
rm -rf /Applications/HandBrake.app
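
A read-only check for the indicators named in the alert, useful before running the removal commands above. This is an added example, not part of the HandBrake team's alert; the function names are hypothetical, and the paths and process name are the ones quoted in this article.

```shell
#!/bin/sh
# Added example: read-only check for the Proton indicators named in the alert.
# Paths and process name come from the article; function names are hypothetical.

# Print each file-system indicator that exists under the given home directory
# (defaults to $HOME). Exit status 0 if none found, 1 if at least one exists.
proton_file_indicators() {
    home_dir="${1:-$HOME}"
    found=0
    for rel in \
        "Library/LaunchAgents/fr.handbrake.activity_agent.plist" \
        "Library/RenderFiles/activity_agent.app" \
        "Library/VideoFrameworks/proton.zip"
    do
        if [ -e "$home_dir/$rel" ]; then
            printf 'FOUND %s\n' "$home_dir/$rel"
            found=1
        fi
    done
    return "$found"
}

# Report whether a process named Activity_agent (any letter case) is running.
# Exit status 1 if it is, 0 if not or if pgrep is unavailable.
proton_process_running() {
    command -v pgrep >/dev/null 2>&1 || return 0
    if pgrep -i -x activity_agent >/dev/null 2>&1; then
        printf 'FOUND running process Activity_agent\n'
        return 1
    fi
    return 0
}

# Run both checks; print a verdict line and return 1 if anything matched.
proton_check() {
    rc=0
    proton_file_indicators "${1:-$HOME}" || rc=1
    proton_process_running || rc=1
    if [ "$rc" -eq 0 ]; then
        printf 'No Proton indicators from the alert were found.\n'
    else
        printf 'Indicators present: follow the removal steps above.\n'
    fi
    return "$rc"
}
```

Load the functions into a Terminal session and run proton_check; it only tests for existence and deletes nothing.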

As an extra precaution, the team also recommends changing all passwords that may reside in your macOS KeyChain or in any browser password stores.

[via MacRumors]

 
