This 'nib' is a password-protected zip file whose password is: qzyuzacCELFEYiJ52mhjEC7HYl4eUPAR1EEf63oQ5iTkuNIhzRk2JUKF4IXTRdiQ

unzips Contents/Resources/HBPlayerHUDMainController.nib to /tmp/HandBrake.app.

Let's first start with the infected HandBrake.app that was distributed via a hacked mirror server of the legitimate HandBrake website ( ):

As mentioned in the previous blog post, when run by the user, the infected HandBrake application kicks off the install of OSX/Proton.B.

Want to join me (virtually) at 11294 meters in the sky, as we dive into OSX/Proton.B?

I ran the Terminal commands from the HB team, which implying the launch agent plist file didn't exist". 'activity_agent' was not running in my Activity monitor. I ran the steps and commands to remove the file, and had these results: I had downloaded what turned out to be the infected DMG from the Handbrake site last week.

Most interestingly, several users pinged me, stating that while they ran the infected HandBrake application, they didn't seem to be persistently infected. Moreover, I received a bunch of emails from the HandBrake developers, infected users, and friends requesting more details on the malware.

Now though, I'm 'stuck' on a flight to Europe (en route to present at 'PositiveHack Days' in Moscow) - so have a massive amount of free time.

I recently blogged about how the app was trojaned and how the malware persistently installed itself: "HandBrake Hacked! OSX/Proton (re)Appears." However, due to timing constraints (and the fact that it was the weekend) I didn't really dive into the technical details of the malware that much.

One goal of the hack was to infect macOS users by trojaning the legitimate HandBrake application with a new variant of OSX/Proton.

Want to play along? I've shared both the trojaned HandBrake disk image and OSX/Proton.B payload, which can be downloaded here (password: infect3d).

As I'm sure you are now aware, a mirror server of the popular open-source video transcoder, HandBrake, was hacked.