Data Stealing macOS Trojan Is Back Spreading Through Compromised Software Downloads

Oct 20, 2017

macOS users who downloaded Elmedia Player from the developer's website may have installed a trojanized copy of the media player. Security researchers revealed last night that Eltima had been "distributing a version of their application trojanized with the OSX/Proton malware on their official website." The company has said it suffered a security breach.

The incident recalls last month's CCleaner episode, which put millions of users at risk when a malicious copy of the utility was distributed through Avast's own servers. That company also reported a security breach, and the subsequent investigation revealed that the malicious payload was built for industrial espionage, with a target list that included Google and Intel.


In the latest incident, researchers at ESET notified Eltima, the maker of Elmedia Player, that its website was distributing OSX/Proton inside the company's own software. Eltima cleaned up its website at 3:10pm EDT on October 19, and the site is now serving the legitimate application. ESET says the company was "very responsive and maintained an excellent communication with us throughout the incident."

How to check whether you are affected by the data-stealing Proton RAT

Because the timeline of the attack is not yet known, it is unclear how many users may have been affected; the media player boasts over a million downloads. If you are a user, ESET suggests looking for the following files and directories to determine whether you have been compromised.

/tmp/Updater.app/
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand/
/Library/.rand/updateragent.app/

If any of these exists, OSX/Proton is most likely running on your system. Security experts advise a complete macOS reinstall, as that is the "only sure way to get rid of the malware."
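The following Python script is added here as a worked example of that check; it is not part of this article or of ESET's report. It looks for the four indicators listed above and, as a heuristic that goes beyond ESET's list, also flags launchd jobs whose program lives under /tmp or inside a hidden directory, which is how a LaunchAgent such as com.Eltima.UpdaterAgent.plist would point at /Library/.rand. The executable path it assumes inside updateragent.app and the sample tree it builds are constructed for the demonstration, not taken from a real infection.

```python
"""Scan a macOS volume for the OSX/Proton indicators that ESET published.

Pass a different root to scan a mounted disk image or a constructed test tree.
"""
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Indicators of compromise from ESET's report, relative to the volume root.
PROTON_IOCS = [
    "tmp/Updater.app",
    "Library/LaunchAgents/com.Eltima.UpdaterAgent.plist",
    "Library/.rand",
    "Library/.rand/updateragent.app",
]

# Directories launchd reads system-wide persistence jobs from.
LAUNCHD_DIRS = ["Library/LaunchAgents", "Library/LaunchDaemons"]


def find_proton_iocs(root="/"):
    """Return the ESET indicators that are present under `root`, in list order."""
    root = Path(root)
    return [ioc for ioc in PROTON_IOCS if (root / ioc).exists()]


def is_suspicious_program_path(program):
    """Heuristic (an assumption of this example, not one of ESET's indicators):
    a launchd job whose binary lives under /tmp or inside a hidden directory
    such as /Library/.rand deserves a closer look."""
    parts = Path(program).parts
    in_hidden_dir = any(part.startswith(".") for part in parts)
    in_tmp = program.startswith(("/tmp/", "/private/tmp/", "/var/tmp/"))
    return in_hidden_dir or in_tmp


def suspicious_launch_agents(root="/"):
    """Parse every launchd plist under `root` and return (plist, program) pairs
    whose program path trips is_suspicious_program_path()."""
    root = Path(root)
    findings = []
    for rel_dir in LAUNCHD_DIRS:
        job_dir = root / rel_dir
        if not job_dir.is_dir():
            continue
        for plist_path in sorted(job_dir.glob("*.plist")):
            try:
                with open(plist_path, "rb") as fh:
                    job = plistlib.load(fh)
            except (plistlib.InvalidFileException, ExpatError, ValueError, OSError):
                continue  # unreadable or malformed plist: skip it, do not abort the scan
            args = job.get("ProgramArguments") or []
            program = job.get("Program") or (args[0] if args else None)
            if program and is_suspicious_program_path(program):
                findings.append((str(plist_path.relative_to(root)), program))
    return findings


def build_sample_tree():
    """Constructed test tree (not a real infection) that reproduces the four
    ESET indicators plus one benign job, so the scanner can be exercised offline.
    The executable path inside updateragent.app is an assumption of this example."""
    root = Path(tempfile.mkdtemp(prefix="proton-demo-"))
    (root / "tmp/Updater.app").mkdir(parents=True)
    (root / "Library/.rand/updateragent.app").mkdir(parents=True)
    agents = root / "Library/LaunchAgents"
    agents.mkdir(parents=True)
    malicious = {
        "Label": "com.Eltima.UpdaterAgent",
        "ProgramArguments": ["/Library/.rand/updateragent.app/Contents/MacOS/updateragent"],
        "RunAtLoad": True,
    }
    benign = {"Label": "com.example.backup", "Program": "/usr/local/bin/backup"}
    with open(agents / "com.Eltima.UpdaterAgent.plist", "wb") as fh:
        plistlib.dump(malicious, fh)
    with open(agents / "com.example.backup.plist", "wb") as fh:
        plistlib.dump(benign, fh)
    return root


if __name__ == "__main__":
    # Live scan of the boot volume; run with admin rights so /Library/.rand is visible.
    for ioc in find_proton_iocs("/"):
        print("IoC present:", "/" + ioc)
    for plist, program in suspicious_launch_agents("/"):
        print("suspicious launchd job:", plist, "->", program)
```

Run it with sudo on the suspect Mac, or point both functions at the mount point of a disk image taken from it. A clean result only shows that these particular indicators are absent; a later build of the trojan could use different paths, so treat ESET's list as a minimum rather than a guarantee.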

OSX/Proton is a Remote Access Trojan designed to steal data from macOS users and stay persistent on the target system. From operating system details to browser history and macOS keychain data, the trojan is capable of stealing most of the sensitive information stored on your computer. Here's the full list revealed by ESET.

  • Operating system details: hardware serial number (IOPlatformSerialNumber), full name of the current user, hostname, System Integrity Protection status (csrutil status), gateway information (route -n get default | awk '/gateway/ { print $2 }'), current time & timezone
  • Browser information from Chrome, Safari, Opera and Firefox: history, cookies, bookmarks, login data, etc.
  • Cryptocurrency wallets:
    • Electrum: ~/.electrum/wallets
    • Bitcoin Core: ~/Library/Application Support/Bitcoin/wallet.dat
    • Armory: ~/Library/Application Support/Armory
  • SSH private data (entire .ssh content)
  • macOS keychain data using a modified version of chainbreaker
  • Tunnelblick VPN configuration (~/Library/Application Support/Tunnelblick/Configurations)
  • GnuPG data (~/.gnupg)
  • 1Password data (~/Library/Application Support/1Password 4 and ~/Library/Application Support/1Password 3.9)
  • List of all installed applications

The researchers add in their report that "victims should also assume at least all the secrets outlined" above are "compromised and take appropriate measures to invalidate them." Distribution of the malicious copy has now been stopped.

Attackers can also use Proton to download and execute additional malware on infected systems, so a macOS reinstall is strongly advised for anyone who downloaded a copy from Eltima's website.
