Eltima Elmedia Player/Folx
Eltima installers bundled Proton RAT.
Eltima Software download servers were compromised, and macOS installers for Elmedia Player and Folx were bundled with the Proton RAT. Users seeking media and download utilities from the official site received remote-access malware folded into otherwise familiar application packages for macOS.
- Date
- 2017-10-19 to 2017-10-20
- Category
- Commercial
- Target Surface
- Distribution
- Insertion Phase
- distribution
- Impact
- Backdoor
- Cause
- Server compromise
What Was Affected
Package
Eltima Elmedia Player/Folx
Language
Swift
Component
Application
Artifact type
binary archive
Domain type
project download host
Domain
mac.eltima.com
Compromised Versions
- Elmedia Player (builds distributed on Oct 19th, 2017)
- Folx (builds distributed on Oct 19th, 2017)
Incident Context
- Motive
- Financial gain
- Attribution
- Cybercriminal Gang
- Transitive
- No
- Observed Duration
- 1 day
Evidence
Compromised Artifacts
Current Artifacts and Analysis
- welivesecurity.com/2017/10/21/osxproton-supply-chain-attack-elmedia-player-folx
- virustotal.com/gui/file/e22f6a66442f8078a5da788998146208
- virustotal.com/gui/file/1163587a698afe5d88a930c006f2e1e5
- virustotal.com/gui/file/c59b518a610a000731504e0774e3051801972516
- virustotal.com/gui/file/ce48791c014501d8811887f0404e1f0660769739
Indicators and Changes
Hashes
- md5:e22f6a66442f8078a5da788998146208
- md5:1163587a698afe5d88a930c006f2e1e5
- sha1:c59b518a610a000731504e0774e3051801972516
- sha1:ce48791c014501d8811887f0404e1f0660769739
External References
Source Data
Source record: proprietary/eltima/meta.yaml