Eltima downloads served Proton RAT
Eltima's official macOS downloads for Elmedia Player and Folx were replaced with Proton RAT wrappers. The malware stole secrets and left a backdoor.
Story
For one day in October 2017, Eltima's public download path served trojanized installers. Users who fetched Elmedia Player or Folx from the official site received macOS disk images in which the legitimate application had been bundled with OSX/Proton. The built-in automatic update mechanism was not reported affected; as reported, the exposure was limited to fresh downloads from the website.
ESET confirmed the poisoned downloads on October 19, notified Eltima at 10:35 EDT, and saw the site serving clean packages again by 15:15 EDT. The malicious wrappers were signed with an Apple Developer ID issued to Clifton Grimm, not to Eltima; a valid Developer ID signature satisfied Gatekeeper, so the signer's name, not the signature's validity, was the tell. Apple revoked that certificate.
The trojanized bundle's main executable (Contents/MacOS/Elmedia Player) launched the real application as cover, then unpacked Proton from a hidden archive inside the bundle (Contents/Resources/.pl.zip) into /tmp/Updater.app and ran it. Proton asked for the administrator password through a fake authorization prompt, which it needed in order to write outside the user's home directory: it installed /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist for persistence and placed its updater under /Library/.rand/. The technique was direct: keep the user-visible behaviour normal and persist below it. The unexpected password prompt was the only visible sign that something was wrong.
Proton was built to steal. Public analyses describe it collecting browser credentials and cookies, macOS keychain data, 1Password vaults, SSH private keys, GnuPG files, VPN configurations, cryptocurrency wallets and system information, and providing a remote shell, file upload and download, and arbitrary command execution. Because the implant ran with administrator rights and the keychain was among its targets, reinstalling the operating system and rotating every secret that lived on the machine were the practical recovery steps for infected Macs.
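The triage script below is an added example and is not code from the record, from Eltima or from ESET. It checks a Mac for the persistence artifacts and the hidden payload archive named in this record, compares a downloaded disk image against the md5 and sha1 digests listed under Affected Artifacts and Indicators, and on macOS prints the code-signing authority so the Developer ID name can be compared with the vendor's. The PREFIX variable, the `scan` argument and the function names are this example's own assumptions; PREFIX lets the same checks run against a mounted image or a test tree instead of the live root.

```shell
#!/bin/sh
# Triage helper for the Eltima/Proton wrapper described above. Added example; not code
# from Eltima, ESET or the record. Indicators are the ones this page lists; PREFIX is an
# assumption so the scan can be pointed at a mounted image or a test tree instead of /.

PREFIX="${PREFIX:-}"

# Persistence artifacts the wrapper leaves behind (from the Evidence fields on this page)
PROTON_PATHS="
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand
/tmp/Updater.app
"

# Digests of the two trojanized disk images (Affected Artifacts and Indicators on this page)
PROTON_MD5="e22f6a66442f8078a5da788998146208 1163587a698afe5d88a930c006f2e1e5"
PROTON_SHA1="c59b518a610a000731504e0774e3051801972516 ce48791c014501d8811887f0404e1f0660769739"

# Portable digest helpers: macOS ships md5/shasum, Linux ships md5sum/sha1sum
file_md5() {
  if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
  else md5 -q "$1"; fi
}
file_sha1() {
  if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | cut -d' ' -f1
  else shasum -a 1 "$1" | cut -d' ' -f1; fi
}

# Returns 0 when none of the persistence artifacts exist under $PREFIX, 1 when any do
check_persistence() {
  found=0
  for p in $PROTON_PATHS; do
    if [ -e "$PREFIX$p" ]; then
      echo "FOUND persistence artifact: $PREFIX$p"
      found=1
    fi
  done
  return $found
}

# Returns 1 if an app bundle carries the hidden archive the wrapper extracted Proton from
check_app_bundle() {
  if [ -e "$1/Contents/Resources/.pl.zip" ]; then
    echo "FOUND embedded payload: $1/Contents/Resources/.pl.zip"
    return 1
  fi
  return 0
}

# Returns 1 if a downloaded disk image matches one of the known-bad digests
check_download() {
  m=$(file_md5 "$1")
  s=$(file_sha1 "$1")
  for h in $PROTON_MD5; do
    [ "$m" = "$h" ] && { echo "MATCH md5 $h: $1"; return 1; }
  done
  for h in $PROTON_SHA1; do
    [ "$s" = "$h" ] && { echo "MATCH sha1 $h: $1"; return 1; }
  done
  echo "no known-bad digest: $1"
  return 0
}

# macOS only: print the Authority chain so the Developer ID name can be compared with
# the vendor (the wrappers were signed as "Clifton Grimm", not Eltima)
app_signer() {
  if ! command -v codesign >/dev/null 2>&1; then
    echo "codesign not available on this host" >&2
    return 2
  fi
  codesign -dv --verbose=2 "$1" 2>&1 | grep '^Authority='
}

# Usage: sh proton_triage.sh scan [/path/to/download.dmg ...]
if [ "${1:-}" = "scan" ]; then
  shift
  check_persistence || true
  for dmg in "$@"; do check_download "$dmg" || true; done
fi
```

A clean result only means these particular indicators are absent. A host that ever ran the wrapper and answered its password prompt should still be treated as the story above describes: reinstall the operating system and rotate the secrets that were on it.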
Affected Artifacts
- Artifact: Elmedia Player disk image (elmediaplayer.dmg)
  - Observed: 2017-10-19
  - Compromised versions: Unknown
  - Fixed: Not listed
  - Hashes: md5:e22f6a66442f8078a5da788998146208
  - Evidence: distribution: mac.eltima.com/download/elmediaplayer.dmg, distribution: elmedia-video-player.com/download/elmediaplayer.dmg, file: Elmedia Player.app/Contents/Resources/.pl.zip, file: Elmedia Player.app/Contents/MacOS/Elmedia Player, +8 more
- Artifact: Folx disk image (downloader_mac.dmg)
  - Observed: 2017-10-19
  - Compromised versions: Unknown
  - Fixed: Not listed
  - Hashes: md5:1163587a698afe5d88a930c006f2e1e5
  - Evidence: distribution: mac.eltima.com/download/downloader_mac.dmg, file: /tmp/Updater.app/, file: /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist, file: /Library/.rand/, +17 more
Incident Context
- Motive: Financial gain, data theft
- Attribution: Group
- Cause: Server compromise
- Transitive: No
- Actor: Cybercriminal gang
Indicators
- Location (mirror): welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia
- Location (mirror): virustotal.com/gui/file/e22f6a66442f8078a5da788998146208
- Location (mirror): virustotal.com/gui/file/1163587a698afe5d88a930c006f2e1e5
- Location (mirror): virustotal.com/gui/file/c59b518a610a000731504e0774e3051801972516
- Location (mirror): virustotal.com/gui/file/ce48791c014501d8811887f0404e1f0660769739
- Hash (sha1): c59b518a610a000731504e0774e3051801972516
- Hash (sha1): ce48791c014501d8811887f0404e1f0660769739
External References
- Elmedia Player and Folx malware threat Neutralized! (mac.eltima.com)
- Eltima Website Hacked to Spread Proton RAT With Popular Video Player App (bleepingcomputer.com)
- Security breach Eltima October 2017 (web.archive.org)
- Hackers Distribute Malware-Infected Media Player to Hundreds of Mac Users (vice.com)
- Trojan malware for Mac OSX spread via compromised media player downloads (zdnet.com)
- Eltima Software's Elmedia Player and Folx Infected With Malware (macrumors.com)
- Mac malware OSX.Proton strikes again (malwarebytes.com)
Source record: proprietary/eltima/meta.yaml