Open Source · 2017-05-02 · 4 days · Data Exfiltration

HandBrake mirror delivered Proton RAT

An official HandBrake download mirror, download.handbrake.fr, was compromised while hosting the macOS release.

Story

HandBrake's 2017 incident hit a download mirror, not the source tree. Between May 2 and May 6, the download.handbrake.fr mirror served a trojanized HandBrake-1.0.7.dmg for macOS. The main site stayed legitimate, but the mirror was an official download path that users had every reason to trust, and that was enough.

The replacement package carried OSX/Proton.B. The malware installed a component named activity_agent, decrypted its strings from a .hash resource, prompted the user for a password under the cover of installing codecs, and then used that password to obtain higher privileges.

Proton was built for control and theft. Public analysis described keylogging, password and keychain theft, browser credential theft, file exfiltration, screenshots, remote shell, and remote access capabilities. HandBrake told affected users to change passwords stored in macOS Keychain and browsers.

The project said users who downloaded during the window had about a fifty percent chance of infection, because not every download was served from the compromised mirror. Built-in updates from HandBrake 1.0 and later were reported safe because the updater's verification would reject the malicious file.

Affected Artifacts

handbrake · download.handbrake.fr · Binary Archive
Observed
2017-05-02 to 2017-05-06
Compromised Versions
Fixed
Not listed
Hashes
  • sha256:0935a43ca90c6c419a49e4f8f1d75e68cd70cb90b79306ce0cc7af2716aaa377
  • sha1:32176407013738cb03959d0945993c13373f9590
  • sha256:013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

Incident Context

Motive: Credential Theft
Attribution: Group
Cause: Compromised Infrastructure
Transitive: No
Actor: Cybercriminal Gang

External References

Source record: oss/attacks/handbrake/meta.yaml