Criminals Hijack Handbrake Download Server to Distribute Proton RAT

It looks as if criminals continue to step up their game and target users of the Macintosh platform. The Handbrake application has had its online platform compromised by unknown assailants. As a result, one of the download mirrors redirected users to a version of the Proton Remote Access Trojan. It is unclear how many have been affected, but it is safe to say Macintosh users are of keen interest to criminals all over the world right now.

Proton Remote Access Trojan Distribution Changes

As most people are well aware of, malicious software usually spreads in different ways. Over the past few months, three potential distribution trends have emerged successfully. Malicious links on social media, malware-laden email attachments, and pirated peer-to-peer downloads are all primary distribution models for remote access trojans, malware, and ransomware.

Proton, a well-known Remote Access Trojan targeting Macintosh users, has found a new distribution method. Someone successfully hijacked one of the Handbrake app download mirrors and redirected it to a payload containing the Proton RAT. Interestingly enough, it appears the download mirror itself was compromised, although no one knows for sure how this was possible in the first place.

As part of this modified download mirror, the software downloaded onto a Mac computer would still appear to be the Handbrake application. Since this app is used for video conversion and transcoding, it is quite popular across all supported operating systems. However, once the user downloaded this modified version of Handbrake, they would automatically install the Proton RAT as a result.

As we would expect from a somewhat popular Remote Access Trojan, Proton can be used to cause a lot of damage. It is capable of stealing data from infected machines, provide backdoor access to a computer, or even capture login credentials for financial platforms and social media. Attackers would be given administrative access to the device they infiltrated as well. All things considered, it is a nasty piece of software no one wants to deal with

A preliminary security report shows the hijacked Handbrake download mirror was under control by the criminals for a total of four days. The issue was eventually resolved on May 6th. Anyone who downloaded Handbrake for Mac 1.0.7 during the past week may want to take a closer look at their computer and perform a thorough malware scan. Additionally, they should look for a background process called “Actiivty_Agent” and shut it down immediately.

Thankfully, BleepingComputer put together a comprehensive guide to get rid of the Proton Remote Access Trojan. It takes about three minutes to do so, and there is no third-party software needed. However, it is advised infected users change all of the passwords stored in their OSX KeyChain or browser plugins. All of this information has – most likely – been recorded and sent back to the criminals.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.