A popular media encoding program, HandBrake, has been compromised: attackers broke into one of the software's download servers and used it to push malware that stole victims' passwords, including the contents of password vaults and the credentials used to decrypt them.
According to the developers of the software, anyone who downloaded it between May 2 and May 6 has a 50/50 chance of having their system infected by the Trojan.
Downloads made between these dates may contain the Proton malware, which creates a backdoor on infected machines; at the time, none of the major anti-virus products could detect it.
“Anyone who has installed HandBrake needs to verify the SHA1/256 sum of the file before running it,” the developers stated.
How to Figure Out if I’m Infected?
You’ll need to check the SHA1 and SHA256 hashes for the HandBrake-1.0.7.dmg file.
Fire up your Terminal app which can be found in the Utilities folder under the Applications folder.
You'll either need to type the path to the .dmg file or drag the file onto the Terminal window — this inserts its path automatically.
If either value returned matches the hashes mentioned below, then your machine is infected.
How to Get Rid of the Malware?
The infected copy of the software prompts for the user's admin username and password; once entered, these are sent to the attackers' servers. The malware also uploads several sensitive user files to the attackers' server.
“These files contain a number of bits of data to be exfiltrated from the machine, such as browser data (including stored form auto-fill data), keychains, and even 1Password vaults,” Thomas Reed, Security Researcher at Malwarebytes noted.
If the SHA1 hash matches the one mentioned above, delete the .dmg file and any other HandBrake application files, then scan your machine for the OSX.Proton malware.
It’s also a good idea to change the passwords stored in your browsers or password vaults after removing the files, scanning and rebooting your system.
Note that only the download mirror — download.handbrake.fr — has been affected and has been shut down for the time being as the team rebuilds the entire site.
The primary download mirror and website are unaffected and software downloads are available there.