The malware-infected download looks similar to the real thing when it's opened. The HandBrake app inside the DMG file starts running just as you might expect, but has had extra "secret sauce" compiled into it: a "HandBrake needs to install additional codecs" prompt that should ring alarm bells.

- "Need a codec" is an old trick used by cybercrooks, so be suspicious of prompts like this on that basis alone. (Codec is a widely-used jargon term meaning coder/decoder.)
- A decent video player or converter may offer to download additional codecs, for example if you try to watch a video in some unusual format, but be wary of apps that force extra codecs on you at the start.
- A self-contained app shouldn't need your system password just so it can download extra or updated components, in the same way your browser doesn't need your password every time you initiate a download, so avoid entering your password in cases like this.

Nevertheless, it's easy to fall for a fake password dialog of this sort: both Java and Flash, for example, arrive as installers (.pkg files) rather than as self-contained apps (.app directories) like HandBrake, and both of them ask for your password at install time.

In fact, the fake password dialog comes from additional code that's been compiled into the fake HandBrake distribution: the malware app ends up installed under the innocent-sounding name of activity_agent.

If you give activity_agent your Mac password, you are authorising it to run with administrative powers, as well as to access password-protected personal information such as your Mac Keychain. (Keychain is your Mac's built-in password manager, typically storing everything from Wi-Fi keys to email and other account passwords.)

In fact, activity_agent goes after a whole raft of "digital lifestyle" data, packaging it up into a series of ZIP files that are hidden in plain sight in a directory called ~/Library/VideoFrameworks. Files that may end up stashed there so the crooks can fetch them later include:

- CR.zip: Chrome profile data, bookmarks, history, saved web data and more.
- FF.zip: Firefox history, cookies, form history, login history, and more.
- SF.zip: Safari cookies and form history.
- OP.zip: Opera login data, cookies, saved web data and more.
- GNU_PG.zip: GNU Privacy Guard passwords and more.
- proton.zip: A ZIP containing all the above ZIPs.

The OSX/Proton-A malware can also interfere with existing network and application security tools for the Mac, including LittleSnitch, Radio Silence, HandsOff and the popular network monitoring tool Wireshark, as well as killing off any open terminal windows you may have, presumably in case you're a malware researcher trying to collect run-time information about it.

Proton sets itself up to load every time you login, so if you are infected you will probably see some or all of these:

- A directory called ~/Library/RenderFiles/activity_agent.app. This is the permanently installed malware.
- A process called ~/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent. This means the malware loaded when you logged in.
- A file called ~/Library/LaunchAgents/fr.handbrake.activity_ist. This is the configuration file that tells your Mac to load the malware every time you login.
- One or more ZIP files in the directory ~/Library/VideoFrameworks, as listed above.
- A directory called /tmp/HandBrake.app. This is a temporary copy of the malware, used when it runs for the first time to install all the above-mentioned files and processes.
- A process called /tmp/Handbrake.app/Contents/MacOS/HandBrake.
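The indicator list above is easy to turn into a repeatable check. The following script is an added example, not code from the original article or from Sophos: it looks for each on-disk artefact the article names (the launch agent, the installed app bundle and its binary, the temporary /tmp copy, and the staged ZIP files) under a home directory and a temp directory that you pass in, so it can be run on the live machine or pointed at a mounted disk image. The function name, the two path parameters and the `--scan` switch are this example's own conventions.

```shell
#!/bin/sh
# Added example: check for the OSX/Proton-A on-disk indicators listed in the
# article. check_proton_indicators HOME_DIR TMP_DIR prints every indicator it
# finds and returns 0 when nothing is present, 1 when at least one path exists.
check_proton_indicators() {
    home_dir="${1:-$HOME}"
    tmp_dir="${2:-/tmp}"
    found=0

    # Persistence and installed-malware paths, exactly as named in the article.
    # The article spells the /tmp binary path with a lowercase "b"
    # (/tmp/Handbrake.app/...); the default macOS filesystem is
    # case-insensitive, so the directory spelling is used for both here.
    for path in \
        "$home_dir/Library/LaunchAgents/fr.handbrake.activity_ist" \
        "$home_dir/Library/RenderFiles/activity_agent.app" \
        "$home_dir/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent" \
        "$tmp_dir/HandBrake.app" \
        "$tmp_dir/HandBrake.app/Contents/MacOS/HandBrake"
    do
        if [ -e "$path" ]; then
            echo "INDICATOR: $path"
            found=1
        fi
    done

    # Staged exfiltration archives, from the article's list of ZIP names.
    for name in CR.zip FF.zip SF.zip OP.zip GNU_PG.zip proton.zip; do
        zip_path="$home_dir/Library/VideoFrameworks/$name"
        if [ -e "$zip_path" ]; then
            echo "INDICATOR: $zip_path"
            found=1
        fi
    done

    return $found
}

# Usage (this example's own convention):
#   sh proton_check.sh --scan                       # live host: $HOME and /tmp
#   sh proton_check.sh --scan /Volumes/img/Users/x /Volumes/img/tmp
# The script's exit status is the function's, so it can gate an automated job.
if [ "${1:-}" = "--scan" ]; then
    shift
    check_proton_indicators "$@"
fi
```

The process-level indicators (activity_agent and the temporary HandBrake copy running) are deliberately left to a separate `ps` check, because a running process is a point-in-time observation while the files above survive a reboot; the launch agent in `~/Library/LaunchAgents` is the item that matters most, since it is what brings the malware back at the next login.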