Elmedia Player and Folx installers infected by OSX/Proton credential-stealing malware on O...

Posted:
in Mac Software edited October 2017
Popular media player Elmedia Player and download manager Folx were both briefly infected with the Proton malware strain; most installers of the two applications downloaded on Oct. 19 are believed to be infected.

Researchers from security firm ESET reported on Friday that the free Elmedia Player installer had been compromised with the malware for a period of time on Oct. 19. The malware piggybacked on the legitimate installer, much as malware rode in on installs of the media transcoding tool Handbrake in May, but this time it was signed with a legitimate Apple developer ID certificate.

The binary substituted for the legitimate one was signed by a developer ID with the name "Clifon Grimm." The provenance of the ID is unclear, but it was legitimate before Apple revoked the certificate.

Users who downloaded the installers and executed them on Oct. 19 before 3:15 PM are "likely compromised" according to ESET. It is not clear how many users were infected.

"As with any compromise with an administrator account, a full OS reinstall is the only sure way to get rid of the malware," wrote ESET. "Victims should also assume that the secrets ... are compromised and take appropriate measures to invalidate them."

Secrets listed by ESET include operating system data including System Integrity Protection status and some location information, a wide array of browser data including cookies and login data, cryptocurrency wallets, SSH private data, macOS Keychain data, 1Password data, and a list of installed applications.

The full installers for Elmedia Player and Folx were contaminated with the malware. Applications updated through the built-in mechanism during the time period in question are apparently unaffected.

The presence of any or all of the following files indicates an attack by OSX/Proton:

/tmp/Updater.app/
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand/
/Library/.rand/updateragent.app/

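
For anyone triaging a Mac against the file indicators just listed, the following POSIX sh check is an added example written for this page, not a tool from ESET or Eltima; it assumes only the four paths above and takes an optional root prefix so the same check can be run against a mounted disk image or a test tree.

```shell
#!/bin/sh
# Added triage check (not part of the article or of ESET's tooling): looks for
# the four OSX/Proton file indicators the article lists. ROOT is an optional
# prefix so the check can run against a mounted disk image or a test tree.

PROTON_IOCS='/tmp/Updater.app
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand
/Library/.rand/updateragent.app'

# Report each indicator present under ROOT on stderr; print the count on stdout.
proton_ioc_count() {
    root="${1:-}"
    n=0
    for p in $PROTON_IOCS; do
        # -e also matches hidden directories such as /Library/.rand
        if [ -e "${root}${p}" ]; then
            printf 'FOUND: %s\n' "${root}${p}" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Return 0 when the tree is clean, 1 when at least one indicator is present.
proton_ioc_check() {
    root="${1:-}"
    n=$(proton_ioc_count "$root")
    if [ "$n" -eq 0 ]; then
        echo "no OSX/Proton indicators under '${root:-/}'" >&2
        return 0
    fi
    echo "$n OSX/Proton indicator(s) under '${root:-/}'; assume compromise" >&2
    # The LaunchAgent plist is the persistence hook; show what it would launch.
    plist="${root}/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist"
    [ -f "$plist" ] && cat "$plist" >&2
    return 1
}

# Run the scan only when invoked as: sh proton_check.sh --scan [ROOT]
case "${1:-}" in
    --scan) shift; proton_ioc_check "${1:-}" ;;
esac
```

A non-zero exit means an indicator was present; per ESET's advice above, treat the machine as compromised rather than just deleting the files.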
"Proton" is a remote access trojan (RAT) aimed at macOS systems. Written in Objective C, allowing it to run without any dependencies, the malware is marketed by the creator as a "professional FUD surveillance and control solution, with which you can do almost everything with (a) target's Mac."

With root privileges, the list of potential actions includes keylogging, uploading and downloading files, taking screenshots, webcam access, and SSH and VNC connectivity. The malware is also claimed to be able to present victims with a custom window, which could be used to request extra information such as a credit card number.

Previously, the tool cost 100 bitcoins ($126,000 at the time) to acquire, with a license for unlimited installations, but criticism from others prompted a reduction to 40 bitcoins ($50,400) for unlimited installations, or 2 bitcoins ($2,512) for a single installation.

Comments

  • Reply 1 of 10
    tzm41 Posts: 95 member
    Would current security software packages like Symantec be able to detect this and prevent it from running?
  • Reply 2 of 10
    tzm41 said:
    Would current security software packages like Symantec be able to detect this and prevent it from running?
    You don't need any security package to be installed on macOS, just update to the latest version of macOS which is High Sierra, don't disable Gatekeeper, do not install programs other than from the App Store, get scared by every authorization request and you will survive. Such malware is installed upon the user's explicit acceptance. They request authorization, for example, for installing "required codecs". The user, believing that the application comes from a legitimate source, accepts without thinking. Even if the application is from a reliable and trusted source, it may be cracked to install malware during distribution. That is what happened with Handbrake. So the lesson is, unless you're an experienced Mac user, don't install any application on your Mac except from the App Store and the very few well-known big software developers.
  • Reply 3 of 10
    dysamoria Posts: 3,430 member
    I hate installers and OS architectures that require them.
  • Reply 4 of 10
    tzm41 said:
    Would current security software packages like Symantec be able to detect this and prevent it from running?
    Yes, Symantec detects it as do many other AV products.

    Here's an analysis from when it compromised Handbrake:

    https://virustotal.com/en/file/013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793/analysis/

  • Reply 5 of 10
    Popular?  I've never even heard of "Elmedia Player" nor Folx for that matter.  It's on sale on the Mac App store for $9.99 and is normally $19.99.  Was the copy from the App Store impacted or was it just the free download from the Elmedia website?  Seems to be Russian software...
  • Reply 6 of 10
    Mike Wuerthele Posts: 6,837 administrator
    Popular?  I've never even heard of "Elmedia Player" nor Folx for that matter.  It's on sale on the Mac App store for $9.99 and is normally $19.99.  Was the copy from the App Store impacted or was it just the free download from the Elmedia website?  Seems to be Russian software...
    App Store version remains safe. Just the download from the Elmedia website.
  • Reply 7 of 10
    dysamoria Posts: 3,430 member
    Popular?  I've never even heard of "Elmedia Player" nor Folx for that matter.  It's on sale on the Mac App store for $9.99 and is normally $19.99.  Was the copy from the App Store impacted or was it just the free download from the Elmedia website?  Seems to be Russian software...

    I've never heard of either piece of software myself, though whether it's Russian or not is inconsequential. 
  • Reply 8 of 10
    tzm41 said:
    Would current security software packages like Symantec be able to detect this and prevent it from running?
    You don't need any security package to be installed on macOS, just update to the latest version of macOS which is High Sierra, don't disable Gatekeeper, do not install programs other than from AppStore, get scared from every authorization request and you will survive. Those malware are installed upon user's explicit acceptance. They request authorization for example for installing "required codecs". The user believing that the application comes from a legitimate source accepts without thinking. Even if the application is from a reliable and trusted source, it may be cracked to install malware during distribution. That is what happened with Handbrake. So the lesson is, unless you're an experienced Mac user, don't install any application on your Mac except from AppStore and the very few well-known big software developers.
    Was Handbrake really signed by any developer? No it was not. If it had been, then the hacker modifications made to the copy on the one infected mirror site would have not launched (unless the hackers "re-signed" their infected version with some other developer's ID as is reported was done in the Eltima hack).

    What happened here was some Apple developer's credentials were used to re-sign/vouch for infected code, and everyone who was infected has a legal cause of action against the former trustee of that developer certificate, as does Apple.
    edited October 2017
  • Reply 9 of 10
    maestro64 Posts: 5,043 member
    This is also why I use Little Snitch. Not that I would install malware on purpose; I do not install things unless I know specifically where the software came from. Little Snitch would not allow this program internet access without warning me that a program I did not specifically grant internet access to is trying to gain access. You would be amazed at the number of programs that try to access the internet these days. I block most of them.
  • Reply 10 of 10
    In close cooperation with ESET and Apple representatives, we have applied all necessary measures to prevent further malware spread.

    Now we officially inform that Elmedia, Folx, as well as our other products are absolutely safe to install and malware-free.