Hackers infect Mac users with Proton malware using Elmedia Player

It is widely believed that Apple devices are immune to the growing volume of malware and other cyber attacks, but the reality is far from it. In the latest campaign, cybercriminals infected hundreds of Mac users with Proton malware by compromising the download of Elmedia Player.

According to IT security researchers at ESET, the attackers replaced the free Elmedia Player installer offered on the developer Eltima's own website with a copy carrying Proton malware, which Mac users then downloaded without triggering any warning.

Proton malware was first spotted earlier this year being sold on the Dark Web for 40 BTC (USD 41,891 at the time of sale). Proton can take full control of a targeted device; its advertised feature list includes keylogging, "observers" with SMS notifications, SSH/VNC tunnelling through a VPS, webcam and screen surveillance, file upload and download, and, for buyers, premium customer support.

Besides Elmedia Player, the attackers also trojanized Eltima's Folx download manager with the same malware. In a blog post, Eltima acknowledged the attack and stated that:

“On the 19th of October 2017 we were informed by a malware research company, ESET, that our servers have been hacked and our apps, namely Folx and Elmedia Player DMG files, are distributed with malware.”

[…] 

“Only the Elmedia Player and Folx versions downloaded from our official Eltima website were infected by this malware. However, the built-in automatic update mechanism is unaffected, based on the data available to our cybersecurity experts.”

Anyone who downloaded Elmedia Player or Folx from Eltima's website on 19 October 2017 should assume their system is infected with Proton. The bad news is that the only reliable remedy is a full OS reinstall; and since Proton logs keystrokes, any credentials typed on the machine since the download should be treated as compromised. The good news is that Apple has already revoked the misused "Clifton Grimm" developer certificate, so macOS will no longer trust anything signed with it, although revocation does nothing to clean a machine that is already infected. To check whether your system is infected, look for the following files and directories; the presence of any one of them indicates compromise:

/tmp/Updater.app/
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand/
/Library/.rand/updateragent.app/
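
As an added example (not code from the article, ESET or Eltima), the POSIX shell script below automates that check against the four paths listed above. It assumes an optional root-prefix argument, defaulting to the live system, so the same script can be pointed at a suspect Mac's volume mounted from a clean machine.

```sh
#!/bin/sh
# Added example: check a Mac for the OSX/Proton indicators of compromise
# listed in the article. Not code from ESET, Eltima or the article author.
# Assumption: an optional root prefix (e.g. "/Volumes/Macintosh HD") may be
# given so the scan runs against a volume mounted from a clean machine;
# with no argument the live system is scanned.

# The four paths from the article. The plist under /Library/LaunchAgents is
# loaded by launchd at login, so it is the persistence mechanism; the hidden
# /Library/.rand directory holds the agent it launches.
proton_iocs() {
    cat <<'EOF'
/tmp/Updater.app
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand
/Library/.rand/updateragent.app
EOF
}

# Print every indicator that exists under the given root prefix, one per line.
find_proton_iocs() {
    root="${1:-}"
    proton_iocs | while IFS= read -r p; do
        # -e follows symlinks, so /tmp -> /private/tmp on macOS is handled.
        if [ -e "${root}${p}" ]; then
            printf '%s\n' "${root}${p}"
        fi
    done
}

# Number of indicators present under the root prefix (0 on a clean system).
count_proton_iocs() {
    find_proton_iocs "$1" | awk 'END { print NR }'
}

# Human-readable report. Returns 0 when no indicator is found, 1 otherwise.
# Absence of these paths is not proof of a clean system: a later build of the
# malware could use different names, so anyone who installed the affected
# downloads should still reinstall the OS as the article advises.
check_proton() {
    root="${1:-}"
    hits=$(find_proton_iocs "$root")
    if [ -z "$hits" ]; then
        echo "No OSX/Proton indicators found under '${root:-/}'."
        return 0
    fi
    printf '%s\n' "$hits" | sed 's/^/FOUND: /'
    echo "Treat this Mac as compromised: reinstall macOS and rotate any credentials typed on it."
    return 1
}

check_proton "$@"
```

Run it as `sh proton_check.sh` on the Mac itself, or as `sh proton_check.sh "/Volumes/Macintosh HD"` against a volume mounted from a known-clean machine; the exit status (0 clean, 1 indicators found) makes it easy to sweep a fleet over SSH.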

The same malware was distributed in May this year through a compromised HandBrake download mirror after attackers broke into its server. In a similar incident last month, hackers backdoored version 5.33 of CCleaner, the Windows system-cleaning utility made by Piriform, a subsidiary of anti-virus giant Avast, infecting over two million users who downloaded it.

This kind of attack is called a “supply-chain attack”: instead of attacking users directly, the adversary compromises a trusted vendor's distribution channel so that victims install the malware themselves, along with the software they wanted.

Mac users are highly advised not to download software and apps from third-party sites and to avoid installing unnecessary apps; as this incident shows, even a vendor's official download page can be compromised, so every extra app is extra exposure. Remember what former National Security Agency (NSA) chief Michael Hayden recounted at a conference: he and his wife were in an Apple store in Virginia when a salesman approached and raved about the iPhone, saying that there were already “400,000 apps” for the device. Hayden, amused, turned to his wife and quietly asked: “This kid doesn’t know who I am, does he? Four-hundred-thousand apps mean 400,000 possibilities for attacks.”

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.