HandBrake App Hit with Malware – Mac Users Warned

Hackers reportedly gained access to a download server for a  media encoding software also known as HandBrake and used it to deliver stealthy malware that can gain access to a user’s password keychain, password vaults, and other personal information, security analysts reported on Monday.

Over the course of four days, a download mirror located at download.handbrake.Fr delivered a version of the DVD ripping and video conversion software that contained a type of malware known as Proton.

HandBrake developers issued a warning over the weekend that the malware was being distributed to Mac users. Moreover, none of the most popular antivirus services were able to detect it, according to security researcher Patrick Wardle, who reported his results here.

Apparently, the malicious download was opened and directed users to enter their Mac admin password, which was then uploaded to a text file to a server controlled by the hackers. Once installed, the malware can access sensitive and private data.

Thomas Reed, the director of Mac offerings at antivirus service Malwarebytes, explained, “These files contain a number of bits of data to be exfiltrated from the machine, such as browser data (including stored form auto-fill data), keychains, and even 1Password vaults.”

Reed added, “Since the user’s password was phished previously, that can be used to unlock the keychains, and either it or other passwords found in the keychain may be able to unlock other encrypted files.”

Reed also advised people to never store their master password for their password manager in their keychain and to make sure it is a unique and secure password.

HandBrake explained the hacked mirror site was one of two servers used to distribute the application. Because the other site was not compromised, people who downloaded the application from May 2nd to May 6th had a 50% chance of downloading a virus.

What is Proton?

Proton is a professionally developed Mac malware that sells for over $60,000 on the dark-Web. The malware has a broad range of features including keylogging, remote login access, the ability to take and upload webcam videos, screenshot images and gain access to private files.