Hackers Distribute Malware-Infected Media Player to Hundreds of Mac Users

Yet another software supply-chain attack hits popular applications.

Hackers managed to compromise the website of a company that develops several popular apps for Apple computers, distributing malware-infected versions of those apps to hundreds of users.

Security researchers from antivirus firm ESET reported Friday that the free version of Elmedia Player distributed from Eltima Software's website contained a macOS information-stealing trojan known as OSX/Proton. The same malware was distributed earlier this year through a trojanized version of another popular macOS application, HandBrake.

Eltima told me in an email that hackers also managed to trojanize one of the company's other applications, an internet download manager called Folx that also acts as a BitTorrent client.

The Proton malware is capable of stealing a lot of data from infected computers, including history, cookies, bookmarks, and log-in data from browsers; cryptocurrency wallets; SSH authentication keys; macOS keychain data; Tunnelblick VPN configuration data; PGP encryption keys; and data stored in 1Password, a password management application.

Elmedia Player has 1 million users as of August, according to Eltima. The company provides free and paid versions of its software programs and distributes them through its website and through the Mac App Store.

Only the installers for Elmedia Player and Folx downloaded by users from the company's website contained the Proton trojan, an Eltima spokeswoman told me. "The built-in automatic update mechanism [of the applications] seems to be unaffected."

The security breach happened Thursday and was discovered relatively quickly by ESET, which reported the incident to the software developer. The malicious installers were available on Eltima's website for around 24 hours and were downloaded by almost 1,000 users.

"Users who downloaded and executed the software on October 19 before 3:15 PM EDT, are likely compromised," the ESET researchers said.

On Friday morning, Eltima announced that both apps are now "safe to install and malware-free."

The attackers don't appear to have compromised the company's development infrastructure, as happened recently with the developer of a Windows application called CCleaner. Instead, the hackers just managed to hack into Eltima's website through a vulnerability in a JavaScript-based library called TinyMCE.

The malicious installers were not digitally signed with Eltima's Apple developer certificate, but with a different developer ID under the name Clifton Grimm. It's not clear if this certificate was obtained from Apple by using a fake identity or if it was stolen from another developer.

Gatekeeper, Apple's first line of defense against malware, allows signed binaries to execute without warning by default, Patrick Wardle, director of research at Synack and a macOS security expert, told me in a Twitter direct message. Because of this, most Mac malware is now signed with stolen or fraudulently obtained Apple developer IDs, with the latter being much more likely, he said.

"It appears Apple has a problem with ensuring only legitimate developer IDs are given out," Wardle said.

Apple revoked the misused Clifton Grimm certificate after being alerted by ESET and Eltima, but users who downloaded and executed the rogue Elmedia Player and Folx installers before this happened didn't get a Gatekeeper warning.

At installation, Proton displays a fake password authorization window in order to gain system administrator privileges. It's not unusual for legitimate applications to request such access, so users might easily be tricked into inputting their password.

There is some evidence that this new attack might have been perpetrated by the same attackers who compromised a legitimate download server for the HandBrake video converter application in May and distributed a malicious version of that program to macOS users.

In both cases, the trojanized installers infected computers with Proton and in both cases the malware's command-and-control servers used domain names similar to those of the compromised software. The difference is that the rogue HandBrake installer was not digitally signed, meaning that users would have had to override Gatekeeper manually in order to install it.

To determine if they've been infected, users can search their systems for the presence of the following files or directories: /tmp/Updater.app/, /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist, /Library/.rand/ and /Library/.rand/updateragent.app/. If any of them exist, Proton was installed, according to ESET.
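The check ESET describes, together with the signer name reported earlier in the article, can be scripted as below. This is an added example, not code from ESET, Eltima or the original article; the function names and the optional root argument (for scanning a mounted backup or disk image instead of the live system) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: look for the Proton artifacts listed by ESET and for the
# developer ID name the article says signed the rogue installers.

# Indicator paths exactly as given in the article (trailing slashes dropped).
PROTON_IOCS='/tmp/Updater.app
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand
/Library/.rand/updateragent.app'

# Print each indicator path that exists under ROOT (hypothetical parameter;
# empty means the live system). Exit status 0 = at least one indicator found.
proton_ioc_scan() {
    root="${1:-}"
    found=1
    while IFS= read -r p; do
        if [ -e "${root}${p}" ]; then
            printf '%s\n' "$p"
            found=0
        fi
    done <<EOF
$PROTON_IOCS
EOF
    return $found
}

# Read `codesign -dvv` output on stdin and succeed if an Authority line
# names the signer reported in the article.
signer_is_clifton_grimm() {
    grep '^Authority=' | grep -q 'Clifton Grimm'
}

# Stand-alone use: sh proton_check.sh --scan [ROOT] [APP_BUNDLE]
if [ "${1:-}" = "--scan" ]; then
    if proton_ioc_scan "${2:-}"; then
        echo "Proton indicators present: treat the host as compromised."
    else
        echo "No listed Proton indicators found."
    fi
    # codesign writes its details to stderr, hence 2>&1.
    if [ -n "${3:-}" ] && command -v codesign >/dev/null 2>&1; then
        codesign -dvv "$3" 2>&1 | signer_is_clifton_grimm &&
            echo "Bundle is signed with the developer ID named in the article."
    fi
fi
```

A clean result only means these four paths are absent; it does not prove a machine that ran the installer during the exposure window is uninfected.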

"As with any compromise with an administrator account, a full OS reinstall is the only sure way to get rid of the malware," the ESET researchers said. "Victims should also assume that the secrets outlined in the previous section are compromised and take appropriate measures to invalidate them."

Software supply-chain attacks pose a very serious danger because they abuse the existing trust relationship between users and software developers. These attacks can happen in several ways and can be very hard to detect and prevent.

Attackers recently managed to distribute infected versions of CCleaner—a Windows system optimization tool—to over 2.2 million users after hacking into the program developer's infrastructure. Last year, attackers hacked into the website of the popular open-source Transmission BitTorrent client on two separate occasions and distributed infected installers to macOS users.

In order to compromise Macs, attackers need a way to get malicious applications onto them, and hacking into a legitimate developer's website to surreptitiously trojanize a popular app is a great way to achieve this, Wardle said. We've seen attackers use this mechanism before, so it won't be surprising if they continue to rely on this attack vector, he said.

Got a tip? You can contact this reporter at lucian@constantinsecurity.com and use this PGP key for encrypted email.