Handbrake Was Infected by a Trojan, How to Check if You Are


May 12, 2017 06:58 EST • Alexandre Vallières-Lagacé • 2 minute read • Permalink

It happened not too long ago with Transmission, the BitTorrent client: the downloadable .DMG file was replaced with another version that contained both the app and malware. This time it happened to Handbrake: if you were redirected to the download.handbrake.fr server between May 2nd and May 6th, you may have received the infected package. The server has been shut down, and here are the steps to make sure you are not infected.

If you did not download Handbrake between May 2nd and May 6th, you are safe. The trojan bundled with the infected package is called OSX.PROTON.

Detection of Infection

  • Run Activity Monitor and look for an “Activity_agent” process. If you see it, you are infected.
  • If you installed Handbrake and still have the .DMG file, AND it matches one of the following hashes, you are also infected; the “Activity_agent” process might just not be running yet.
    SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
    SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

Removal of Trojan

Open up the “Terminal” application and run the following commands:

launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist

rm -rf ~/Library/RenderFiles/activity_agent.app

If ~/Library/VideoFrameworks/ contains proton.zip, remove the folder.

Then, remove any “HandBrake.app” installs you may have and any .DMG files. Make sure you empty the Trash so you don’t accidentally reinstall it.

Now, the Bad Things

Removing the malware is not very hard and getting back to a clean status is quite easy. But what does this malware do?

We do not have much information yet, but it is strongly suggested that you change the passwords of all items in your Keychain. Yes, a big pain…

Update: it seems this malware targets source files, passwords and SSH keys in order to download software source code. At the very least, Panic was a victim of said hacker.