MacOS Proton backdoor delivered via Trojanized media player app
A Trojanized version of Elmedia Player software for Mac was available for download for who knows how long from the developer’s official site, ESET researchers have found.
The threat
The compromised package was made to deliver the newest version of the Proton backdoor.
After gaining persistence on a victim’s system, the malware is able to hoover up OS and browser information (history, cookies, bookmarks, login data, etc.); SSH, GnuPG, 1Password, and macOS keychain data; VPN configurations; cryptocurrency wallets (Electrum, BitcoinCore, Armory).
“In the current case of Eltima trojanized software, the attacker built a signed wrapper around the legitimate Elmedia Player and Proton. In fact, we observed what seems to be real-time repackaging and signing of the wrappers, all with the same valid Apple Developer ID,” the researchers shared.
Apple has been notified and has revoked the certificate, and is currently in the process of invalidating the Developer ID used to sign the malicious application.
Who’s in danger?
Eltima Software, the creators of the compromised application, apparently didn’t notice that something was amiss. But, after being contacted by ESET, they proceeded to pull the malicious package from their site.
They say that their infrastructure has now been cleaned up and that the Elmedia Player package currently being offered for download is clean.
Eltima is yet to offer more details about their investigation, so we don’t know for how long the malicious package was online, or by how many users it has been downloaded. They’ve also yet to put any notification about the compromise on their Web site or spread the news via social media.
“If you have downloaded that software on October 19th before 3:15pm EDT and run it, you are likely compromised,” the researchers noted.
Users can verify whether they’ve been infected by checking for the presence of com.Eltima.UpdaterAgent.plist in the System/Library/LaunchAgents/ directory. (The researchers have provided other indicators of compromise, but this one is the most visible to users who are not that tech-savvy.)
If you’ve been hit, the best way to make sure your system is thoroughly clean is to do a full OS reinstall. Also, assume that all the information mentioned above has been compromised and to take appropriate measures to invalidate it.
UPDATE (October 20, 2017):
Eltima Software has confirmed that, in addition to the Elmedia Player software, the hackers have also bundled its download manager Folx with the Proton backdoor. Both packages offered on the Web site are now clean.
“Only Elmedia Player and Folx version downloaded from our official Eltima website was infected by this malware. However, the built-in automatic update mechanism is unaffected based on the data available to our cybersecurity experts,” they noted. “If you downloaded Elmedia Player or Folx on the 19th of October 2017, your system is likely affected.”
They backed ESET researchers’ advice to affected users: “A total system OS reinstall is the only guaranteed way to totally rid your system of this malware.”