Supply Chain Attack Spreads macOS RAT

Proton, a remote access tool (RAT) that emerged in early 2017, has once again compromised a legitimate software’s distribution channel to spread, ESET warns.

Discovered in March this year, Proton was designed to execute any bash command under root, monitor keystrokes, upload/download files to/from the victim’s machine, grab screenshots or webcam captures, get updates, and also send notifications to the attacker. It can also help the attacker connect via SSH/VNC to the target machine.

In May, the malware’s operators managed to compromise a download mirror of the popular video converting tool HandBrake and configured it to distribute the RAT via a trojanized version of the legitimate app.

Now, the attackers were able to hack Eltima, the maker of the Elmedia Player software, and replaced the legitimate application binaries available for download with trojanized versions. As a result, Eltima ended up distributing the OSX/Proton malware via its official website.

The attack was observed on Thursday, October 19, and Eltima was able to clean the infected application binaries within hours of being informed of the incident, ESET says.

All users who downloaded the Elmedia Player software recently should check their systems for possible compromise. To do so, they should check for the presence of the following files or directories: /tmp/Updater.app/, /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist, /Library/.rand/, and /Library/.rand/updateragent.app/.

“If any of them exists, it means the trojanized Elmedia Player application was executed and that OSX/Proton is most likely running,” ESET notes.
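The check ESET describes can be scripted so it gives a clear clean/infected result and can also be run against a mounted disk image rather than the live system. The script below is an added example written for this article, not ESET's or Eltima's tooling; the only indicators it looks for are the four paths named above, and the optional root-prefix argument is an assumption added to allow scanning an offline volume or a test directory tree.

```sh
#!/bin/sh
# Check for the OSX/Proton indicators ESET published for the trojanized
# Elmedia Player. Added example; not part of the original article or ESET's tooling.

# The four paths from ESET's advisory. None contains whitespace, so the plain
# space-separated list is safe to word-split in a for loop.
PROTON_IOC_PATHS="/tmp/Updater.app \
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist \
/Library/.rand \
/Library/.rand/updateragent.app"

# proton_ioc_scan [ROOT]
#   ROOT is an optional prefix (assumption added for this example) so the same
#   check can run against a mounted image or a test tree instead of "/".
#   Prints "FOUND: <path>" for each indicator present.
#   Returns 0 when none of the indicators exist, 1 when at least one does.
proton_ioc_scan() {
    root="${1:-}"
    found=0
    for p in $PROTON_IOC_PATHS; do
        # -e matches both files (the .plist) and directories (the .app bundles).
        if [ -e "${root}${p}" ]; then
            echo "FOUND: ${root}${p}"
            found=1
        fi
    done
    return "$found"
}

# Stand-alone use: scan the live system, or pass a mount point as the first argument.
if proton_ioc_scan "${1:-}"; then
    echo "No OSX/Proton indicators found"
else
    echo "Indicator(s) present: the trojanized Elmedia Player likely ran and OSX/Proton may be active"
fi
```

Because the LaunchAgent plist lives under /Library (system-wide) rather than a user's home, the check needs no per-user iteration; run it once per volume. Finding any indicator means the trojanized installer executed, so the affected machine should be treated as compromised and the credentials listed later in this article rotated.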

Apparently only the application version downloaded through the company’s website was compromised; the version distributed through the built-in automatic update mechanism is reported to be unaffected.

Once installed on a compromised machine, the malware can steal operating system details, browser information from Chrome, Safari, Opera, and Firefox (including history, cookies, bookmarks, and login data), cryptocurrency wallets (Electrum, Bitcoin Core, and Armory), SSH private data, macOS keychain data, Tunnelblick VPN configuration, GnuPG data, 1Password data, and a list of all installed applications.

Proton’s operators aren’t the only cybercriminals attempting to infect users via supply chain attacks. Last year, the Mac BitTorrent client Transmission was hacked twice to spread the OSX/KeRanger ransomware and the OSX/Keydnap password stealer, respectively.

Another incident of global impact was the compromise of the updater process of tax accounting software MEDoc to distribute the NotPetya wiper. Spreading fast to organizations worldwide, the attack resulted in millions of dollars in losses, as some organizations were unable to recover data following the incident.

Related: Software Download Mirror Distributes Mac Malware

Related: macOS RAT Uses 0-Day for Root Access

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
