Security Experts:

Connect with us

Hi, what are you looking for?



Supply Chain Attack Spreads macOS RAT

Proton, a remote access tool (RAT) that emerged in early 2017, has once again compromised a legitimate software’s distribution channel to spread, ESET warns.

Proton, a remote access tool (RAT) that emerged in early 2017, has once again compromised a legitimate software’s distribution channel to spread, ESET warns.

Discovered in March this year, Proton was designed to execute any bash command under root, monitor keystrokes, upload/download files to/from the victim’s machine, grab screenshots or webcam captures, get updates, and also send notifications to the attacker. It can also help the attacker connect via SSH/VNC to the target machine.

In May, the malware’s operators managed to compromise a download mirror of the popular video converting tool HandBrake and configured it to distribute the RAT via a trojanized version of the legitimate app.

Now, the attackers were able to hack Eltima, the makers of the Elmedia Player software, and replaced the legitimate application binaries available for download with trojanized iterations. Thus, Eltima ended up distributing the OSX/Proton malware via their official website.

The attack was observed on Thursday, October 19, and Eltima was able to clean the infected application binaries within hours after being informed on the incident, ESET says.

All users who downloaded the Elmedia Player software recently should check their systems for possible compromise. For that, they should verify for the presence of the following files or directories: /tmp/, /Library/LaunchAgents/com. Eltima.UpdaterAgent.plist, /Library/.rand/, and /Library/.rand/

“If any of them exists, it means the trojanized Elmedia Player application was executed and that OSX/Proton is most likely running,” ESET notes.

Apparently only the application version downloaded through the company’s website was compromised, while the version distributed through the built-in automatic update mechanism was supposedly unaffected.

Once installed on a compromised machine, the malware can steal operating system details, browser information from Chrome, Safari, Opera, and Firefox (including history, cookies, bookmarks, and login data), cryptocurrency wallets (Electrum, Bitcoin Core, and Armory), SSH private data, macOS keychain data, Tunnelblick VPN configuration, GnuPG data, 1Password data, and a list of all installed applications.

Proton’s operators aren’t the only cybercriminals out there attempting to infect users via supply chain attacks. Last year, Mac Bittorrent client Transmission was hacked twice to spread the OSX/KeRanger ransomware and OSX/Keydnap password stealer, respectively.

Another incident of global impact was the compromise of the updater process of tax accounting software MEDoc to distribute the NotPetya wiper. Spreading fast to organizations worldwide, the attack resulted in millions of dollars in losses, as some organizations were unable to recover data following the incident.

Related: Software Download Mirror Distributes Mac Malware

Related: macOS RAT Uses 0-Day for Root Access

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.