
Supply Chain Attack Spreads macOS RAT

Proton, a remote access tool (RAT) that emerged in early 2017, has once again compromised a legitimate software’s distribution channel to spread, ESET warns.


Discovered in March 2017, Proton was designed to execute arbitrary bash commands as root, log keystrokes, upload and download files to and from the victim's machine, capture screenshots and webcam images, fetch updates, and send notifications to the attacker. It can also let the attacker connect to the target machine over SSH or VNC.

In May 2017, the malware's operators compromised a download mirror of the popular video converter HandBrake and used it to distribute the RAT inside a trojanized build of the legitimate application.

Now the attackers have breached Eltima, the maker of the Elmedia Player software, and replaced the legitimate application binaries offered for download with trojanized versions. As a result, Eltima's official website served OSX/Proton to anyone downloading the player.

The attack was observed on Thursday, October 19, and Eltima cleaned the infected application binaries within hours of being notified of the incident, ESET says.

Anyone who downloaded Elmedia Player recently should check their system for compromise by looking for the following files or directories: /tmp/Updater.app/, /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist, /Library/.rand/, and /Library/.rand/updateragent.app/.

“If any of them exists, it means the trojanized Elmedia Player application was executed and that OSX/Proton is most likely running,” ESET notes.
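The check described above, as an added shell example that is not part of ESET's advisory or Eltima's software. The four paths are the indicators listed in the article; the optional ROOT argument is an addition so the same function can be pointed at a mounted disk image or a test directory instead of the live system, and the launchd label is assumed to match the plist file name.

```shell
#!/bin/sh
# Added example: look for the OSX/Proton indicators that ESET listed for the
# trojanized Elmedia Player. Not ESET's or Eltima's code.

# The IoC paths from the article, one per line (no spaces, so plain word
# splitting in the for-loop below is safe).
PROTON_IOC_PATHS='
/tmp/Updater.app
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand
/Library/.rand/updateragent.app
'

# proton_check_root [ROOT]
# Prints every indicator present under ROOT (default "/") and returns 1 if
# any was found, 0 if none were. Only existence is tested, which needs no
# root privileges. A hit means the trojanized installer ran, so treat the host
# as compromised rather than as clean once these files are deleted.
proton_check_root() {
    root="${1:-/}"
    root="${root%/}"          # "/" becomes "", so "$root$p" stays absolute
    found=0
    for p in $PROTON_IOC_PATHS; do
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "FOUND: $root$p"
            found=1
        fi
    done
    return "$found"
}

# proton_check_launchagent
# On a live macOS system, also ask launchd whether the updater agent is loaded.
# Assumption: the job label equals the plist name (com.Eltima.UpdaterAgent).
# Returns 1 if it is listed, 0 otherwise; returns 0 where launchctl is absent.
proton_check_launchagent() {
    command -v launchctl >/dev/null 2>&1 || return 0
    if launchctl list 2>/dev/null | grep -q 'com.Eltima.UpdaterAgent'; then
        echo "LOADED: com.Eltima.UpdaterAgent launch agent is active"
        return 1
    fi
    return 0
}

# Run the checks when a root to inspect is given on the command line, e.g.
#   sh proton_check.sh /               (live system)
#   sh proton_check.sh /Volumes/image  (mounted disk image of a suspect Mac)
if [ "$#" -gt 0 ]; then
    rc=0
    proton_check_root "$1" || rc=1
    if [ "$1" = "/" ]; then
        proton_check_launchagent || rc=1
    fi
    [ "$rc" -eq 0 ] && echo "No OSX/Proton indicators found under $1"
    exit "$rc"
fi
```

The exit status (1 on any hit) makes the script usable from fleet tooling that runs it on each Mac and collects non-zero results; the printed FOUND lines tell the responder which artifact tripped it.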

According to ESET, only the version downloaded from the company's website was compromised; the version delivered through the application's built-in automatic update mechanism was reportedly unaffected.


Once running on a compromised machine, the malware collects operating system details; browser data from Chrome, Safari, Opera, and Firefox (history, cookies, bookmarks, and saved logins); cryptocurrency wallets (Electrum, Bitcoin Core, and Armory); SSH private data; macOS keychain data; Tunnelblick VPN configuration; GnuPG data; 1Password data; and a list of all installed applications.

Proton's operators are not the only criminals using supply chain attacks to reach users. In 2016, the Mac BitTorrent client Transmission was compromised twice, first to spread the OSX/KeRanger ransomware and then the OSX/Keydnap password stealer.

Another incident of global impact was the compromise of the update process of the tax accounting software MEDoc to distribute the NotPetya wiper. The attack spread rapidly to organizations worldwide and caused losses in the millions of dollars, as some organizations were unable to recover their data afterwards.

Related: Software Download Mirror Distributes Mac Malware

Related: macOS RAT Uses 0-Day for Root Access

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
