The hackers responsible for the Mac malware OSX.Proton have struck again, this time infecting a copy of the Elmedia Player app that was being distributed from the official Eltima website. At this time, it is still unknown how long their website was providing the hijacked app.
Proton was silently added to Apple’s XProtect definitions in early March, and not much was known about it at the time. Then, in May, one of the servers responsible for distributing the popular Handbrake software was hacked, resulting in the distribution of a Proton-infected copy of Handbrake for a four-day period. Now, Eltima Software has fallen victim to a similar attack.
Researchers at ESET discovered the trojanized copy of Elmedia Player on Thursday morning, and Eltima Software eliminated the malware from their servers by that afternoon. However, an unknown number of people have already downloaded the malicious copy of Elmedia Player and will be infected with Proton.
The malicious Elmedia Player app looks completely legitimate, even when opened. This is because the Trojanized app is actually a wrapper, containing the real Elmedia Player application. When the malicious wrapper is opened, it opens the legitimate app as a cover to make it seem like everything is working as expected.
In the following screenshot, you can see the contents of the legitimate Elmedia Player app in the lefthand window, compared to the malicious wrapper app on the right.
This is a bit different than the technique used to Trojanize Handbrake. In the case of Handbrake, the software is open source, so the hackers were able to actually compile a malicious copy of the Handbrake app that installed the Proton malware, but otherwise behaved normally.
In this case, however, Elmedia Player is not open source, so the hackers changed their methods to open an untampered copy of the real application. To avoid suspicion by having two different Elmedia Player apps showing up on the Dock, the malicious wrapper app has the following setting in its Info.plist file:
LSUIElement
This means that the malicious app is treated as more of a background process, hidden from the Dock and the Force Quit window, eliminating one potential cause for user suspicion.
The only place that the malicious application differs from the legitimate one, as with the Handbrake hack, is a password request when the app launches.
Malware researcher @noarfromspace also noticed that Eltima Software’s Folx application is also affected, which we have confirmed. Since Eltima Software has cleaned up their systems at this point, it is not known how many of their other apps may also have been affected.
The maliciously-modified Eltima apps are all signed using an Apple developer certificate issued to a “Clifton Grimm.” That certificate has been revoked at this point, rendering those apps inoperable.
Malicious behaviors
As with the variant that was dropped by the hacked copy of Handbrake (Proton.B), this variant (Proton.C) will also attempt to exfiltrate the keychains and 1Password vaults containing user passwords and other sensitive information, as well as browser information, including login credentials for those who use browser functionality to remember their passwords.
However, Proton.C will also collect a number of other pieces of data. It will exfiltrate several different cryptocurrency wallets, giving the hackers the ability to steal digital money, such as Bitcoin, from the user. It also grabs other data that could be used to connect to sensitive online resources accessible to the user.
In addition, as part of the infection process, Proton.C will add a line to the sudoers file, which manages access to root privileges:
Defaults !tty_tickets
Normally, if a user is granted root privileges in the terminal, for example, those privileges will only apply within that single terminal window (session) and nowhere else. By adding this line to the end of the sudoers file, this allows the malware to authenticate once, and root privileges are allowed across all sessions.
Am I infected?
Unfortunately, we don’t know yet how long Eltima Software’s systems have been serving up Trojanized software. However, if you have downloaded any software from Eltima Software recently, you should check to see if your system is infected. The easiest method for identifying an infection would be to install Malwarebytes for Mac, which will detect and remove Proton.C for free.
You can also check by choosing Go to Folder from the Go menu in the Finder, and entering the following path:
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
Then click the Go button. If the Finder complains that “The folder can’t be found,” that means you’re probably not infected—assuming, of course, that you didn’t make a mistake entering the path. This is not a method we recommend to most people, due to the possibility of human error resulting in an erroneous belief that the system is clean.
If you find an infection, be sure to delete any Eltima Software applications from your system, even if they are not detected by antivirus software, just to be completely sure. It should be safe to re-download clean copies at this point.
What happens if I’m infected?
If you are infected, the first priority is to get the malware off your system.
After you have done that, you will need to begin the far harder process of remediating the effects of the breach. You should assume that every password to every online account has been compromised, and should change them all. A good password manager, such as 1Password, will help immeasurably with this. If you’re not already using such a program, we recommend that you start now. (And don’t store the master password for your password manager in the macOS keychain!)
If you have any cryptocurrency wallets, you will need to take fast action to lock those down, before the criminals behind this malware clean you out. If you had any credit card or other financial account numbers stored in the keychain or in 1Password, contact those financial institutions immediately so that those accounts can be frozen, monitored, or changed.
For those with affected business machines, you need to alert your IT admins immediately. This malware may have given the hackers the keys needed to access some or all of your company’s internal resources, which could lead to your company suffering from a breach—possibly one that results in your company spreading another variant of Proton if you work at a software company.
If people act quickly to remediate, they can lessen the impact of this particular malware and stop the infection from spreading.