HandBrake OSX/Proton.B Trojan Backdoor (macOS)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

An application installed on the remote macOS or Mac OS X host is
affected by a trojan.

Description :

According to its binary checksum, the version of HandBrake installed
on the remote macOS or Mac OS X host is affected by the OSX/Proton.B
trojan backdoor. HandBrake was briefly distributed with the trojan due
to a compromised mirror hosting the software. An unauthenticated,
remote attacker can exploit this to exfiltrate sensitive information,
download malicious files, and execute arbitrary code.

See also :

https://forum.handbrake.fr/viewtopic.php?f=33&t=36364

Solution :

To remove the infected application, open the Terminal application and
run the following commands :

- launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
- rm -rf ~/Library/RenderFiles/activity_agent.app

Remove the proton.zip archive from the ~/Library/VideoFrameworks/
folder if it exists, and remove any HandBrake.app installs.
Additionally, it is strongly recommended to change all the passwords
that reside in your OSX KeyChain and browser password stores.
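
As an added defender-side example (not Tenable's plugin code), the following POSIX shell script checks a macOS home directory for the three on-disk artifacts named in the removal steps above. The artifact paths are taken from this advisory; the function names and the constructed `--scan` flag are my own.

```shell
#!/bin/sh
# Added example: looks for the OSX/Proton.B artifacts listed in the advisory's
# Solution section. Paths come from the advisory; everything else is assumed.

# Prints each indicator found (relative to the given home directory), one per line.
# Returns 0 when nothing is found, 1 when at least one artifact is present.
check_proton_b_indicators() {
    home_dir="${1:-$HOME}"
    found=0
    # Artifacts named in the advisory's removal steps
    for rel in \
        "Library/LaunchAgents/fr.handbrake.activity_agent.plist" \
        "Library/RenderFiles/activity_agent.app" \
        "Library/VideoFrameworks/proton.zip"
    do
        if [ -e "$home_dir/$rel" ]; then
            printf '%s\n' "$rel"
            found=1
        fi
    done
    return "$found"
}

# Numeric verdict for scripted checks: how many of the artifacts are present.
count_proton_b_indicators() {
    check_proton_b_indicators "${1:-$HOME}" | wc -l | tr -d ' '
}

# True when the malicious LaunchAgent label is currently loaded (macOS only;
# returns false where launchctl does not exist).
launch_agent_loaded() {
    command -v launchctl >/dev/null 2>&1 || return 1
    launchctl list 2>/dev/null | grep -q 'fr.handbrake.activity_agent'
}

# Run against a real home directory only when explicitly asked:
#   sh proton_b_check.sh --scan [HOME_DIR]
if [ "${1:-}" = "--scan" ]; then
    if check_proton_b_indicators "${2:-$HOME}"; then
        echo "No OSX/Proton.B artifacts found"
    else
        echo "OSX/Proton.B artifacts present; follow the removal steps in the advisory"
        launch_agent_loaded && echo "LaunchAgent fr.handbrake.activity_agent is loaded"
    fi
fi
```

A clean host yields a count of 0; the check reports files only, so a HandBrake.app that was replaced by a clean copy but whose LaunchAgent still exists is still flagged.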

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Family: MacOS X Local Security Checks

Nessus Plugin ID: 100128

Bugtraq ID:

CVE ID:
