HandBrake OSX/Proton.B Trojan Backdoor (macOS)
Critical Nessus Plugin ID 100128
Synopsis
An application installed on the remote macOS or Mac OS X host is affected by a trojan.
Description
According to its binary checksum, the version of HandBrake installed on the remote macOS or Mac OS X host is affected by the OSX/Proton.B trojan backdoor. HandBrake was briefly distributed with the trojan due to a compromised mirror hosting the software. An unauthenticated, remote attacker can exploit this to exfiltrate sensitive information, download malicious files, and execute arbitrary code.
Solution
To remove the infected application, open the Terminal application and run the following commands:
- launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
- rm -rf ~/Library/RenderFiles/activity_agent.app
Remove the proton.zip archive from the ~/Library/VideoFrameworks/ folder if it exists, and remove any HandBrake.app installs.
Additionally, it is strongly recommended to change all the passwords that reside in your OSX Keychain and browser password stores.
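The detection and cleanup steps above as a POSIX shell script, added here as an example and not part of the Nessus plugin or Tenable's own tooling. Function and variable names are my own; the paths are the three from the Solution, and deleting the .plist itself (so the agent cannot reload at the next login) is a step beyond the listed commands.

```shell
#!/bin/sh
# Added example: look for the OSX/Proton.B artifacts named in the advisory in a
# macOS home directory, and optionally apply the same removal steps.

# The three artifact paths from the advisory, relative to the home directory.
PROTON_B_PLIST="Library/LaunchAgents/fr.handbrake.activity_agent.plist"
PROTON_B_APP="Library/RenderFiles/activity_agent.app"
PROTON_B_ZIP="Library/VideoFrameworks/proton.zip"

# proton_b_scan [HOME_DIR]
# Prints one "FOUND: <path>" line per artifact present; exit status = number found
# (0 means none of the indicators is present). HOME_DIR defaults to $HOME.
proton_b_scan() {
    home="${1:-$HOME}"
    hits=0
    for rel in "$PROTON_B_PLIST" "$PROTON_B_APP" "$PROTON_B_ZIP"; do
        if [ -e "$home/$rel" ]; then
            echo "FOUND: $home/$rel"
            hits=$((hits + 1))
        fi
    done
    # Also report a currently loaded agent (macOS only; skipped where launchctl
    # is absent, e.g. when this script is exercised on Linux).
    if command -v launchctl >/dev/null 2>&1 &&
       launchctl list 2>/dev/null | grep -q 'fr.handbrake.activity_agent'; then
        echo "FOUND: launch agent fr.handbrake.activity_agent is loaded"
        hits=$((hits + 1))
    fi
    return "$hits"
}

# proton_b_remove [HOME_DIR]
# The advisory's cleanup: unload the agent, delete the app bundle and proton.zip.
# The .plist is removed as well so the agent is not reloaded at login (my
# addition). Removing any HandBrake.app installs is left to the operator.
proton_b_remove() {
    home="${1:-$HOME}"
    if command -v launchctl >/dev/null 2>&1; then
        launchctl unload "$home/$PROTON_B_PLIST" 2>/dev/null || true
    fi
    rm -f "$home/$PROTON_B_PLIST"
    rm -rf "$home/$PROTON_B_APP"
    rm -f "$home/$PROTON_B_ZIP"
}
```

Run `proton_b_scan` first on each user's home directory; only if it reports hits is `proton_b_remove` needed, and the Keychain and browser password changes still have to be done by hand.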