HandBrake OSX/Proton.B Trojan Backdoor (macOS)

Critical Nessus Plugin ID 100128


An application installed on the remote macOS or Mac OS X host is affected by a trojan.


According to its binary checksum, the version of HandBrake installed on the remote macOS or Mac OS X host is affected by the OSX/Proton.B trojan backdoor. HandBrake was briefly distributed with the trojan due to a compromised mirror hosting the software. An unauthenticated, remote attacker can exploit this to exfiltrate sensitive information, download malicious files, and execute arbitrary code.


To remove the infected application, open the Terminal application and run the following commands:

- launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
- rm -rf ~/Library/RenderFiles/activity_agent.app

Remove the proton.zip archive from the ~/Library/VideoFrameworks/ folder if it exists, and remove any HandBrake.app installs.
Additionally, it is strongly recommended to change all the passwords stored in your OS X Keychain and in browser password stores.
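
As an added example (not part of the Nessus plugin or of HandBrake's own guidance), the following shell function reports which of the three artifact paths named in the steps above exist under a given home directory, so the cleanup can be verified before and after. The function name `proton_artifacts` is hypothetical.

```shell
#!/bin/sh
# Added example: check a home directory for the OSX/Proton.B artifacts
# named in the removal steps. proton_artifacts is a hypothetical name.
# Prints one "FOUND <path>" line per artifact present.
# Returns 0 if at least one artifact exists, 1 if none do.
proton_artifacts() {
    home_dir=${1:?usage: proton_artifacts HOME_DIR}
    found=1
    # Paths are exactly those listed in the remediation text,
    # taken relative to the user's home directory.
    for rel in \
        "Library/LaunchAgents/fr.handbrake.activity_agent.plist" \
        "Library/RenderFiles/activity_agent.app" \
        "Library/VideoFrameworks/proton.zip"
    do
        # -e matches files and directories (the .app is a bundle directory);
        # -L also catches a dangling symlink left at that path.
        if [ -e "$home_dir/$rel" ] || [ -L "$home_dir/$rel" ]; then
            printf 'FOUND %s\n' "$home_dir/$rel"
            found=0
        fi
    done
    return "$found"
}
```

Call it as `proton_artifacts "$HOME"` for the current user, or once per directory under /Users to cover every account on the host. A clean result only shows these paths are absent; it does not replace the password changes recommended above.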


Plugin Details

Severity: Critical

ID: 100128

File Name: macosx_handbrake_backdoor.nasl

Version: 1.2

Type: local

Agent: macosx

Published: 2017/05/11

Modified: 2017/05/11

Dependencies: 100129

Risk Information

Risk Factor: Critical


Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C


Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: x-cpe:/a:handbrake:handbrake

Required KB Items: installed_sw/HandBrake, Host/MacOSX/Version, Host/local_checks_enabled

Patch Publication Date: 2017/05/06

Vulnerability Publication Date: 2017/05/06

Reference Information

OSVDB: 157221