
Elmedia Player and Folx installers infected by OSX/Proton credential-stealing malware on Oct. 19


Popular media player Elmedia Player and download manager Folx were both briefly infected with the Proton malware strain, with most installers of the software downloaded on Oct. 19 carrying the infection.

Researchers from security firm ESET reported on Friday that the free Elmedia Player installer had been compromised for a period of time on Oct. 19 with the malware. The malware piggybacked on the legitimate installer, in much the same way that the malware rode in on installs of media transcoding tool Handbrake in May — but this time it was signed with a certificate issued to a legitimate developer ID.

The binary substituted for the legitimate one was signed by a developer ID with the name "Clifon Grimm." The provenance of the ID is unclear, but it was legitimate before Apple revoked the certificate.

Users who downloaded the installers and executed them on Oct. 19 before 3:15 PM are "likely compromised" according to ESET. It is not clear how many users were infected.

"As with any compromise with an administrator account, a full OS reinstall is the only sure way to get rid of the malware," wrote ESET. "Victims should also assume that the secrets ... are compromised and take appropriate measures to invalidate them."

Secrets listed by ESET include operating system data including System Integrity Protection status and some location information, a wide array of browser data including cookies and login data, cryptocurrency wallets, SSH private data, macOS Keychain data, 1Password data, and a list of installed applications.

The full installers for Elmedia Player and Folx were contaminated with the malware. Applications updated through the built-in mechanism during the time period in question are apparently unaffected.

The presence of any or all of the following files indicates an attack by OSX/Proton:

/tmp/Updater.app/
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand/
/Library/.rand/updateragent.app/
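As an added example (not ESET's or Eltima's tooling), the following POSIX shell function checks a root directory for the indicator paths listed above. The root argument defaults to the boot volume; pointing it at a mounted volume or a test directory is a hypothetical usage added here.

```shell
#!/bin/sh
# Added example: look for the OSX/Proton indicator paths from the ESET
# advisory under a given root. Paths are taken verbatim from the advisory.
PROTON_IOCS="/tmp/Updater.app
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand
/Library/.rand/updateragent.app"

# Prints every indicator path that exists under $1 (default "/").
# Exit status: 0 when none are present, 1 when at least one is found.
check_proton_iocs() {
    root="${1:-/}"
    root="${root%/}"          # strip trailing slash so "/" becomes ""
    found=0
    for p in $PROTON_IOCS; do  # no indicator path contains whitespace
        if [ -e "$root$p" ]; then
            printf '%s\n' "$root$p"
            found=1
        fi
    done
    return $found
}

# Number of indicator paths present under $1; useful in a scripted report.
count_proton_iocs() {
    check_proton_iocs "$1" | wc -l | tr -d ' '
}
```

Run `check_proton_iocs` on the live system, or `check_proton_iocs /Volumes/NAME` against a mounted volume; a nonzero exit status means an indicator was found and the advisory's reinstall guidance applies.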

"Proton" is a remote access trojan (RAT) aimed at macOS systems. Written in Objective-C, allowing it to run without any dependencies, the malware is marketed by its creator as a "professional FUD surveillance and control solution, with which you can do almost everything with (a) target's Mac."

With root-access privileges, the list of potential actions includes keylogging, uploading and downloading files, screenshots, webcam access, and SSH and VNC connectivity. It is also claimed that the malware can present victims with a custom window, which could be used to request extra information, such as a credit card number.

Previously, the tool cost 100 bitcoins ($126,000 at the time) to acquire, with a license for unlimited installations, but criticism from others prompted a reduction to 40 bitcoins ($50,400) for unlimited installations, or 2 bitcoins ($2,512) for a single installation.



10 Comments

tzm41 8 Years · 95 comments

Would current security software packages like Symantec be able to detect this and prevent it from running?

macplusplus 9 Years · 2116 comments

tzm41 said:
Would current security software packages like Symantec be able to detect this and prevent it from running?

You don't need any security package to be installed on macOS, just update to the latest version of macOS which is High Sierra, don't disable Gatekeeper, do not install programs other than from AppStore, get scared from every authorization request and you will survive. Those malware are installed upon user's explicit acceptance. They request authorization for example for installing "required codecs". The user believing that the application comes from a legitimate source accepts without thinking. Even if the application is from a reliable and trusted source, it may be cracked to install malware during distribution. That is what happened with Handbrake. So the lesson is, unless you're an experienced Mac user, don't install any application on your Mac except from AppStore and the very few well-known big software developers.

dysamoria 12 Years · 3430 comments

I hate installers and OS architectures that require them.

electrosoft 9 Years · 52 comments

tzm41 said:
Would current security software packages like Symantec be able to detect this and prevent it from running?

Yes, Symantec detects it as do many other AV products.

Here's an analysis from when it compromised Handbrake:

https://virustotal.com/en/file/013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793/analysis/

JamesBrickley 8 Years · 104 comments

Popular? I've never even heard of "Elmedia Player" nor Folx for that matter. It's on sale on the Mac App Store for $9.99 and is normally $19.99. Was the copy from the App Store impacted or was it just the free download from the Elmedia website? Seems to be Russian software...