Hackers compromised a download server for HandBrake, a popular media-encoding program, and used it to push stealthy malware that stole victims’ password keychains, password vaults, and possibly the master credentials that decrypted them, security researchers said Monday. Over a four-day period ending Saturday, a download mirror located at download.handbrake.fr delivered a version of the DVD ripping and video conversion software that contained a backdoor known as Proton, HandBrake developers warned over the weekend.
Proton is full-featured, professionally developed Mac malware that sells for as much as $63,000 on dark-Web crime forums. It’s a general-purpose backdoor that offers a range of features, including keylogging, remote login access, the ability to capture and upload videos and images from the webcam and screen, and the ability to steal stored files. An earlier version of Proton shipped with a valid code-signing signature that Apple uses to certify the trustworthiness of third-party software, according to an analysis from security firm Sixgill. Earlier this year, Apple developers updated macOS to automatically detect that version, Reed said.