Posted on October 21, 2017 at 6:49 PM
Hackers used a malware-infected media player to compromise Mac operating systems.
Security researchers recently revealed that malicious attackers managed to infiltrate and compromise the website of a company that develops popular apps for Macs. This caused hundreds of users to download infected software.
The incident was reported last Friday by security researchers from the antivirus firm ESET. According to their report, the free version of the popular media player Elmedia Player, distributed from Eltima Software’s website, had been bundled with OSX/Proton, a notorious data-stealing Trojan.
The same Trojan was distributed earlier this year through a different popular macOS application, HandBrake.
According to Eltima, the attackers inserted the Trojan into one of its other applications as well: Folx, an internet download manager that also operates as a BitTorrent client.
Once it has infiltrated the operating system, the Proton malware can steal a huge amount of sensitive data from the infected machine, including browser history, cookies, bookmarks, log-in credentials, cryptocurrency wallet information, macOS keychain data, Tunnelblick VPN configuration data, PGP encryption keys, and all information stored in 1Password.
Statistics from 1 August show that Elmedia Player has just over one million users. Eltima Software offers both free and paid versions of its software, available from its website and from the Mac App Store.
A spokesperson from Eltima Software confirmed that the malware-infected apps appear to have affected only users who downloaded the apps for the first time. The Proton Trojan did not affect updates of software that was already installed.
The security breach took place last Thursday; ESET’s security team picked up on it quickly and reported it on Friday, directly to Eltima. By the time of the report, however, the malware had been active for just over 24 hours and had been downloaded over 1000 times.
The ESET research team confirmed that all users who downloaded and executed the software before 19 October at 3.15 PM EST are likely to be affected.
The Friday morning following the attack, Eltima announced via their website that both affected apps were safe to install and execute.
While the trojanized apps were not digitally signed with the software developer’s Apple certificate, they were signed under a different developer ID, in the name of Clifton Grimm. At this time, it is still unclear whether this certificate was obtained using a fake identity, or whether the hackers stole another developer’s certificate.
Patrick Wardle, director of research at Synack and a macOS expert, confirmed that Gatekeeper, Apple’s primary defense against malware, by default allows signed binaries to execute without warning. Because of this, the majority of Mac malware is currently signed with either stolen or fraudulent certificates; according to Wardle, more often than not the certificates are fraudulent.
Wardle stated that Apple has an obvious problem with ensuring that only legitimate developer IDs are issued.
Since ESET’s report, Apple has revoked the Clifton Grimm developer ID. Users who downloaded the affected software have been notified to update it to avoid further attacks.
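The point Wardle makes is that Gatekeeper only checks that a binary carries a valid Developer ID signature, not that it was signed by the vendor you expect, so a trojanized build signed under an unrelated developer ID passes by default. The defensive check that closes this gap is to read the signing chain of a downloaded bundle with `codesign -dvvv` and compare the leaf certificate and TeamIdentifier against the vendor's known values. The script below is an added example, not code from ESET, Eltima or the article; it parses a constructed sample of `codesign` output that reuses the signer name reported in the article, while the team identifier, bundle identifier and sizes are placeholders rather than real values.

```python
import re
import subprocess
from typing import List, Optional

# Constructed sample of `codesign -dvvv <bundle>` output (codesign prints it on stderr).
# The Authority= lines give the signing chain, leaf certificate first. The signer name is
# the one reported in the article; PLACEHOLDERTEAM, the identifier and the sizes are made up.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Applications/Elmedia Player.app/Contents/MacOS/Elmedia Player
Identifier=com.example.placeholder
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Signature size=8915
Authority=Developer ID Application: Clifton Grimm (PLACEHOLDERTEAM)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Oct 19, 2017 at 10:00:00 AM
Info.plist entries=25
TeamIdentifier=PLACEHOLDERTEAM
Sealed Resources version=2 rules=13 files=200
Internal requirements count=1 size=180
"""

AUTHORITY_RE = re.compile(r"^Authority=(.*)$", re.MULTILINE)
TEAM_RE = re.compile(r"^TeamIdentifier=(.*)$", re.MULTILINE)


def parse_signing_chain(codesign_output: str) -> List[str]:
    """Return the Authority= chain from codesign output, leaf certificate first."""
    return [m.strip() for m in AUTHORITY_RE.findall(codesign_output)]


def parse_team_identifier(codesign_output: str) -> Optional[str]:
    """Return the TeamIdentifier= value, or None if the bundle has no team (e.g. ad-hoc)."""
    m = TEAM_RE.search(codesign_output)
    return m.group(1).strip() if m else None


def signer_matches_vendor(codesign_output: str, expected_team_id: str) -> bool:
    """True only if the leaf is a Developer ID Application certificate AND the team
    identifier equals the vendor's published team ID. A valid signature from any other
    developer ID (which Gatekeeper alone would accept) is rejected here."""
    chain = parse_signing_chain(codesign_output)
    if not chain:
        return False  # unsigned or ad-hoc signed: no Developer ID chain at all
    leaf = chain[0]
    team = parse_team_identifier(codesign_output)
    return leaf.startswith("Developer ID Application:") and team == expected_team_id


def run_codesign(app_path: str) -> str:
    """Collect `codesign -dvvv` output for a real bundle (macOS only). codesign writes
    the signing details to stderr, so that stream is returned."""
    result = subprocess.run(["codesign", "-dvvv", app_path], capture_output=True, text=True)
    return result.stderr


if __name__ == "__main__":
    # Hypothetical vendor team ID; the real value would come from the vendor's own site.
    vendor_team = "VENDORTEAMID"
    print("chain:", parse_signing_chain(SAMPLE_CODESIGN_OUTPUT))
    print("signed by expected vendor:", signer_matches_vendor(SAMPLE_CODESIGN_OUTPUT, vendor_team))
```

On a Mac, feed `run_codesign("/Applications/<App>.app")` into `signer_matches_vendor` with the vendor's published team ID; `spctl --assess` will already say "accepted" for any valid Developer ID signature, so the team-ID comparison is the check that would have flagged the Clifton Grimm build.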