HandBrake OSX/Proton.B Trojan Backdoor (macOS)

Nessus Plugin ID 100128 (Severity: Critical)

Synopsis

An application installed on the remote macOS or Mac OS X host is affected by a trojan.

Description

According to its binary checksum, the version of HandBrake installed on the remote macOS or Mac OS X host is the build that was trojanized with the OSX/Proton.B backdoor. The HandBrake project reported that one of its download mirrors (download.handbrake.fr) was compromised and served an infected HandBrake 1.0.7 disk image from roughly 14:30 UTC on May 2, 2017 until 11:00 UTC on May 6, 2017; the project's advisory (linked below) publishes the checksums of the infected image so that a downloaded copy can be compared against them. Once the trojanized application has been run, the backdoor gives an unauthenticated, remote attacker control over the affected user account: it can exfiltrate sensitive information (the advisory specifically names Keychain and browser-stored credentials), download additional malicious files, and execute arbitrary code.

Solution

To confirm the infection before cleaning up, look for a process named activity_agent in Activity Monitor (or run ps -ax | grep -i activity_agent in Terminal); the project's advisory uses the presence of this process as the indicator of a compromised install. Note that a HandBrake.app whose checksum does not match the infected image is not affected by this issue.

To remove the infected application, open the Terminal application and run the following commands :

- launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
- rm -rf ~/Library/RenderFiles/activity_agent.app

Remove the proton.zip archive from the ~/Library/VideoFrameworks/ folder if it exists, remove every HandBrake.app install, and reinstall HandBrake only from a download whose checksum matches the values published by the project.
Additionally, because the backdoor collects the contents of the macOS Keychain and of browser password stores, it is strongly recommended to change every password held in them, not only the account password; removing the files does not revoke credentials that may already have been exfiltrated.
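As an added example (this is not code from the Nessus plugin or from the HandBrake advisory), the following POSIX shell script turns the manual steps above into a check-and-remove routine. proton_indicators scans a home directory for the three filesystem artifacts the advisory names and, when scanning the account it runs as on a live host, for a running activity_agent process; proton_remove performs the unload-and-delete steps. The function names, the HOME_DIR parameter (so a mounted volume or backup can be scanned) and the decision to skip launchctl where it is absent are this example's own choices, and make_fixture builds a constructed, harmless copy of the infected layout purely so the script can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the plugin or the HandBrake advisory): check a home
# directory for the OSX/Proton.B artifacts the advisory lists, and remove them.
# Paths are relative to the account's home so the same code can scan a mounted
# volume (e.g. /Volumes/Backup/Users/alice) or a test fixture.

PLIST='Library/LaunchAgents/fr.handbrake.activity_agent.plist'
AGENT_APP='Library/RenderFiles/activity_agent.app'
PROTON_ZIP='Library/VideoFrameworks/proton.zip'

# proton_indicators [HOME_DIR]
# Prints one "FOUND <path>" line per artifact present. Returns 0 if any
# indicator is present, 1 if the directory looks clean.
proton_indicators() {
    home="${1:-$HOME}"
    found=1
    for rel in "$PLIST" "$AGENT_APP" "$PROTON_ZIP"; do
        if [ -e "$home/$rel" ]; then
            echo "FOUND $home/$rel"
            found=0
        fi
    done
    # The advisory's live indicator is a process named activity_agent; that
    # only means something when scanning the account we are running as.
    if [ "$home" = "$HOME" ] && pgrep -f activity_agent >/dev/null 2>&1; then
        echo "FOUND running process matching activity_agent"
        found=0
    fi
    return $found
}

# proton_remove [HOME_DIR]
# Unloads the LaunchAgent where launchctl exists (macOS), then deletes the
# three artifacts. Returns 0 when no indicator remains afterwards.
proton_remove() {
    home="${1:-$HOME}"
    if [ -e "$home/$PLIST" ] && command -v launchctl >/dev/null 2>&1; then
        launchctl unload "$home/$PLIST" 2>/dev/null || true
    fi
    rm -f "$home/$PLIST" "$home/$PROTON_ZIP"
    rm -rf "$home/$AGENT_APP"
    ! proton_indicators "$home" >/dev/null
}

# make_fixture DIR
# Builds a constructed, harmless copy of the infected layout (empty files at
# the advisory's paths) so the functions above can be exercised offline.
make_fixture() {
    d="$1"
    mkdir -p "$d/Library/LaunchAgents" \
             "$d/$AGENT_APP/Contents/MacOS" \
             "$d/Library/VideoFrameworks"
    : > "$d/$PLIST"
    : > "$d/$AGENT_APP/Contents/MacOS/activity_agent"
    : > "$d/$PROTON_ZIP"
}

# Demonstration on a fixture, not on the real account:
demo="$(mktemp -d)"
make_fixture "$demo"
proton_indicators "$demo"            # prints three FOUND lines
proton_remove "$demo" && echo "fixture cleaned: $demo"
rm -rf "$demo"
```

To scan the logged-in account, source the script and call proton_indicators with no argument; pass another path (for example a user directory on a mounted backup) to check an offline copy. Cleaning the files does not undo credential theft, so the password changes recommended above are still required after proton_remove reports success.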

See Also

https://forum.handbrake.fr/viewtopic.php?f=33&t=36364

Plugin Details

Severity: Critical

ID: 100128

File Name: macosx_handbrake_backdoor.nasl

Version: 1.5

Type: local

Agent: macosx

Published: 5/11/2017

Updated: 12/21/2022

Supported Sensors: Nessus Agent, Nessus

Risk Information

CVSS Score Rationale: Score based on an in-depth analysis by Tenable.

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: manual

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: x-cpe:/a:handbrake:handbrake

Required KB Items: Host/local_checks_enabled, Host/MacOSX/Version, installed_sw/HandBrake

Patch Publication Date: 5/6/2017

Vulnerability Publication Date: 5/6/2017