OSX Proton: Mac malware that allows hackers to spy and steal data spreading via hacked Eltima apps
The same Mac malware was previously spread by hackers via a popular Mac OS app called HandBrake.
A powerful Mac malware known as OSX Proton was distributed by hackers to Apple users earlier in the week. The hackers managed to hack the servers of software developer Eltima, which boasts of one million users, and managed to infect two of its products – the Eltima Player app and the Folx app – with the Mac malware.
The two malware-infected apps, when downloaded, infected users with OSX Proton. The malware is essentially a backdoor that comes with extensive data-stealing and spying abilities. The backdoor malware can steal users' cookies, history, bookmarks, current timezone, log-in data, cryptocurrency wallets, MacOS keychain data, SSH authentication keys, 1Password data, PGP encryption keys and more.
According to security researchers at ESET, who uncovered the attack, hackers breached Eltima on Thursday (19 October) but were discovered fairly quickly by ESET, who reported the breach to Eltima.
An Eltima spokesperson told ZDNet that the malware was distributed with downloads after the company's servers got "hacked" after attackers "used a security breach in the tiny_mce JavaScript library on our server".
The app installers infected with the remote access Trojan (RAT) were available on Eltima's website for around 24 hours. Around 1,000 users are believed to have been infected with the malware, after downloading the malicious installers from Eltima's website, Motherboard reported.
"If you have downloaded that software on October 19th before 3:15pm EDT and run it, you are likely compromised," ESET researchers said in a blog. "As far as we know, only the version downloaded from the Eltima website contains the trojanized application."
"In the current case of Eltima trojanized software, the attacker built a signed wrapper around the legitimate Elmedia Player and Proton. In fact, we observed what seems to be real-time repackaging and signing of the wrappers, all with the same valid Apple Developer ID," ESET researchers said, adding that Apple revoked the certificate.
For those infected by OSX Proton, the only way to get rid of the malware is to perform a full OS reinstall.
According to ESET researchers OSX Proton is sold on the dark web. The malware was previously spread by hackers via a popular Mac OS app called HandBrake. Motherboard reported that evidence may indicate that the new attack may have been perpetrated by the same hackers behind the HandBrake attack.
"In order to compromise Macs, attackers need a way to get malicious applications onto them, and hacking into a legitimate developer's website to surreptitiously trojanize a popular app is a great way to achieve this," Patrick Wardle, Apple security expert and director of Synack told Motherboard. "We've seen attackers use this mechanism before, so it won't be surprising if they continue to rely on this attack vector."
