Handbrake's Server Compromised, Download Installs Complex Trojan

Handbrake, a popular open source video encoder, posted on its forums this weekend saying that their mirror download server was compromised. Anyone who downloaded Handbrake between May 2 and May 6 potentially grabbed a version that was infected with malware. Intego VirusBarrier anti-virus identifies and eradicates this malware as OSX/Proton.B.

Only those that downloaded Handbrake from their mirror server () received the malicious application. It was not distributed on any other websites.

The download is a .dmg file as expected, and upon opening the file, nothing suspicious can be seen. The user will drag Handbrake to their Applications folder and launch it. At this point, the application does something unusual, which will immediately stick out to long-time Handbrake users: it asks for administrator privileges. Under the guise of needing to install additional codecs, a malicious payload is installed instead. Once the password is entered, Handbrake will launch and it appears to be business as usual. In the background, however, a backdoor was installed, named “activity_agent.” The backdoor was observed contacting 85.17.25.66, which is the IP address that hosts the handbrake website.
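The two indicators the article names, a running process called “activity_agent” and traffic to 85.17.25.66, are enough for a quick triage check on a Mac that downloaded Handbrake during the affected window. The script below is an added example, not code from the article or from Intego or the Handbrake project. It takes process-list and socket-list text as arguments so it can be demonstrated offline; the sample lines at the bottom are constructed, not captured from a real host. Note that the article says 85.17.25.66 also hosts the legitimate Handbrake website, so a connection to that address on its own is a weak signal (a user who simply visited the site would produce one); the process name is the stronger of the two, and the script reports each separately.

```shell
#!/bin/sh
# Added example (not part of the original article): look for the two
# OSX/Proton.B indicators named in the text. On a live Mac, run it as:
#   check_proton_iocs "$(ps -axo comm=)" "$(netstat -an)"

PROTON_PROC="activity_agent"   # backdoor process name from the article
PROTON_C2="85.17.25.66"        # address the backdoor contacted (also hosts handbrake.fr)

# check_proton_iocs PS_OUTPUT NETSTAT_OUTPUT
# Prints one line per indicator found. Returns 0 if anything matched,
# 1 if neither indicator is present. grep -F keeps the dots in the IP
# from being treated as regex wildcards.
check_proton_iocs() {
  ps_out="$1"
  net_out="$2"
  hit=1
  if printf '%s\n' "$ps_out" | grep -qF -- "$PROTON_PROC"; then
    echo "PROCESS: $PROTON_PROC is running"
    hit=0
  fi
  if printf '%s\n' "$net_out" | grep -qF -- "$PROTON_C2"; then
    echo "NETWORK: connection to $PROTON_C2 (weak on its own, the legitimate site lives there)"
    hit=0
  fi
  return $hit
}

# Demonstration on constructed sample output (not captured from a real host).
SAMPLE_PS="launchd
WindowServer
activity_agent
HandBrake"
SAMPLE_NET="tcp4       0      0  192.168.1.5.52140      85.17.25.66.443        ESTABLISHED"
check_proton_iocs "$SAMPLE_PS" "$SAMPLE_NET" || echo "no Proton indicators found"
```

The function only confirms the indicators the article gives; it does not remove anything. A host that matches the process indicator should be treated as compromised and cleaned with an up-to-date scanner rather than by killing the process by hand.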