Hawkish applications lurking in your MacOS environment


Let’s say you own a Mac, you read our blogs and you want to protect yourself. You install an antivirus program, and it promptly flags your favourite video transcoder, HandBrake. Since that is obviously a false positive, you ignore the detection and carry on. Except that you may just have been infected with the Proton backdoor.

A backdoor is a hidden mechanism that gives an attacker access to a system while bypassing its normal authentication and security controls. It runs quietly in the background, which makes it hard to detect and remove. Attackers use backdoors to reach systems remotely, steal personal information, install additional unwanted software, or take control of the whole machine.

The Proton threat was present on one of HandBrake’s official download mirrors between 2 May 2017 14:30 UTC and 6 May 2017 11:00 UTC. Users who downloaded HandBrake in that window unknowingly installed the trojanised application. On first launch, the malicious copy immediately prompted for the administrator password. That is odd behaviour for a video transcoder, but end users routinely approve such prompts. With those credentials Proton exfiltrated the user’s keychain, including every password stored in it, and left a backdoor through which the attackers could return. The infected installer had the SHA1 checksum 0935a43ca90c6c419a49e4f8f1d75e68cd70b274; comparing the checksum of the downloaded file against the one published on the official web site would have exposed the mismatch and prevented the infection.

Article Link: https://blog.reversinglabs.com/blog/hawkish-applications-lurking-in-your-macos-environment