Home   Support Blog   Mac malware OSX.Proton strikes again

Mac malware OSX.Proton strikes again

The hackers responsible for the Mac malware OSX.Proton have struck again, this time infecting a copy of the Elmedia Player app that was being distributed from the official Eltima website. At this time, it is still unknown how long their website was providing the hijacked app.

Proton was silently added to Apple’s XProtect definitions in early March, and not much was known about it at the time. Then, in May, one of the servers responsible for distributing the popular Handbrake software was hacked, resulting in the distribution of a Proton-infected copy of Handbrake for a four-day period. Now, Eltima Software has fallen victim to a similar attack.

Researchers discovered the trojanized copy of Elmedia Player and Eltima Software eliminated the malware from their servers by that afternoon. However, an unknown number of people have already downloaded the malicious copy of Elmedia Player and will be infected with Proton.

The malicious Elmedia Player app looks completely legitimate, even when opened. This is because the Trojanized app is actually a wrapper, containing the real Elmedia Player application. When the malicious wrapper is opened, it opens the legitimate app as a cover to make it seem like everything is working as expected.

In the following screenshot, you can see the contents of the legitimate Elmedia Player app in the lefthand window, compared to the malicious wrapper app on the right.

This is a bit different than the technique used to Trojanize Handbrake. In the case of Handbrake, the software is open source, so the hackers were able to actually compile a malicious copy of the Handbrake app that installed the Proton malware, but otherwise behaved normally.

In this case, however, Elmedia Player is not open source, so the hackers changed their methods to open an untampered copy of the real application. This means that the malicious app is treated as more of a background process, hidden from the Dock and the Force Quit window, eliminating one potential cause for user suspicion.

For those with affected business machines, you need to alert your IT admins immediately. This malware may have given the hackers the keys needed to access some or all of your company’s internal resources, which could lead to your company suffering from a breach—possibly one that results in your company spreading another variant of Proton if you work at a software company.

If people act quickly to remediate, they can lessen the impact of this particular malware and stop the infection from spreading.