HandBrake is an often-used free tool for editing and converting video files on macOS machines, but anyone who downloaded it last week may have unwittingly infected their Macs with malware. Online criminals replaced the HandBrake installer with the Proton remote-access Trojan (RAT), which gains complete control of your system and can also steal passwords stored on your Mac.
On Saturday (May 6) HandBrake's developers posted a note on their forums explaining that those who downloaded the program from a specific mirror server between May 2 and May 6 "have [a] 50/50 chance" of being infected by the RAT. That mirror server, download.handbrake.fr, had been compromised.
MacRumors forum poster Gannet described how the malware tried to infect his computer. As is often the case with Mac malware, user assistance is requires for the attack to succeed: The phony installer attempts to gain full-system control by asking for your username and password to "install additional codecs." This serves as a reminder to always think critically when you get a system prompt for your password, but on the other hand, it's precisely what you'd expect the genuine HandBrake installer to do.
The infected downloadable disk image, HandBrake-1.0.7.dmg, was replaced by a malicious file that uses a variant of the OSX.PROTON malware. While it's easy to remove this malware, affected users face a bigger problem with their passwords. The malware has access to login credentials stored in the macOS KeyChain app, as well as to passwords stored by web browsers. (We recommend that users not let browsers store sensitive passwords.)
How to tell if you're infected, and what to do
First, open the Activity Monitor app on your Mac, which is stored in the Utilities folder of the Applications directory. If you see a listed process named "Activity_agent", we're sorry, you're infected.
Time to eradicate this pestilence. Open the Terminal application (also found in the Utilities folder) and then copy and paste each of the following commands in (without the quotation marks), hitting Return after each. (If the Terminal says you're not authorized, then type "sudo" before the first command and log in using the password of a user authorized to install and delete software on the Mac.)
launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app
The last command lists the files in a certain directory. If one of those files is named proton.zip, then copy and paste the following text string into Terminal, and hit Return to remove the file. (HandBrake recommends deleting the entire VideoFrameworks folder, but we're not sure whether that's a good idea.)
rm -rf ~/Library/VideoFrameworks/proton.zip
Then, hit Command+Space to open Spotlight search and type "handbrake.app" in. Scroll down to the bottom of the results and click "See all results." In the subsequent window, look for all instances of the Handbrake app, and delete each. Then command-click the recycling bin icon, and select Empty Trash.
What about my passwords?
Open Keychain from the aforementioned Utilities folder to view your stored passwords. Change the passwords on every account listed, as the Proton RAT had access to your Keychain.
You'll need to do the same for all the passwords saved by your web browsers. To view those stored by Safari, click on Safari in the menu bar, select Preferences and click Passwords.
In Chrome, navigate to chrome://settings/passwords to see them. For Firefox, you'll find them by navigating to about:preferences#security clicking Saved Logins. as well as saved login credentials for your web browsers.