MacOS Proton backdoor spread via Trojanized Eltima apps

According to security researchers at ESET, a trojanized version of the Elmedia Player software for Mac was available for download from the developer’s official site for an unknown length of time.

The two malware-infected apps (the Elmedia Player app and the Folx app) infected the users who downloaded them with OSX/Proton. The malware is essentially a backdoor with extensive data-stealing and spying capabilities: it can steal users’ cookies, browsing history, bookmarks, current timezone, login data, cryptocurrency wallets, MacOS keychain data, SSH authentication keys, 1Password data, PGP encryption keys and more.

The compromise came to light on October 19, when security researchers at ESET noticed that the Elmedia Player download was distributing the Proton trojan. Users who downloaded the software from Eltima on that day before 3:15pm EDT are warned that their system may have been compromised by the malware.

ESET advises anyone who downloaded Elmedia Player or Folx software recently to check whether their system is compromised by looking for the presence of any of the following files or directories:

/tmp/Updater.app/
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand/
/Library/.rand/updateragent.app/

If any of them exists, it means the trojanized Elmedia Player or Folx application was executed and that OSX/Proton is most likely running.
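As an added example (not code from ESET or Eltima), the following POSIX shell check looks for the four artifacts above and reports a non-zero count when any are present, so it can be run across a fleet and the results collected. PROTON_ROOT is an assumed environment variable: leave it unset to scan the live system, or point it at a mounted backup or disk image.

```shell
#!/bin/sh
# Added example: check a macOS system for the OSX/Proton artifacts that
# ESET lists. Not ESET's or Eltima's code. PROTON_ROOT is an assumed
# variable; unset means the live filesystem, otherwise a mounted image.

# Trailing slashes from the advisory are dropped so that "-e" matches the
# entry whether it is a file (the plist) or a directory (the .app bundles).
PROTON_ARTIFACTS="
/tmp/Updater.app
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand
/Library/.rand/updateragent.app
"

# check_proton_artifacts [ROOT]
# Prints every artifact found under ROOT and returns the number found,
# so a return of 0 means clean and non-zero means "treat as compromised".
check_proton_artifacts() {
    root="${1:-}"
    hits=0
    for artifact in $PROTON_ARTIFACTS; do
        if [ -e "${root}${artifact}" ]; then
            printf 'FOUND: %s\n' "${root}${artifact}"
            hits=$((hits + 1))
        fi
    done
    return "$hits"
}

# Run against the live system (or PROTON_ROOT) when executed directly.
# The LaunchAgent plist is the persistence mechanism: if anything is found,
# preserve the files for analysis before removing them.
check_proton_artifacts "${PROTON_ROOT:-}"
proton_hits=$?
if [ "$proton_hits" -eq 0 ]; then
    echo "No OSX/Proton artifacts found under ${PROTON_ROOT:-/}"
else
    echo "$proton_hits OSX/Proton artifact(s) present: treat this machine as compromised" >&2
fi
```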
