Mac owners who have recently downloaded Elmedia Player or Folx from Eltima Software may have unwittingly installed malware on their machines, reports ZDNet.
Downloads of Folx and Elmedia Player were infected with Proton, a Remote Access Trojan, after Eltima's servers were hacked. The Proton backdoor lets attackers access browser information, keylogs, usernames, passwords, macOS keychain data, and more.
In an email to ZDNet, an Eltima spokesperson said that the malware was distributed with downloads as a result of their servers being "hacked" after attackers "used a security breach in the tiny_mce JavaScript library on our server."
The compromised software was discovered on October 19, and customers who downloaded software from Eltima on that date before 3:15 p.m. Eastern Time may be affected by the malware. The following files will be found on an infected system:
- /tmp/Updater.app/
- /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
- /Library/.rand/
- /Library/.rand/updateragent.app/
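As an added example (not from the article or from Eltima), a small POSIX shell check for the four indicator paths listed above. It takes an optional root prefix so it can be pointed at a mounted volume or a constructed test tree instead of the live system; the `PROTON_CHECK_RUN` variable and the function name are assumptions of this example.

```shell
#!/bin/sh
# Added example: look for the Proton indicator paths reported for the
# Eltima compromise. These four paths are the ones named in the article.
PROTON_PATHS="/tmp/Updater.app
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand
/Library/.rand/updateragent.app"

# check_proton_indicators [ROOT]
#   Prints every indicator present under ROOT (default: the live filesystem).
#   Returns 0 when none are found, 1 when at least one is found.
check_proton_indicators() {
    root="${1:-}"
    found=0
    # Paths contain no whitespace, so default word splitting on the
    # newline-separated list is safe here.
    for p in $PROTON_PATHS; do
        if [ -e "$root$p" ]; then
            printf 'FOUND: %s\n' "$root$p"
            found=$((found + 1))
        fi
    done
    if [ "$found" -eq 0 ]; then
        printf 'No Proton indicator paths found under %s\n' "${root:-/}"
        return 0
    fi
    printf '%d Proton indicator path(s) found\n' "$found"
    return 1
}

# Run against the live system only when explicitly requested, e.g.
#   PROTON_CHECK_RUN=1 sh check_proton.sh
# (assumed invocation for this example)
if [ "${PROTON_CHECK_RUN:-0}" = 1 ]; then
    check_proton_indicators "$@"
fi
```

A hit on any of these paths means the machine was running the trojanised download; per the article, the remedy Eltima gives is a macOS reinstall, not deleting the files.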
Apple and Eltima have disabled the developer ID that was used to sign the Proton-infected software bundle, and Eltima is working with Apple to figure out what happened.
Anyone who was impacted by the malware will need to reinstall macOS to get rid of it. Eltima says it has taken action to prevent further attacks and improve its server security. Clean versions of Elmedia Player and Folx are now available from the Eltima website.
Top Rated Comments
> Anyone who was impacted by the malware will need to reinstall macOS to get rid of it.
That is a heck of a removal procedure. Is there really no way to purge this without a full OS reinstall?
> Clean versions of Elmedia Player and Folx are now available from the Eltima website.
Optimistic thinking. No one's downloading this anymore even if it's fixed.
> I had Transmission, their servers got infected.
Please tell us what other software you use :p
I had Handbrake, their servers got infected.
I was trying out Elmedia Player, their servers got infected.
.. This is why I only use AppStore apps now. Apple's vetting may not be 100% accurate, but at least they have a vetting process.
Luckily my needs are not very complicated, so I can usually find alternatives on the AppStore.
So I guess they are just checking out Apple's internal procedures for further infiltration now. :eek:
Of course, if they're not the dark hats themselves, they are a perfect target due to the same reasons...
But then their strange office address...
Ah, have to hide...
</tinfoil>
> That is a heck of a removal procedure. Is there really no way to purge this without a full OS reinstall?
Presumably since this is a Trojan backdoor, not only can they control your system remotely, stealing your passwords, files etc, but they can install anything anywhere they want, and you have no way of knowing what, hence a clean install is the only way to be sure.
> Anyone who was impacted by the malware will need to reinstall macOS to get rid of it.
> That is a heck of a removal procedure. Is there really no way to purge this without a full OS reinstall?
No kidding. I think that's a bit extreme, too. Likely just removing the files and restarting is enough, unless the infection is deeper.