Popular Mac Software is Spreading Advanced Infections

If you’re using either the Elmedia Player or Folx Download Manager, your Mac might need immediate reformatting and re-installation.

Hidden malware is getting distributed via Elmedia Player and Folx download manager. It’s using encryption to help it disappear from conventional anti-virus software. This parasite is being distributed with the latest updates carrying the OSX Proton malware.

Proton Malware first debuted in the threat landscape in 2016. It is a remote access tool which lets hackers access the desktop of any affected user. This malicious code can log keystrokes, activate the user webcam, take screencasts, and launch console commands. It can also mess up your authentication as it affects both SSH and VNC protocols to snoop into everything you do.

This code also proposes other malicious code, which shows up as browser popups and click bait. These links ask for the user’s information- login details, credit card numbers and even personal information.

ESET security experts have discovered that the Proton malware has spread through supply chain attacks. This means that the attackers have encrypted the bad code into application installs and downloads. They found out that Eltima, who has crafted the Elmedia Player software was at fault. Eltima is unknowingly distributing a trojanized app version carrying the OSX/Proton malware.

Eltima positively responded to ESET’s alert and has cooperated to find a way to troubleshoot the issue.

From a recent statement, ESET found out that the hacktivists have manipulated the developer servers. Having unrestricted access, they injected the Proton Malware, infecting the download files.

The trojanized package was first issued October 19th, and Eltima was able to resolve it at 3:10 pm the same day. Meanwhile, Eltima also published a statement about Folx infection.

[Advanced Instructions] In order for you to check if your device is infected, scan it and look for the following:

/tmp/Updater.app/
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand/
/Library/.rand/updateragent.app/

“The presence of any of the files above is an indication that your system may have been infected by the trojanized Elmedia Player or Folx application which means your OSX/Proton is most likely running. If you downloaded Elmedia Player or Folx on the 19th of October 2017, your system is likely affected.” Eltima published on their security announcement.

If any of these files are visible, then your computer is infected with Proton Malware. An antivirus software may detect it, but wouldn’t be capable of wiping it off. You need to reformat the computer to wipe the disk clean and reinstall everything.

This Proton Malware can seep into any iCloud account, regardless of the two-factor authentication process.