Did you download HandBrake recently? You might have got malware instead

If you visited the HandBrake download site between 2-6 May 2017, there is an even chance that instead of obtaining a legitimate copy of that app, you actually ended up with a hacked version containing a new variant of the Trojan OSX.Proton.B. Full details of this have been published by Patrick Wardle of Objective-See, who points out that no conventional ‘anti-virus’ products detect this new malware.

Proton first appeared in an A variant in February 2017, when it was offered for sale on a message board and its own website. It allegedly allows an attacker to take full control of an infected Mac remotely, giving access to the camera, recording keystrokes and screenshots, uploading user files, and installing additional malware. As a remote-access tool (RAT), it would normally be deployed in targeted attacks, rather than from a public download site.

This variant is distinguished by installing a LaunchAgent Property List file named fr.handbrake.activity_agent.plist in ~/Library/LaunchAgents, which launches an app named activity_agent.app placed in ~/Library/RenderFiles. Objective-See’s BlockBlock detects this very easily as a result of those persistence measures, but other security products fail to notice that anything is amiss.
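A quick check for those two persistence artifacts, added here as an example and not taken from Objective-See or HandBrake. It takes a home directory as an optional argument (defaulting to $HOME) so it can be run against other users’ folders or a mounted volume; the paths and the fr.handbrake.activity_agent label are those reported for this variant.

```shell
#!/bin/sh
# Added example: look for the OSX.Proton.B persistence artifacts described above.
# Usage: check_proton_b [home_dir]   (defaults to $HOME)
# Returns 1 if any indicator is present, 0 if none are found.

check_proton_b() {
    home="${1:-$HOME}"
    plist="$home/Library/LaunchAgents/fr.handbrake.activity_agent.plist"
    app="$home/Library/RenderFiles/activity_agent.app"
    found=0

    # 1. The LaunchAgent plist that makes the malware start at login.
    if [ -f "$plist" ]; then
        echo "FOUND LaunchAgent: $plist"
        found=1
        # On macOS, show what the agent is configured to run.
        if command -v plutil >/dev/null 2>&1; then
            plutil -p "$plist" 2>/dev/null | grep -E 'Label|Program' || true
        fi
    fi

    # 2. The agent app bundle the plist points at.
    if [ -d "$app" ]; then
        echo "FOUND agent app: $app"
        found=1
    fi

    # 3. Is the agent already loaded into launchd? (launchctl is macOS-only.)
    if command -v launchctl >/dev/null 2>&1 &&
       launchctl list 2>/dev/null | grep -q 'fr.handbrake.activity_agent'; then
        echo "LOADED: fr.handbrake.activity_agent is running under launchd"
        found=1
    fi

    if [ "$found" -eq 1 ]; then
        echo "OSX.Proton.B indicators present: treat this Mac as compromised."
        return 1
    fi
    echo "No OSX.Proton.B persistence artifacts found in $home."
    return 0
}
```

A clean result only means these particular artifacts are absent; as the post notes, a small change to the malware would use different names.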

Apple is apparently in the process of pushing another update to XProtect which should detect OSX.Proton.B (OSX.Proton.A has been covered since March), but as yet that update has not reached much of the world. It is too late to provide any protection for those Mac users who are already infected.

Patrick also points out that the XProtect signature is highly specific to the variant which has been distributed. A very small change to the malware would enable that protection to be bypassed completely.

Full details are on the Objective-See blog.

Thanks to Patrick Wardle for alerting us to this.