“Downloads of a popular Mac OSX [sic] [recte macOS] media player and an accompanying download manager were infected with trojan malware after the developer’s servers were hacked,” Danny Palmer reports for ZDNet.

“Elmedia Player by software developer Eltima boasts over one million users, some of whom have may have also unwittingly installed Proton, a Remote Access Trojan which specifically targets Macs for the purposes of spying and theft,” Palmer reports. “Attackers also managed to compromise a second Eltima product – Folx – with the same malware.”

“The Proton backdoor provides attackers with an almost full view of the compromised system, allowing the theft of browser information, keylogs, usernames and passwords, cryprocurrency wallets, macOS keychain data and more,” Palmer reports. “The compromise came to light on October 19, when cyber security researchers at ESET noticed the Elmedia Player was distributing Proton trojan malware. Users are warned if they downloaded the software from Eltima on that day before 3:15pm EDT, their system has may have been compromised by the malware.”

Read more in the full article here.

MacDailyNews Take: Yet another good reason to stick to Apple’s Mac App Store whenever possible!

ESET advises anyone who downloaded Elmedia Player or Folx software recently to verify if their system is compromised by testing the presence of any of the following file or directory:

/tmp/Updater.app/
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand/
/Library/.rand/updateragent.app/

If any of them exists, it means the trojanized Elmedia Player or Folx application was executed and that OSX/Proton is most likely running. If you have downloaded that software on October 19th before 3:15pm EDT and run it, you are likely compromised.

According to ESET, “As with any compromission with a administrator account, a full OS reinstall is the only sure way to get rid of the malware. Victims should also assume at least all the secrets outlined in the previous section are compromised and take appropriate measures to invalidate them.”

More info here.