When Your Media Player Watches You – Trojan Infects Software Downloads for Macs

By on

Users downloading a media player to watch videos on their Macs ended up being watched by cybercriminals using Trojan malware to spy on victims’ operating systems.

Unfortunately, that’s the case for the popular Mac OSX media player, Elmedia Player. A trojanized version of the program has hit the scene as a result of the developer’s servers being hacked by cybercriminals.

It all started when a Remote Access Trojan (RAT), named Proton, snuck into the developer’s servers via a breach in their JavaScript library. From there, the threat was able to actually live on the developers official site for a period of time. Seemingly complete legitimate, the trojanized player was ready for download, which translates to: ready to infect any innocent user that may stumble across it.

The compromised package was created in order to deliver the latest version of the Proton backdoor on a broad scale. Proton is a Trojan that poses as legitimate programs or files, such as Elmedia Player, in order to trick and entice users into unknowingly running it. Upon being launched, the Proton backdoor provides attackers with an almost full view of the compromised system, allowing the theft of browser information, keylogs, usernames and passwords, cryprocurrency wallets, macOS keychain data and more.

Users have been warned that if they downloaded the software prior to the October 19th disclosure (after which Eltima Software removed the program from the site), they run the risk of having their system infected by the malware. And since Elmeida boasts over one million users, it’s crucial we all start looking towards next steps.

Users can start by seeing if any of the following files or directories are on their system, which would mean the trojanized version of Elmedia Player has been installed:

  • /tmp/Updater.app/
  • /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
  • /Library/.rand/
  • /Library/.rand/updateragent.app/

If a user is in fact infected, the next step would be to undergo a full OS re-installation. And for Elmedia Player users who are wishing to run the program safely once more, fear not. Users are now able to download a clean version of Elmedia Player from the Eltima website, which has said to be now free of compromise.

To learn more about this Trojan, and others like, be sure to follow @McAfee and @McAfee_Business.

Leave a Comment

Similar articles

If you’re a gamer, you know how important virtual currency is. It allows you to purchase new costumes and weapons to personalize your avatar. But how does one go about gaining virtual currency? Players complete in-game challenges and are rewarded with coins to spend in their virtual world. These challenges can be pretty difficult and ...
Read Blog
Cryptocurrency mining is the way transactions are verified and added to the public ledger, a database of all the transactions made around a particular piece of cryptocurrency. Cryptocurrency miners compile all of these transactions into blocks and try to solve complicated mathematical problems to compete with other miners for bitcoins. To do this, miners need ...
Read Blog
The authors thank their colleagues Oliver Devane and Deepak Setty for their help with this analysis. McAfee Labs researchers have discovered new Russian malware, dubbed WebCobra, which harnesses victims’ computing power to mine for cryptocurrencies. Coin mining malware is difficult to detect. Once a machine is compromised, a malicious app runs silently in the background ...
Read Blog