Gatekeeper, Apple's first line of defense against malware, allows signed binaries to execute without warning by default, Patrick Wardle, director of research at Synack and a macOS security expert, told me in a Twitter direct message. It's not clear if this certificate was obtained from Apple by using a fake identity or if it was stolen from another developer.
The malicious installers were not digitally signed with Eltima's Apple developer certificate, but with a different developer ID under the name Clifton Grimm. Instead, the hackers just managed to hack into Eltima's website through a vulnerability in a JavaScript-based library called TinyMCE. The attackers don't appear to have compromised the company's development infrastructure, as happened recently with the developer of a Windows application called CCleaner.
On Friday morning, Eltima announced that both apps are now "safe to install and malware-free." "Users who downloaded and executed the software on October 19 before 3:15 PM EDT, are likely compromised," the ESET researchers said. The malicious installers were available on Eltima's website for around 24 hours and were downloaded by almost 1,000 users. The security breach happened Thursday and was discovered relatively fast by ESET who reported the incident to the software developer. "The built-in automatic update mechanism seems to be unaffected." Only the installers for Elmedia Player and Folx downloaded by users from the company's website contained the Proton trojan, an Eltima spokeswoman told me. The company provides free and paid versions of its software programs and distributes them through its website and through the Mac App Store. Read more: What Is a 'Supply Chain Attack?'Įlmedia Player has 1 million users as of August, according to Eltima. The Proton malware is capable of stealing a lot of data from infected computers including history, cookies, bookmarks, and log-in data from browsers cryptocurrency wallets SSH authentication keys macOS keychain data Tunnelblick VPN configuration data PGP encryption keys and data stored in 1Password, a password management application. Eltima told me in an email that hackers also managed to trojanize one of the company's other applications, an internet download manager called Folx that also acts as a BitTorrent client.
0 kommentar(er)
