The website of Eltima, a maker of macOS and Windows apps, has been compromised by an unknown actor to spread a trojanized version of Elmedia Player, a multimedia player for macOS.
At the time of writing, it is unclear when the attackers hijacked the site and poisoned the Elmedia Player download links, but Eltima cleaned its website on October 19, 3:15 PM EDT after researchers from ESET spotted the malware and contacted the company.
According to ESET, the Elmedia Player builds served from the compromised site were bundled with the Proton malware, a remote access trojan for macOS that has been sold on underground hacking forums since March this year.
The malware has been deployed in a similar attack before, in May, when another unknown actor compromised the website of the HandBrake macOS transcoder app and bundled Proton with the official app.
Elmedia Player is a very popular multimedia player for Mac, having recently celebrated reaching the one million users milestone.
Proton is also powerful malware: the RAT gives the attacker a backdoor into compromised systems.
An attacker can use Proton to gather information from infected hosts, such as operating system details, browser passwords, browser cookies, browsing history, cryptocurrency wallet data, SSH private keys, macOS keychain data, VPN configs, GnuPG data, 1Password data, and more.
In addition, attackers can use Proton to download and execute new malware on infected hosts. A full review of Proton's capabilities is available in write-ups by Patrick Wardle, Cybereason, and Malwarebytes.
Mac users who recently installed Elmedia Player can check whether they are infected with the Proton RAT by looking for the existence of the following files and folders on their machine:
/tmp/Updater.app/
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand/
/Library/.rand/updateragent.app/
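As an added example (this is not code from the article, Eltima or ESET), the following POSIX shell script turns the list above into a check that reports which of those paths exist and, if the launch agent plist is present, prints it so an analyst can see what it starts. The optional ROOT prefix argument is an assumption added here so the same check can be exercised against a constructed directory tree; on a real Mac run it with no argument. One caveat: these are the artifacts ESET observed for this particular campaign, so their absence only shows that this build's artifacts are not present, not that the machine is clean.

```sh
#!/bin/sh
# Added example, not part of the article or of Eltima's or ESET's tooling.
# Checks a Mac for the Proton RAT artifacts the article lists. The ROOT
# prefix argument is an assumption made so the check can be run against a
# constructed directory tree; on a live system pass "" or nothing.

# Paths published as indicators of the trojanized Elmedia Player.
PROTON_IOCS="/tmp/Updater.app
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand
/Library/.rand/updateragent.app"

# list_proton_iocs [ROOT]: print every indicator path that exists under ROOT.
list_proton_iocs() {
    root="${1:-}"
    for p in $PROTON_IOCS; do
        # -e matches files and directories: the plist is a file, the rest
        # are directories (.app bundles are directories on macOS).
        if [ -e "$root$p" ]; then
            printf '%s\n' "$root$p"
        fi
    done
}

# count_proton_iocs [ROOT]: print how many indicators exist (0 = none found).
count_proton_iocs() {
    n=0
    for p in $PROTON_IOCS; do
        if [ -e "${1:-}$p" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# report_proton_iocs [ROOT]: human-readable verdict. When the launch agent
# plist is present its contents are dumped, since that is where the
# persistence mechanism says what it executes.
report_proton_iocs() {
    root="${1:-}"
    n=$(count_proton_iocs "$root")
    if [ "$n" -eq 0 ]; then
        echo "No Proton indicators found under '${root:-/}'."
    else
        echo "WARNING: $n Proton indicator(s) found under '${root:-/}':"
        list_proton_iocs "$root" | sed 's/^/  /'
        plist="$root/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist"
        if [ -f "$plist" ]; then
            echo "Launch agent contents:"
            cat "$plist"
        fi
    fi
}

# make_constructed_proton_tree DIR: build a fake "infected" tree under DIR.
# This is constructed sample data for the demonstration, not real malware;
# the plist body is a placeholder, not the real agent's contents.
make_constructed_proton_tree() {
    mkdir -p "$1/tmp/Updater.app" \
             "$1/Library/LaunchAgents" \
             "$1/Library/.rand/updateragent.app"
    printf '<plist version="1.0"><dict><key>Label</key><string>com.Eltima.UpdaterAgent</string></dict></plist>\n' \
        > "$1/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist"
}

# Demonstration: first a constructed infected tree, then the live system.
demo_dir=$(mktemp -d)
make_constructed_proton_tree "$demo_dir"
report_proton_iocs "$demo_dir"
rm -rf "$demo_dir"
report_proton_iocs ""
```

The existence test only needs read access to /tmp and /Library, which every local user has, so the script does not need sudo. If the report comes back positive, the article's advice applies: treat the machine as compromised rather than just deleting the listed paths, since Proton can download and run additional payloads.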
This is also not the first time a Mac software supplier's website has been hacked. Previously, attackers breached the website of the Transmission BitTorrent client for Mac on two separate occasions: first to distribute the KeRanger ransomware, and later the Keydnap infostealer.