
MacRumors

macrumors bot
Original poster
Apr 12, 2001



Mac owners who have recently downloaded Elmedia Player or Folx from Eltima Software may have unwittingly installed malware on their machines, reports ZDNet.

Downloads of Folx and Elmedia Player were infected with Proton, a Remote Access Trojan, after Eltima's servers were hacked. The Proton backdoor lets attackers access browser information, keylogs, usernames, passwords, macOS keychain data, and more.

In an email to ZDNet, an Eltima spokesperson said that the malware was distributed with downloads as a result of their servers being "hacked" after attackers "used a security breach in the tiny_mce JavaScript library on our server."
The compromised software was discovered on October 19, and customers who downloaded software from Eltima on that date before 3:15 p.m. Eastern Time may be affected by the malware. The following files will be found on an infected system:

- /tmp/Updater.app/
- /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
- /Library/.rand/
- /Library/.rand/updateragent.app/

Apple and Eltima have disabled the developer ID that was used to sign the Proton-infected software bundle, and Eltima is working with Apple to figure out what happened.

Anyone who was impacted by the malware will need to reinstall macOS to get rid of it. Eltima says it has taken action to prevent further attacks and improve its server security. Clean versions of Elmedia Player and Folx are now available from the Eltima website.

Article Link: Eltima Software's Elmedia Player and Folx Infected With Malware
 
Does this affect those that downloaded Elmedia from the app store?
It sounds like not, since according to Eltima, "Only Elmedia Player and Folx version downloaded from our official Eltima website was infected by this malware. However, the built-in automatic update mechanism is unaffected based on the data available to our cybersecurity experts."

Also note that the App Store version hasn't been updated since Jul 3.
 
  • Like
Reactions: camelia
A timely reminder for me to do a complete system backup with Carbon Copy Cloner, which I was gonna do anyway before upgrading my system. Of course, if I had been infected, it would have been too late, if the only remedy is to reinstall. Drastic measure. At least, once done, you have a clean bootable system to revert to.
That is a heck of a removal procedure. Is there really no way to purge this without a full OS reinstall?
Presumably since this is a Trojan backdoor, not only can they control your system remotely, stealing your passwords, files etc, but they can install anything anywhere they want, and you have no way of knowing what, hence a clean install is the only way to be sure.
 
A timely reminder for me to do a complete system backup with Carbon Copy Cloner, which I was gonna do anyway before upgrading my system. Of course, if I had been infected, it would have been too late, if the only remedy is to reinstall. Drastic measure. At least, once done, you have a clean bootable system to revert to.
Presumably since this is a Trojan backdoor, not only can they control your system remotely, stealing your passwords, files etc, but they can install anything anywhere they want, and you have no way of knowing what, hence a clean install is the only way to be sure.
Agreed. If I ever found that my computer was infected, I'd reformat the boot disk, create a new user, and migrate stuff manually. Not taking any chances. It's also not really that hard to do. The hard part might be changing all your important passwords if you think they were stolen.

By the way, how does this get into your Keychain?
 
  • Like
Reactions: camelia
...attackers "used a security breach in the tiny_mce JavaScript library on our server...

Wait, isn't that a client-side JavaScript library (i.e. it runs in the web browser)? How would this allow a hacker to gain access to a remote server?
 
  • Like
Reactions: camelia
Since I already suspected Eltima of being some agency outlet, since their software portfolio seems too good and diverse to be true and with deep roots into the system and network level while regularly lacking the last bit of polish, I am not surprised. :cool:

So I guess they are just checking out Apple's internal procedures for further infiltration now. :eek:

Of course, if they're not the dark hats themselves, they are a perfect target due to the same reasons...

But then their strange office address...

Ah, have to hide...

</tinfoil>
 
Last edited:
I have Elmedia Player on my Mac; I downloaded it a few months ago and I don't have any problems with my Mac now. From the information I've found, the malware problem only touches the Mac users who downloaded the infected dmg file on 19 October during some hours. The problem was solved fast enough and most sources have already announced that everything is ok (like welivesecurity.com), so there is nothing to worry about.
 
I use Little Snitch to disallow any internet traffic I don't trust; it's set to only allow access to the internet when a VPN is active. Even if I got this malware I'd see what's going on and wouldn't allow incoming or outgoing access to my Mac.
It's not waterproof but much better than without LS and a VPN.
 
  • Like
Reactions: camelia and terryzx
Why isn't this the top story and not just on the sidebar where it might be overlooked?

Maybe just because it's not so widespread, unlike Crack WPA; it seems this malware was downloadable for a very short time only and for an app which isn't so popular. The App Store app wasn't affected, only the one which was on their own servers.
 
  • Like
Reactions: camelia
I had Transmission, their servers got infected.
I had Handbrake, their servers got infected.
I was trying out Elmedia Player, their servers got infected.

.. This is why I only use App Store apps now. Apple's vetting may not be 100% accurate, but at least they have a vetting process.

Luckily my needs are not very complicated, so I can usually find alternatives on the App Store.
 
  • Like
Reactions: camelia and ikir





Hello, everyone!


We are very sorry that such a thing happened with our apps.


On the 19th of October we were contacted by the malware research company ESET, reporting that our servers had been hacked and that we had distributed malware in the DMG files of two of our apps: Folx and Elmedia Player.


Hackers used a security breach in the tiny_mce JavaScript library on our server.


Only the version downloaded from our website contained the trojanized application. The built-in automatic update mechanism is unaffected.


The Mac App Store version was not infected and remains safe.


We worked with the ESET team and Apple representatives and took all the necessary actions to successfully stop the distribution of this malware.


We now officially announce that it is absolutely safe for users to download Elmedia Player, Folx, and other Eltima Software applications.
 
  • Like
Reactions: ikir
Does this affect those that downloaded Elmedia from the app store?
No. It's safe.

That is a heck of a removal procedure. Is there really no way to purge this without a full OS reinstall?
ESET recommends doing a system check to confirm whether your system was compromised or not. Then it will be clear if it's necessary to reinstall the OS.

Maybe just because it's not so widespread, unlike Crack WPA; it seems this malware was downloadable for a very short time only and for an app which isn't so popular. The App Store app wasn't affected, only the one which was on their own servers.

You are right. The malware-infected player was not widely spread. Our urgent actions prevented this.
 
Last edited by a moderator:
You are right. The malware-infected player was not widely spread. Our urgent actions prevented this.

That doesn't help the people it has infected, and it should be a headline because of how serious it is for those people. Also, what does "not widely" mean: 1, 100, 1000, a million?
 
  • Like
Reactions: camelia
OMG, I downloaded Airy on 19 October from your website. Is my Mac at risk? How do I know????

:eek::eek::eek::eek:

@camelia
Edit: You downloaded Airy; it is not affected, as per the above article.
If you downloaded Folx and/or Elmedia Player, you might be.


You can read it in the main article on top of this page.

If these files are in those locations on your disk, you are infected.

- /tmp/Updater.app/
- /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
- /Library/.rand/
- /Library/.rand/updateragent.app/

Edit:
In Finder click on Go > Go to Folder
Next type in

/tmp/
If Updater.app is there, you are infected.
and
/Library/LaunchAgents/
If com.Eltima.UpdaterAgent.plist is there, you are infected.
and
/Library/
If .rand/ is there, you are infected.
and
/Library/.rand/
If updateragent.app is there, you are infected.
 
Last edited:
  • Like
Reactions: camelia
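The four-path check the post above walks through in Finder, as an added POSIX shell script. This is not code from the thread, from ESET or from Eltima; it assumes only that the indicator paths are the ones listed in the article. The signature-assessment helper additionally assumes macOS's codesign and spctl tools (it skips itself elsewhere), and the script file name check_proton_indicators.sh is a placeholder of my choosing.

```shell
#!/bin/sh
# Added example (not from the thread or from Eltima): a POSIX shell check for the
# four on-disk indicators the article lists for the Proton-trojanized Folx and
# Elmedia Player downloads. It runs against the live system by default, or
# against any mounted volume root (for example a Carbon Copy Cloner clone).
#
# Usage:  sh check_proton_indicators.sh            # checks "/"
#         sh check_proton_indicators.sh /Volumes/X # checks a mounted clone
# Exit status 0 means none of the indicators exist, 1 means at least one does.

# Indicator paths from the article, relative to the volume root. None of them
# contain whitespace, so a plain for-loop over the list is safe.
PROTON_INDICATORS="tmp/Updater.app
Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
Library/.rand
Library/.rand/updateragent.app"

# list_proton_indicators [ROOT]
# Prints the full path of every indicator that exists under ROOT, one per line.
list_proton_indicators() {
    root="${1:-/}"
    for rel in $PROTON_INDICATORS; do
        path="${root%/}/$rel"
        # -e matches plain files, directories and .app bundles alike.
        if [ -e "$path" ]; then
            echo "$path"
        fi
    done
    return 0
}

# proton_indicator_count [ROOT]
# Prints how many of the indicators exist under ROOT (0 to 4).
proton_indicator_count() {
    list_proton_indicators "$1" | wc -l | tr -d ' '
}

# report_proton_indicators [ROOT]
# Human-readable summary; returns 1 when the system should be treated as
# compromised, 0 otherwise.
report_proton_indicators() {
    root="${1:-/}"
    found=$(list_proton_indicators "$root")
    if [ -z "$found" ]; then
        echo "No Proton indicators found under ${root}"
        return 0
    fi
    echo "Proton indicators present under ${root}:"
    echo "$found"
    echo "Treat this system as compromised: follow the reinstall advice in the article and change passwords stored on it."
    return 1
}

# assess_app_signature APP_BUNDLE
# Companion check for the developer-ID revocation the article mentions: asks
# Gatekeeper whether the bundle's signature is still accepted. Only meaningful
# on macOS, where codesign and spctl exist; elsewhere it just says so.
assess_app_signature() {
    app="$1"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available; signature assessment skipped"
        return 0
    fi
    codesign --verify --deep --strict "$app" 2>&1
    spctl --assess --type execute --verbose "$app" 2>&1
}

# Run the report only when executed directly; sourcing the file (". ./...")
# just defines the functions so they can be reused from other scripts.
case "$0" in
    *check_proton_indicators.sh) report_proton_indicators "${1:-/}"; exit $? ;;
esac
```

Pointing the script at a mounted clone or Time Machine volume lets you check a backup before restoring from it. A clean result only means these four published paths are absent; it does not prove a machine was never infected, which is why the article's reinstall advice still stands once any indicator is present.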
This is getting ridiculous. Devs need better means of data integrity before distributing their software. The worst being the recent CCleaner fiasco, which is ironic considering it’s owned by an anti-virus company now.
 
  • Like
Reactions: camelia
I had Transmission, their servers got infected.
I had Handbrake, their servers got infected.
I was trying out Elmedia Player, their servers got infected.

.. This is why I only use App Store apps now. Apple's vetting may not be 100% accurate, but at least they have a vetting process.

Luckily my needs are not very complicated, so I can usually find alternatives on the App Store.

Please tell us what other software you use :p
 