This is getting ridiculous. Devs need better means of data integrity before distributing their software. The worst being the recent CCleaner fiasco, which is ironic considering it’s owned by an anti-virus company now.

Agreed, it's soooo simple to just check the integrity before each download yet we still see this again and again.
Computers nowadays are so fast that an integrity check shouldn't take too long

Please tell us what other software you use :p

LOL, I just.....



I'm not going to disagree with the basic premise, but I'm not sure it's "ridiculous" that this can happen. Whether we're talking about medieval battlements or web servers, attackers will attack and will sometimes succeed. Many an "impregnable" fortress has eventually fallen.

Like bank vaults, the expense invested to protect the contents of a server will be limited by the value of those contents. A small, independent developer's site is protected as much by its relative obscurity/value as a vector of infection as it is by whatever defenses are arrayed by its operator. A vault as valuable as Apple's is going to invite attack, but the defenses arrayed ought to be commensurate with that value.

Though developers complain about Apple's 30% cut, they're paying for a bundle of services from Apple - not only the retailer's cut for attracting buyers and transacting the sale, but also security services, bandwidth, credit card fees, etc. Operating your own commerce site is hardly a cost-free or risk-free endeavor.
 
@camelia
Edit: You downloaded Airy, it is not affected as per the above article
If you downloaded Folx and/or Elmedia Player you might be.


You can read it in the main article on top of this page.

If there are these files in those locations on your disk you are infected.

- /tmp/Updater.app/
- /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
- /Library/.rand/
- /Library/.rand/updateragent.app/

Edit:
In Finder click on Go > Go to Folder
Next type in

/tmp/
If Updater.app is there you are infected.
and
/Library/LaunchAgents/
If com.Eltima.UpdaterAgent.plist is there you are infected.
and
/Library/
If .rand/ is there you are infected.
and
/Library/.rand/
If updateragent.app is there you are infected.
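
The same walk through the four locations, as an added example that is not part of the post above and not a tool from Eltima or ESET: a POSIX shell function that tests for each of the reported paths and reports what it finds. It takes an optional root directory, so the same check can be run against a mounted clone or backup volume (the Carbon Copy Cloner case asked about later in the thread) instead of the running system. The volume name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread's author or from Eltima/ESET): check for
# the OSX/Proton artifacts listed in the post above. It is the Terminal
# equivalent of the Finder "Go to Folder" walk and can be pointed at a mounted
# backup or clone instead of the live system.
# Usage:
#   check_proton                        # inspect the running system
#   check_proton /Volumes/CCC-Backup    # inspect a clone (placeholder volume name)

# The indicator paths reported in the thread for this incident.
proton_iocs() {
    cat <<'EOF'
/tmp/Updater.app
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand
/Library/.rand/updateragent.app
EOF
}

# check_proton [ROOT]
# ROOT defaults to the live system ("/"). Prints each indicator found and
# returns 0 when none is present, 1 when at least one is.
check_proton() {
    root=${1:-/}
    root=${root%/}          # "/" becomes "", so "$root$p" stays an absolute path
    hits=0
    # The IOC list has no whitespace in its paths, so word splitting is safe here.
    for p in $(proton_iocs); do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            hits=$((hits + 1))
        fi
    done
    if [ "$hits" -eq 0 ]; then
        echo "no Proton indicators found under ${root:-/}"
        return 0
    fi
    echo "$hits indicator(s) present; treat this system as compromised" >&2
    return 1
}
```

Two things worth knowing when reading the result: `/tmp` is cleared on reboot, so a missing `/tmp/Updater.app` by itself proves nothing, while the LaunchAgent plist and the hidden `/Library/.rand` directory are the persistence and are the lines to watch for; and a `FOUND` on any of them is a reason to stop using the machine and follow the reinstall advice quoted further down, not to just delete the files.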

:oops: Thanks! Anyway I checked all the folders you provided and found nothing! :oops:

My heart beat like a drum when I read the post. And for future reference... :(

If I were infected with malware, would recovering my macOS from a Carbon Copy Cloner backup solve the problem,
or would I need to download macOS High Sierra again and install all the apps I had from scratch????

Or does it depend on the malware? :confused:

Came
 
I don't think it's ridiculous that this can happen. It's ridiculous how much it's happening. It's getting more and more frequent.
 

I'm not sure about the frequency, you may be right, or it may be perception. These things do tend to go in streaks, though. For example, a particular vulnerability may be exploited a number of times before most site operators address it. There's going to be an "easy pickings" period at the beginning, until searching for sites with that hole reaches a point of diminishing returns.
 
Very sorry that this could happen to your server. But I also sense advertising for the ESET company in the Mac world, don't I?

Hello, everyone!


We are very sorry that such thing happened with our apps.


On the 19th of October we were contacted by the malware research company ESET, reporting that our servers had been hacked and we had distributed malware in the DMG files of two of our apps: Folx and Elmedia Player.


Hackers used a security breach in the tiny_mce JavaScript library on our server.


Only the version downloaded from our website contained the trojanized application. The built-in automatic update mechanism is unaffected.


The Mac App Store version was not infected and remains safe.


We worked with the ESET team and Apple representatives and took all the necessary actions to stop the distribution of this malware successfully.


We now officially announce that it is absolutely safe for users to download Elmedia Player, Folx, and other Eltima Software applications.
 
I had Transmission, their servers got infected.
I had Handbrake, their servers got infected.
I was trying out Elmedia Player, their servers got infected.

.. This is why I only use AppStore apps now. Apple's vetting may not be 100% accurate, but at least they have a vetting process.

Luckily my needs are not very complicated, so I can usually find alternatives on the AppStore.
That is super good for you.
For me, 90% of apps just can't be found in the App Store (MATLAB, Microsoft Office, Wine, the Adobe series, just to name a few). Maybe I have not been infected yet. Idk.
 
Sorry for the late reply, I am on the other side of the ocean.:)

If you have a CCC backup from before the event you can use that one to get rid of any malware, BUT there's one problem here: if they got into your keychain or got information from Safari like login names and passwords, you still have to change them.

But you are OK this time; first of all you didn't download the infected app, and there were no infected files in those locations, so you are fine.:D
 
Since I already suspected Eltima of being some agency outlet, since their software portfolio seems too good and diverse to be true and with deep roots into the system and network level while regularly lacking the last bit of polish, I am not surprised. :cool:

So I guess they are just checking out Apple‘s internal procedures for further infiltration now. :eek:

Of course, if they‘re not the dark hats themselves, they are a perfect target due to the same reasons...

But then their strange office address...

Ah, have to hide...

</tinfoil>
What does your first point about lacking the final polish have to do with anything?
 
Optimistic thinking. No one’s downloading this anymore even if it’s fixed.

This is very true. In fact I am planning to delete it from my CCC backup! :mad:

I use Little Snitch to disallow any internet traffic I don't trust; it's set to only allow access to the internet when a VPN is active. Even if I got this malware I would see what's going on and wouldn't allow incoming or outgoing access to my Mac.
It's not waterproof, but much better than without LS and a VPN.

I also bought a license for Little Snitch, but to be honest... I am still learning how to use it; the learning curve isn't easy :(:eek::oops:

Thank you very much for your extremely useful information! :) About malware on a Mac, I am the newbie on the block :confused:, I have more questions but I am afraid to ask :oops:

I am not surprised about their software portfolio, but hiding their address? Where are they located? Russia, Germany, maybe on a private island? :rolleyes:
 
That doesn't help the people it has infected, and it should be a headline because of how serious it is for those people. Also, what does "not widely" mean: 1, 100, 1000, a million?

We really reached 1 million users in August 2017. But the infected build was available for download for only several hours, from 8 a.m. till 3.15 p.m. EDT. So all previous downloads and installs are absolutely safe.

As an Eltima representative I confirm that Airy was not infected. It's safe to download and use.
Does this affect those that downloaded Elmedia from the app store?
The App Store version was not hacked.
It's our official address of registration.

It's our official registration address.

Our official address is on our corporate website.
 
Never be afraid to ask! For the most part the people here on MR are nice and if you ask a legitimate question politely one or more people will try to help. We were all newbies once.
 
No problem, ask, I am a nice guy, as many other here.:);)
 
Thanks I will :) same reply @Kaibelf

Then, as an Eltima representative, could you please confirm again that Airy and the other apps from your website were not infected before and during the attack, and that only two apps from your website, Folx and Elmedia Player, were infected with the Proton Trojan?

"... infected build was available for downloading only several hours from 8 a.m till 3.15 p.m EDT..."

October 19 or 20 of the present year?

Are the antivirus products for Mac detecting this malware?

Thanks

:apple:
 
I never installed antivirus on a Mac; it's not really necessary. I have been using OS X since the beginning, about 16+ years ago, and never got malware, but I also use common sense and I have a VPN and Little Snitch running nowadays.
It's rare to get malware on your Mac; it exists, but it's far, FAR less common than on a Windows PC.
And, believe it or not, Mac OS X never had a virus until now: malware yes, viruses no.
 
Eltima said they worked with the ESET team; I am only curious whether ESET Cyber Security detects the trojanized application.
Let's face it, Mac users are buying antivirus solutions for their machines even though they are not necessary, and maybe this is good: we don't want more malware for Mac spreading on the net.

For me a virus is malware: https://en.wikipedia.org/wiki/Malware
I also don't have any antivirus installed on my Mac; even on a Windows PC I don't use antivirus. Like you said, using common sense is the strongest point.

By the way which VPN are you using?

Came

Still waiting for a reply from an Eltima representative...
 
Been busy for a few days.:)

A virus is malware; malware does not have to be a virus.

1. A virus installs itself without user consent.

2. A virus duplicates itself, to others on the same network or for example to other computers on the internet through email.

There's no known virus up until now for OS X/macOS.
 
Oh! :oops: I didn't know, thanks for that info...

OK, it seems that the Eltima representative doesn't want to reply, so I will have to email them :rolleyes:

Thank you
Came
 
- As was stated before, Airy and the other apps on our website (except Elmedia and Folx) were not infected.
- The infected build was available for download for only several hours, from 8 a.m. till 3.15 p.m. EDT on the 19th of October 2017.
- You can try ESET antivirus.
 
Most people don't want a virus scanner on their Macs; it's not really needed, and I for one am not going to install a virus scanner to please Windows users. It's their problem, not mine (and/or others with Macs).

It's also your responsibility to check integrity before each download; if all software developers had this check, it would be a lot better and safer to download software without malware.
 
I totally agree with you. This issue is very extreme since the infection is deeper; of course it is Eltima's responsibility to check integrity before each download, since we are talking about persistent malware :mad:

What is next for Mac users, a combo of VPN + firewall + antivirus + anti-malware, if this problem continues with any software developer?

If some Mac users are using LS or any VPN, it is because they are optional, not mandatory. :cool:

Thanks to ESET, who detected it; if not, you would still have those infected builds on your server until now, and not for only several hours.

Malware hidden in vid app is so nasty, victims should wipe their Macs
If you downloaded and installed stuff from Eltima, you are totally in problems


What is Proton Trojan?

Proton is a remote-control Trojan designed specifically for Mac systems. It opens a backdoor granting root-level command-line access to commandeer the computer, and can steal passwords, encryption and VPN keys, and crypto-currencies from infected systems. It can gain access to a victim's iCloud account, even if two-factor authentication is used.

"A total system OS reinstall is the only guaranteed way to totally rid your system of this Malware," it warned. "This is a standard procedure for any system compromise with the affection of administrator account."

More info here -https://xww.theregister.co.uk/2017/10/20/mac_os_reinstall_eltima_elmedia_malware/

Change the first x for a w

Did I say it is persistent malware? Well, now you know why, if one user is infected, it is totally lost.

Another reason why Mac users don't need antivirus: if you are infected with this malware you have to format everything.

Thanks
Came
 
Can Malwarebytes for Mac Remove it?

Tc

Do you think you are infected?
Can you please take screenshots of these files in those locations on your disk?

- /tmp/Updater.app/
- /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
- /Library/.rand/
- /Library/.rand/updateragent.app/

You may ask at Malwarebytes forums

Came
 
I had to format my hard drive, but as soon as I get news from Malwarebytes, I will post the results here

Do you know if Eltima support replies fast?
Because I will also try to reach them via email, just like you did

Tc
 