ESET security researchers found that the official website of Eltima, the maker of the Elmedia Player software, had been compromised and was distributing a version of the application trojanized with the OSX/Proton malware. ESET informed Eltima as soon as the situation was confirmed.
Elmedia Player is a very popular media player that reached the 1 million users milestone this summer.
According to Eltima:
“On the 19th of October 2017 we were informed by a malware research company ESET that our servers have been hacked and our apps namely Folx and Elmedia Player DMG files are distributed with a malware.”
Proton is a powerful backdoor that lets an attacker collect a wide range of data from infected hosts, such as operating system details, browser passwords, cookies and history, cryptocurrency wallet data, SSH private keys, macOS keychain data, VPN configurations, GnuPG data, 1Password data, and much more.
ESET security researchers advise users who have recently downloaded Elmedia Player or Folx to check whether their system is compromised by looking for any of the following files or directories:
– /tmp/Updater.app/
– /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
– /Library/.rand/
– /Library/.rand/updateragent.app/
If any of them exists, the trojanized Elmedia Player or Folx app was executed and OSX/Proton is most likely running.
“If you have downloaded that software on October 19th before 3:15pm EDT and run it, you are likely compromised.”
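The file and directory check described above, as an added POSIX shell script that is not part of the article or of ESET's own tooling. It looks for the four indicators listed above under a prefix, so it can be run against the live system ("/") or against a mounted disk image; the `proton_check` function name and the PREFIX argument are this example's own conventions.

```shell
#!/bin/sh
# Added example: check a macOS system for the OSX/Proton indicators
# named in the article. Not ESET's or Eltima's code.
#
# PREFIX is the root to inspect: "/" for the running system, or the
# mount point of an offline disk image (e.g. /Volumes/evidence).

# The four paths from the article (no spaces, so word-splitting on
# newlines below is safe).
PROTON_PATHS="/tmp/Updater.app
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand
/Library/.rand/updateragent.app"

# proton_check PREFIX
#   Prints every indicator that exists under PREFIX.
#   Returns 0 if none is present, 1 if at least one is present.
proton_check() {
    prefix="${1:-/}"
    prefix="${prefix%/}"          # "/" becomes "" so "$prefix$p" stays absolute
    found=0
    for p in $PROTON_PATHS; do
        # -e matches both files (the .plist) and directories (.app, .rand);
        # note that /Library/.rand is a dot-directory and is hidden in Finder.
        if [ -e "$prefix$p" ]; then
            echo "INDICATOR FOUND: $prefix$p"
            found=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "No OSX/Proton indicators found under ${prefix:-/}"
    fi
    return "$found"
}

# When invoked with an argument, run the check; with no argument the file
# can be sourced by other scripts without side effects.
if [ "$#" -gt 0 ]; then
    proton_check "$1"
fi
```

Run it as `sh proton_check.sh /` on the Mac itself, or with the mount point of an image; a non-zero exit status means at least one indicator was present.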