In Capsule:

Hackers are using legitimate apps for spreading OSX/Proton malware Elmedia Player and Folx applications are used for distributing proton malware in Mac devices Eset alerted Eltima, and the malware was removed immediately A full reinstall of OS is the only method to remove malware if the device is infected.

Hackers are using legitimate apps like Elmedia Player and Folx for distributing OSX/Proton malware in mac devices.

Security researchers at ESET discovered that OSX/Proton malware was spreading through a new supply chain attack by injecting malicious code into legitimate applications.

“ESET researchers noticed that Eltima, the makers of the Elmedia Player software, have been distributing a version of their application trojanized with the OSX/Proton malware on their official website”

The Proton malware is a Remote access tool (RAT) which has the ability to execute console commands, keylogging, access webcams, capture screenshot, file uploading, downloading and open SSH/VHC remote connections.

Researchers alerted Eltima about the issue and company responded immediately by removing malware from the application.

“On the 19th of October 2017 we were informed by a malware research company ESET that our servers have been hacked and our apps namely Folx and Elmedia Player DMG files are distributed with a malware.Our cybersecurity team in close coordination with ESET Team and Apple representatives took all the necessary steps and actions to stop the distribution of this Malware successfully” said in a blog post published by Eltima

The company said that hackers compromised company’s server and attached the proton malware to the download files.

The versions Elmedia Player and Folx which are downloaded from Eltima’s official website are only infected with malware, and built-in automatic update application are unaffected as of now said the company.

You can verify whether your system is affected or not by checking the presence following files or directory.

/tmp/Updater.app/

/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist

/Library/.rand/

/Library/.rand/updateragent.app/

If any of the above files are present in your system that means trojanized Elmedia Player or Folx application was executed and OSX/Proton is most likely running on your device.

Both ESET and Eltima suggest that the only way to remove the malware is a full OS reinstall which is the standard procedure of any system compromised with the affection of administrator account.

Eltima said that users can now safely download Elmedia Player, Folx, and other Eltima Software applications from their website.

About the Author