OSX.Proton, the notorious info-stealing malware, has made a reappearance via a campaign involving booby-trapped editions of the popular Elmedia Player app.
The unscrupulous devs of the ill-famed OSX.Proton malware have recently proven that they’ve got a novel proliferation mechanism up their sleeve. The current generation of this contagion, referred to as OSX.Proton.C, is making the rounds in quite an unusual fashion. Specifically, it arrives at Mac computers with a trojanized copy of Elmedia Player, a free multimedia solution by Eltima Software. The situation gets yet more disconcerting due to the fact that users were downloading the weaponized app from Eltima’s official website for an unknown period of time. The trick is, when a would-be victim opens the hijacked software it looks just like the benign edition. However, malicious processes running in the background cause a great deal of security and privacy issues.
There is a red flag, though, signaling that the user is dealing with a rogue build of Elmedia Player. It is a popup request asking for the victim’s admin password when the software is first triggered, which is something the genuine app doesn’t display. If these privileges are granted, things start to quickly get out of hand, and the worst part is that the user won’t even know it. A new entry named com.Eltima.UpdaterAgent.plist will appear under /Library/LaunchAgents. This process gets triggered every time the contaminated Mac boots up so that the malicious effect persists.
The main vector of OSX.Proton’s activity is reconnaissance. It harvests various information about the computer and the user. These include operating system details, such as full name of the current user, time zone, hardware serial number, and hostname. The infection also collects personally identifiable information relating to web browsers, including Safari, Chrome, Firefox and Opera. In particular, it zeroes in on website login credentials, cookies, browsing history and the like. To add insult to injury, the OSX.Proton malware compromises keychain and 1Password data in an attempt to get hold of the victim’s stored passwords. Yet another unsettling effect is the theft of information associated with cryptocurrency wallets, including Bitcoin Core, Electrum, and Armory.
The impact of OSX.Proton can, obviously, get really bad. The threat actors obtain a sufficient volume of data to steal cryptocurrency and breach banking accounts, and that’s only part of the effect. Having discovered this virus on a Mac, the user should change passwords for all online accounts immediately. But before, OSX.Proton needs to be removed.
OSX.Proton malware manual removal for Mac
The steps listed below will walk you through the removal of this application. Be sure to follow the instructions in the order specified.
• Open up the Utilities folder as shown below
• Locate the Activity Monitor icon on the screen and double-click on it
• Under Activity Monitor, find the entry for UpdaterAgent, select it and click Quit Process
• A dialog should pop up, asking if you are sure you would like to quit the troublemaking process. Select the Force Quit option
• Click the Go button again, but this time select Applications on the list. Find the entry for UpdaterAgent on the interface, right-click on it and select Move to Trash. If user password is required, go ahead and enter it
• Now go to Apple Menu and pick the System Preferences option
• Select Accounts and click the Login Items button. The system will come up with the list of the items that launch when the box is started up. Locate UpdaterAgent there and click on the “-“ button
Use automatic tool to uninstall OSX.Proton malware from your Mac
1. Download and install MacBooster application (read review). The tool provides both optimization and security features for your Mac. As part of obliterating the OSX.Proton infection proper, consider also checking your machine for other security risks and performance issues by hitting the Scan button.
2. Proceed to the Uninstaller feature, find UpdaterAgent on the Applications list and have MacBooster completely eliminate all components of the app from your Mac by clicking Uninstall in the bottom part of the GUI. Doing so will ensure all components of the malware and its remainders, which may have not been removed in the manual way, will be thoroughly cleaned up.