SecureMac, Inc.

Malware from Compromised Handbrake Servers Leads to Stolen Source Code

July 3, 2017

Back at the end of May, we reported on a story about a malware threat to Mac users delivered via the popular DVD-ripping software Handbrake. In that incident, hackers broke into one of the download servers Handbrake used to serve installers to users. They replaced the genuine Mac installer with one that would drop a backdoor onto your machine, giving the authors free rein to crawl through your data. The infected server was serving up this malware for four days, and now we know that it actually did lead to some infections. More than that, it enabled the hackers to steal the hard work of an app developer.

Panic, Inc., based in Portland, OR, suffered a breach after its lead developer installed the infected Handbrake. By the time the developer realized that there was a problem, it was too late. The hackers had discovered login credentials on the machine and used them to pilfer the source code for an in-development application. The hackers then contacted the developer to inform them of the theft. Why? Money, of course: they demanded a ransom in exchange for a flimsy promise not to release the files to the public.

The good news for the developers is that the stolen code was old and undergoing a heavy update process. They refused to pay the ransom and began working with Apple to ensure that the stolen code could not be used for nefarious purposes. That included disabling the developer’s old Developer ID and issuing them a brand new one. A valid Developer ID in a malware author’s hands could be used to sign software that Macs would trust, potentially opening the door to further threats.

This incident goes to show that even very savvy users can sometimes fall prey to malware unknowingly. It is not always easy, or even possible, to identify every threat we face on the web. That is exactly why installing and using malware protection, and running scans on a regular basis, is so important. Had the developer in question been conducting regular sweeps of his machine, he might have closed the backdoor before the hackers could enter. While we’ll never know for certain, it’s an object lesson in the crucial need for good security, whether you’re an average user or a pro developer.
