OSX_Proton_Process
Description: OSX/Proton bundled with a tampered version of HandBrake and Elmedia Player (see https://objective-see.com/blog/blog_0x1D.html and https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/)
Value: Artifacts created by this malware
Query:
select * from processes
  where path like '/Users/%/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent'
     OR path = '/Library/.rand/updateragent.app/Contents/MacOS/updateragent'
     OR path = '/Library/.random/xpcd.app/Contents/MacOS/xpcd';

Additional Query Info:
Version: 1.4.5
Platform: darwin
Interval: 3600
JSON:
{
  "queries": {
    "OSX_Proton_Process": {
      "query": "select * from processes where path like '/Users/%/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent' OR path='/Library/.rand/updateragent.app/Contents/MacOS/updateragent' OR path='/Library/.random/xpcd.app/Contents/MacOS/xpcd';",
      "interval": "3600",
      "platform": "darwin",
      "version": "1.4.5",
      "description": "OSX/Proton bundled with a tampered version of Handbrake and Elmedia Player: (https://objective-see.com/blog/blog_0x1D.html and https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/)",
      "value": "Artifacts created by this malware"
    }
  }
}