OSX_Proton_Process

Name: OSX_Proton_Process
OSX/Proton bundled with a tampered version of Handbrake and Elmedia Player: (https://objective-see.com/blog/blog_0x1D.html and https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/): Artifacts created by this malware

Query:
select * from processes \
        where path like '/Users/%/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent' OR \
        path='/Library/.rand/updateragent.app/Contents/MacOS/updateragent' OR \
        path='/Library/.random/xpcd.app/Contents/MacOS/xpcd';
Additional Query Info:
Version: 1.4.5
Platform: darwin
Interval: 3600

JSON:
{
  "queries": {
    "OSX_Proton_Process": {
      "query" : "select * from processes \
        where path like '/Users/%/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent' OR \
        path='/Library/.rand/updateragent.app/Contents/MacOS/updateragent' OR \
        path='/Library/.random/xpcd.app/Contents/MacOS/xpcd';",
      "interval" : "3600",
      "platform" : "darwin",
      "version": "1.4.5",
      "description" : "OSX/Proton bundled with a tampered version of Handbrake and Elmedia Player: (https://objective-see.com/blog/blog_0x1D.html and https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/)",
      "value" : "Artifacts created by this malware"
    }
  }
}

You must be logged in to post a comment.

Proudly powered by WordPress   Premium Style Theme by www.gopiplus.com