HandBrake malware attack led to theft of Panic apps’ source code

Oregon-based software company Panic Inc. has announced that some of the source code for their offerings has been stolen, and they are being blackmailed by the attackers.

Panic develops a string of popular apps for Macs and iOS, including FTP client Transmit and web editor Coda.

How were they compromised?

As discovered the weekend before last, a malicious version of macOS video transcoding app HandBrake was offered for download for three days on an official but compromised download mirror.

Panic Inc. developer and co-founder Steven Frank had the bad luck of downloading a Trojanized version of the app, and not noticing something was amiss when it asked for admin privileges. This resulted in his machine being infected with the Proton RAT.

The Proton RAT allows attackers to monitor keystrokes, upload files to and download files from a remote machine under their control, perform webcam surveillance, and connect remotely to the infected machine.

“By the time news broke of the HandBrake infection, git credentials had already been stolen from my Mac and used to clone several of our source code repositories, according to our logs,” Frank explained.

“As soon as I discovered the infection on my Mac, I disabled it, took the Mac out of commission, and we began the incredibly lengthy process of changing all of my passwords, rotating the relevant secret keys throughout our infrastructure, and so on, to re-lock our doors and hopefully prevent anything else from being stolen.”

The investigation and a comb-through of the logs revealed that the attackers managed to clone some of the company’s source code, but Frank says that there is no indication that they obtained any customer information, Panic Sync data, or that their web server had been compromised.

What now?

The attackers got in touch via email, confirmed the theft of the source code, and demanded a large bitcoin ransom to prevent its public release.

But Panic developers decided that even if they pay, there is no guarantee that the attackers will go away without demanding more and more money. So, after debating how the release of the source code would affect their bottom line, they ultimately decided to risk it and revealed the breach themselves.

Their rationale for the decision was as follows: there are already cracked versions of their apps out there, and they don’t believe other Mac developers would ever risk using the leaked code in their own apps.

Panic is worried, though, that the code will be used to create malware-infected builds of their apps, and that those will be used to compromise other users.

They have notified the FBI about this breach, and asked Apple for help.

“Apple rallied the right security people quickly to learn all they could about our situation. They walked us through the best way to roll our Developer ID and invalidate the old one, which we don’t think was leaked, but we’re being overly cautious. And more importantly, the right people at Apple are now standing by to quickly shut down any stolen/malware-infested versions of our apps that we may discover,” Frank explained.

Still, he asked users to help by notifying the company if they find cracked or otherwise unofficial versions of its apps, or the stolen source code, in the wild.

Finally, he advised everyone to download Panic-made apps only from the Mac App Store or the Panic website. “We are going to be hyper-vigilant about the authenticity of downloads on our servers,” he promised.