Elmedia Player and Folx malware threat Neutralized!

Alex Taylor in Free Software,Help/Support,Mac Software,System Utilities,The Company/Releases
20 Oct 2017, 14:12

On the 19th of October 2017 we were informed by ESET, a malware research company, that our servers had been hacked and that the DMG files of our apps Folx and Elmedia Player were being distributed with malware.

Our cybersecurity team, in close coordination with the ESET team and Apple representatives, took all the necessary steps to stop the distribution of this malware.

We now officially announce that it is absolutely safe to download Elmedia Player, Folx, and other Eltima Software applications.

SYSTEM CHECK!!!
If you recently downloaded Elmedia Player or Folx, ESET advises you to do a system check to confirm whether your system was compromised.

Instructions: check whether any of the following files or directories exist on your system:

/tmp/Updater.app/
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand/
/Library/.rand/updateragent.app/

The presence of any of the files or directories above is an indication that your system may have been infected by the trojanized Elmedia Player or Folx application, which means OSX/Proton is most likely running on it. If you downloaded Elmedia Player or Folx on the 19th of October 2017, your system is likely affected.

NOTE: Only the Elmedia Player and Folx versions downloaded from our official Eltima website were infected by this malware. Based on the data available to our cybersecurity experts, the built-in automatic update mechanism is unaffected.
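One way to run the check above from Terminal, as an added example that is neither Eltima's nor ESET's code: the script tests each of the four paths listed in the post, including the dot-directory that the Finder hides. The optional root prefix argument is an assumption added so the check can be exercised against a constructed directory tree; on a real Mac run it with no argument.

```shell
#!/bin/sh
# Added example (not Eltima's or ESET's code): look for the four
# OSX/Proton indicators listed above. The optional root prefix is an
# assumption so the check can be run against a constructed tree.

PROTON_INDICATORS="/tmp/Updater.app
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand
/Library/.rand/updateragent.app"

# check_proton_indicators [ROOT]
# Prints every indicator that exists under ROOT (default: the real
# filesystem) and returns the number found, so 0 means none present.
# `test -e` sees hidden dot-directories that the Finder does not show.
check_proton_indicators() {
    root="${1:-}"
    found=0
    for p in $PROTON_INDICATORS; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            found=$((found + 1))
        fi
    done
    return "$found"
}

# When executed directly, scan the live system: an exit status of 0
# means none of the indicators were found.
check_proton_indicators "${1:-}"
```

Finding any of the paths is only an indicator; the post's advice on reinstalling still applies regardless of what a partial clean-up removes.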

Steps to rid your system of this Malware

  • A total system OS reinstall is the only guaranteed way to completely rid your system of this malware. This is the standard procedure for any system compromise involving the administrator account.

Please be advised that other information on your system may also have been affected; take appropriate measures to invalidate it.


  • jerome71

    You should definitely:
    – be more explicit about what a “total system OS reinstall” is. I understand it as re-installing OS X / macOS, which is about a 45 minute procedure on my MacBook Pro and during which you do not lose any data. Some incompetents, such as clickbait theregister, understand that as “users should wipe their Macs”, which is very different,
    – explain how the average user can check the presence of the 4 files and folders which reveal the presence of the malware, especially since a “.rand” folder would be invisible in the Finder.

    Your article is at the moment creating more confusion than anything.

  • Toxa

    Hey, do you know when these packages were compromised?

  • Eltima Team

    On 19th of October before 3:15pm EDT our servers were hacked by Proton Rat.

  • Eltima Team

    Read this guide on how to check your Mac: welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/

  • Khalid Abdullah


    I found these files and I didn’t download any of your apps, I just have the extension on Safari for Folx. Does this mean I’m infected?

    And about this /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
    it says there are no files found.

  • Séby

    Never trust you again

  • B C

    Eltima… Unless it’s been filtered in my inbox, you really should inform your customers about this situation. I’m a paying customer and should not have to find out about this breach from a third party blog. Further to the post below, you should really provide a proper set of instructions to those who are not expert users – redirecting someone to the same page you cut and paste from is insufficient. Apologies if I’m telling you how to run your business, but so far the optics of your actions are terrible…

  • Eltima Team

    No, you are not infected.

  • Eltima Team

    We understand your concerns, however, no company is 100% shielded from a cyber attack nowadays. We have exerted all possible efforts to eliminate the breach in the shortest terms and make sure that it won’t happen again in the future.

  • Séby

    At least you can make a simple script embedded in an app to help people get rid of the malware that you gave to them (or embed that in the new version of your player)? How many customers do you think are able to do a clean system wipe? Or even go to the Library folder? Just help people to erase your mistakes, and not just write some “now it’s OK, reinstall macOS” on your blog that nobody is actually reading.

  • Eltima Team

    The reason we have not informed users is that we do not have a mechanism that would allow us to track those people who downloaded either Folx or Elmedia Player from our website when the apps were infected (on the 19th of October from 8 a.m. till 3:15 p.m. EDT).

    The instructions given in our blog are provided by ESET and are the optimal way to cure the infected machine.

  • Eltima Team

    We are terribly sorry, but as it was stated in the ESET article, the only way to clean an infected Mac is to reinstall the system. Other alternative ways won’t work.

  • Séby

    That’s why when my friends come to me to clean their Mac, I just install IINA player or VLC for them if they want. Your software isn’t worth the trouble.

  • B C

    Don’t think you understand the point. You have customers who may have been compromised because your server got hacked. Least you could do would be to send out an email to any registered users; “Hey, we’re sorry but we got hacked. This is how to check for the malware, probably weren’t affected, but we care about you guys and wanted to give you a heads up just in case that you were the unlucky 0.0001%”. Understand you don’t want to worry people unnecessarily, but considering the potential harm in this form of data loss you want to get the word out. Further, you’d probably want to help with a script (to at least detect it) or more detailed instructions (“hit CMD-CTRL-G in finder, type in ~/Library/”, etc). Everyone gets hacked, Equifax, Home Depot, etc. We get it, but should find ways to help your customers better.

  • redarx

    Exactly, it’s not like you don’t have ours on record. Every little bit of communication goes a long way to build trust and rapport. Especially since this is a really serious issue for customers who really are infected.

  • Eltima Team

    One of our company’s fundamentals is relationship building based on trust with every user. Thank you for drawing our attention to these issues.