Clean up infected HandBrake (1.0.7) for macOS
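#!/bin/bash
###
# Clean up infected HandBrake (1.0.7) for macOS
# Note that this script is WIP and does not remove all the traces of the malware
# e.g. reverting /etc/sudoers back to previous state is left out here
# Based on the information posted here:
# - https://forum.handbrake.fr/viewtopic.php?f=33&t=36364
# - https://objective-see.com/blog/blog_0x1D.html
# Requirements:
# - macOS 10.11 or higher
# - root privileges
# - expects that HandBrake binary is in /Applications
# Usage: sudo ./cleanup_handbrake.sh
#
# The script needs bash, not /bin/sh: it uses [[ ]] and local variables.
###
# Unset variables are a bug. -e is deliberately NOT set: pkill and rm return
# non-zero when there is nothing to kill or delete, and the cleanup must carry
# on through the remaining steps regardless.
set -u
# Make sure globbing works (needed for the *.zip removal below)
set +f

handbrake_process="HandBrake"
handbrake_path="/Applications/HandBrake.app"
handbrake_binary="/Applications/HandBrake.app/Contents/MacOS/HandBrake"
activity_agent_process="activity_agent"
activity_agent_path="Library/RenderFiles/activity_agent.app"
video_frameworks_path="Library/VideoFrameworks"
launch_agent_path="Library/LaunchAgents/fr.handbrake.activity_agent.plist"
tmp_path="/private/tmp/HandBrake.app"
cert_path="/private/tmp/public.pem"
# SHA-1 (shasum default algorithm) of the trojanised HandBrake binary,
# taken from the sources listed above
bad_shasum="a8ea82ee767091098b0e275a80d25d3bc79e0cea"
###
# Full paths to every tool, so the script does not depend on PATH
# (PATH is not trustworthy on a machine that may be compromised)
dscl_cmd="/usr/bin/dscl"
grep_cmd="/usr/bin/grep"
rm_cmd="/bin/rm"
awk_cmd="/usr/bin/awk"
launchctl_cmd="/bin/launchctl"
pgrep_cmd="/usr/bin/pgrep"
pkill_cmd="/usr/bin/pkill"
shasum_cmd="/usr/bin/shasum"
###

#######################################
# Check the installed HandBrake binary against the known-bad hash and delete
# the whole app bundle (after killing the process) when it matches.
# Globals:   handbrake_path, handbrake_binary, handbrake_process, bad_shasum,
#            shasum_cmd, awk_cmd, pkill_cmd, rm_cmd (all read)
# Arguments: none
# Outputs:   progress messages to stdout
# Returns:   0 when nothing to do or the app is clean; status of rm otherwise
#######################################
clean_handbrake_app() {
  local app_shasum
  [[ -d "${handbrake_path}" ]] || return 0
  # Without this check shasum would fail and an empty hash would be reported
  # as "ok"
  if [[ ! -f "${handbrake_binary}" ]]; then
    echo "HandBrake binary not found at ${handbrake_binary}, cannot verify shasum"
    return 0
  fi
  app_shasum=$("$shasum_cmd" "${handbrake_binary}" | "$awk_cmd" '{print $1}')
  # Delete app if shasum matches (quoted RHS: literal compare, not a pattern)
  if [[ "$app_shasum" == "$bad_shasum" ]]; then
    echo "Installed HandBrake is malicious, shasum: $app_shasum"
    echo "Killing $handbrake_process process"
    "$pkill_cmd" "$handbrake_process"
    echo "Deleting ${handbrake_path}"
    "$rm_cmd" -rf "${handbrake_path}"
  else
    echo "Installed HandBrake is ok, shasum: $app_shasum"
  fi
}

#######################################
# Remove the malware's per-user artefacts from one account's home folder:
# the activity_agent app, its LaunchAgent (unloaded first, as that user) and
# the zip files dropped in Library/VideoFrameworks.
# Globals:   dscl_cmd, awk_cmd, launchctl_cmd, rm_cmd, activity_agent_path,
#            launch_agent_path, video_frameworks_path (all read)
# Arguments: $1 - account short name as listed by dscl
# Outputs:   progress messages to stdout
# Returns:   0 when the account is skipped; status of the last rm otherwise
#######################################
clean_user_home() {
  local shortname=$1
  local user_id home_folder
  user_id=$("$dscl_cmd" . -read "/Users/${shortname}" UniqueID | "$awk_cmd" '{print $2}')
  home_folder=$("$dscl_cmd" . -read "/Users/${shortname}" NFSHomeDirectory | "$awk_cmd" '{print $2}')
  # Skip if user home folder value is '/var/empty' or missing
  if [[ "${home_folder}" == "/var/empty" ]]; then
    return 0
  fi
  if [[ -z "${home_folder}" ]]; then
    echo "Could not get NFSHomeDirectory value for ${shortname}"
    return 0
  fi
  # Delete malicious app in Library/RenderFiles folder
  if [[ -d "${home_folder}/${activity_agent_path}" ]]; then
    echo "Deleting ${home_folder}/${activity_agent_path}"
    "$rm_cmd" -rf "${home_folder}/${activity_agent_path}"
  fi
  # Unload Launch Agent (in the user's launchd context) and delete it
  if [[ -f "${home_folder}/${launch_agent_path}" ]]; then
    echo "Unloading ${home_folder}/${launch_agent_path}"
    "$launchctl_cmd" asuser "$user_id" "$launchctl_cmd" unload "${home_folder}/${launch_agent_path}"
    echo "Deleting ${home_folder}/${launch_agent_path}"
    "$rm_cmd" -f "${home_folder}/${launch_agent_path}"
  fi
  # Delete zip files in Library/VideoFrameworks folder; the glob is left
  # unquoted on purpose, rm -f stays quiet when nothing matches
  if [[ -d "${home_folder}/${video_frameworks_path}" ]]; then
    echo "Deleting zip files in ${home_folder}/${video_frameworks_path}"
    "$rm_cmd" -f "${home_folder}/${video_frameworks_path}"/*.zip
  fi
}

#######################################
# Delete the staging files the malware leaves in /private/tmp.
# Globals:   tmp_path, cert_path, rm_cmd (all read)
# Arguments: none
# Outputs:   progress messages to stdout
# Returns:   status of the last rm, 0 when nothing was there
#######################################
clean_tmp_files() {
  if [[ -d "${tmp_path}" ]]; then
    echo "Deleting ${tmp_path}"
    "$rm_cmd" -rf "${tmp_path}"
  fi
  if [[ -f "${cert_path}" ]]; then
    echo "Deleting ${cert_path}"
    "$rm_cmd" -f "${cert_path}"
  fi
}

#######################################
# Entry point: kill the agent process, check the app, clean every local
# user's home folder, then /private/tmp.
# Globals:   pkill_cmd, dscl_cmd, grep_cmd, activity_agent_process (read)
# Arguments: none
# Outputs:   progress messages to stdout, errors to stderr
# Returns:   1 when not running as root; otherwise status of the final step
#######################################
main() {
  local shortname
  # dscl reads, launchctl asuser and rm -rf in other users' homes all need root
  if [[ "$EUID" -ne 0 ]]; then
    echo "This script must be run as root" >&2
    return 1
  fi
  # Kill malicious activity_agent process
  # "$pgrep_cmd" "$activity_agent_process"
  "$pkill_cmd" "$activity_agent_process"
  # Check binary shasum
  clean_handbrake_app
  # Get user accounts. Only names starting with '_' are macOS service
  # accounts; filtering on '_' anywhere would skip real users such as
  # "john_doe". Reading line by line avoids word-splitting/globbing on names.
  "$dscl_cmd" . list /Users | "$grep_cmd" -v '^_' | while IFS= read -r shortname; do
    case "$shortname" in
      root|nobody|daemon) continue ;;
    esac
    clean_user_home "$shortname"
  done
  # Delete files in /tmp
  clean_tmp_files
}

main "$@"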