Clean up infected HandBrake (1.0.7) for macOS

clean_up_infected_handbrake.sh

#!/bin/sh

###

# Clean up infected HandBrake (1.0.7) for macOS

# Note that this script is WIP and does not remove all the traces of the malware
# e.g. reverting /etc/sudoers back to previous state is left out here

# Based on the information posted here: 
# - https://forum.handbrake.fr/viewtopic.php?f=33&t=36364
# - https://objective-see.com/blog/blog_0x1D.html

# Requirements:
# - macOS 10.11 or higher
# - root privileges
# - expects that HandBrake binary is in /Applications

###

handbrake_process="HandBrake"
handbrake_path="/Applications/HandBrake.app"
handbrake_binary="/Applications/HandBrake.app/Contents/MacOS/HandBrake"
activity_agent_process="activity_agent"
activity_agent_path="Library/RenderFiles/activity_agent.app"
video_frameworks_path="Library/VideoFrameworks"
launch_agent_path="Library/LaunchAgents/fr.handbrake.activity_agent.plist"
tmp_path="/private/tmp/HandBrake.app"
cert_path="/private/tmp/public.pem"
bad_shasum="a8ea82ee767091098b0e275a80d25d3bc79e0cea"

###

dscl_cmd="/usr/bin/dscl"
grep_cmd="/usr/bin/grep"
rm_cmd="/bin/rm"
awk_cmd="/usr/bin/awk"
launchctl_cmd="/bin/launchctl"
pgrep_cmd="/usr/bin/pgrep"
pkill_cmd="/usr/bin/pkill"
shasum_cmd="/usr/bin/shasum"

###

# Kill malicious activity_agent process
# $pgrep_cmd $activity_agent_process
$pkill_cmd $activity_agent_process

# Check binary shasum
if [[ -d ${handbrake_path} ]]; then
    app_shasum=$($shasum_cmd ${handbrake_binary} | $awk_cmd '{print $1}')

    # Delete app if shasum matches
    if [[ $app_shasum == $bad_shasum ]]; then
        echo "Installed HandBrake is malicious, shasum: $app_shasum"
        echo "Killing $handbrake_process process"
        $pkill_cmd $handbrake_process
        echo "Deleting ${handbrake_path}"
        $rm_cmd -rf ${handbrake_path}
    else
        echo "Installed HandBrake is ok, shasum: $app_shasum"
    fi
fi

# Get user accounts
userlist=$($dscl_cmd . list /Users | $grep_cmd -v '_')

set +f		# Just to make sure globbing works

# Clean up user home folders from crud
for shortname in ${userlist}; do
    if [[ "$shortname" != "root" ]] && [[ "$shortname" != "nobody" ]] && [[ "$shortname" != "daemon" ]]; then
        # echo $shortname

        user_id=$($dscl_cmd . -read /Users/$shortname UniqueID | $awk_cmd '{print $2}')
        home_folder=$($dscl_cmd . -read /Users/$shortname NFSHomeDirectory | $awk_cmd '{print $2}')

        # Skip if user home folder value is '/var/empty' or missing
        if [[ ${home_folder} == "/var/empty" ]]; then continue; fi
        if [[ ${home_folder} == "" ]]; then echo "Could not get NFSHomeDirectory value for ${shortname}"; continue; fi

        # echo ${user_id}
        # echo ${home_folder}

        # Delete malicious app in Library/RenderFiles folder
        if [[ -d "${home_folder}/${activity_agent_path}" ]]; then
            echo "Deleting ${home_folder}/${activity_agent_path}"
            $rm_cmd -rf "${home_folder}/${activity_agent_path}"
        fi

        # Unload Launch Agent and delete it
        if [[ -f "${home_folder}/${launch_agent_path}" ]]; then
            echo "Unloading ${home_folder}/${launch_agent_path}"
            $launchctl_cmd asuser $user_id $launchctl_cmd unload "${home_folder}/${launch_agent_path}"
            echo "Deleting ${home_folder}/${launch_agent_path}"
            $rm_cmd -f "${home_folder}/${launch_agent_path}"
        fi

        # Delete zip files in Library/VideoFrameworks folder
        if [[ -d "${home_folder}/${video_frameworks_path}" ]]; then
            echo "Deleting zip files in ${home_folder}/${video_frameworks_path}"
            $rm_cmd -f ${home_folder}/${video_frameworks_path}/*.zip
        fi
    fi
done

# Delete files in /tmp
if [[ -d "${tmp_path}" ]]; then
    echo "Deleting ${tmp_path}"
    $rm_cmd -rf ${tmp_path}
fi

if [[ -f "${cert_path}" ]]; then
    echo "Deleting ${cert_path}"
    $rm_cmd -f ${cert_path}
fi

exit $?