
Daksani

macrumors newbie
Original poster
Jan 18, 2025
I am having what I believe to be a malware issue that is persisting between Configurator restores. I've tried to explain to the Apple Store and to support on the phone but I'm not getting anywhere. I come from a Linux background but I am new to macOS and I fear I know just enough to see that there is a problem without being able to properly articulate what the issue is. I was recently hacked in a pretty bad way that took down my personal network of about 10 nodes and I'm trying to recover from it but I can't seem to get the MacBooks cleaned no matter what I do.

I think (?) what is happening is that the SSV is somehow compromised and persisting through Configurator restores. I keep finding language input files in /var/root/Library/Daemon Container. Normally this wouldn't be all that odd but they're the only input language files that are in there. I also see them running here:

loginwind 1152 daksani txt REG 1,13 20236 1152921500312187653 /System/Library/Input Methods/JapaneseIM-KanaTyping.app/Contents/PlugIns/JapaneseIM-KanaTyping.appex/Contents/Resources/InfoPlist.loctable

loginwind 1152 daksani txt REG 1,13 17587 1152921500312188111 /System/Library/Input Methods/KoreanIM.app/Contents/PlugIns/KIM_Extension.appex/Contents/Resources/InfoPlist.loctable

loginwind 1152 daksani txt REG 1,13 9170 1152921500312189417 /System/Library/Input Methods/VietnameseIM.app/Contents/PlugIns/VIM_Extension.appex/Contents/Resources/InfoPlist.loctable


These appear to be VIM and KIM extensions and yet I'm very particular about not using VIM as I use nano.

The system also appears to be using a very large amount of RAM when idle. While I have downloaded some applications, 25 GB of RAM usage seems excessive for 2 tabs in Safari and 2 windows of iTerm2. I ran EtreCheck Pro and found the following:

Top Processes Snapshot by Memory:
Process (count) RAM usage (Source - Location)
com.apple.WebKit.WebContent (7) 2.34 GB (Apple)
EtreCheckPro 1.42 GB (Etresoft, Inc.)
iTerm2 957 MB (GEORGE NACHMAN)
MTLCompilerService (31) 689 MB (Apple)
mediaanalysisd 663 MB (Apple)


MTLCompilerService seems out of place unless it's linked to Apple Intelligence? This is fresh from a Configurator run from a couple of hours ago today and I haven't downloaded any development tools like WebKit or MTL, etc. I'm not really even sure what most of these are outside of iTerm2 and EtreCheck. I also found something called 'Sharing 5', unsigned, that I'm also not sure of:

Top Processes Snapshot by Energy Use:
Process (count) Energy (0-100) (Source - Location)
WindowServer 13 (Apple)
Sharing 5 (Not signed)
RTProtectionDaemon 4 (Malwarebytes Corporation)
iconservicesagent (2) 2 (Apple)
iTerm2 2 (GEORGE NACHMAN)


Here's the full Etre Report.

https://************/ehquq

If anyone can help with removal or at least how to approach this with Apple, I'd be greatly appreciative.
 
  • Haha
Reactions: cateye
These appear to be VIM and KIM extensions and yet I'm very particular about not using VIM as I use nano.
"VIM" in this context is "Vietnamese Input Method" and has nothing to do with the vim editor. Those files are completely normal.

MTLCompilerService seems out of place unless it's linked to Apple Intelligence? This is fresh from Configurator run from a couple of hours ago today and I haven't downloaded any development tools like WebKit or MTL, etc.
MTLCompilerService is part of the graphics subsystem, and again is normal.

Here's the full Etre Report.
You've linked to a prohibited site, but I've put the report below:

Code:
EtreCheckPro version: 6.8.7 (68068)
Report generated: 2025-01-18 20:01:47
Download EtreCheckPro from https://etrecheck.com
Runtime: 1:37
Performance: Excellent
Problem: Beachballing
Description: 
Random Languages like Vietnamese, Korean, and Chinese keep appearing. 
Believe the SSV might have been compromised and I can’t get rid of it.
Feel free to contact me with any advice as I know something is wrong but I can't get through to apple to explain to them that there is a problem. 
Email: (removed)
 
Major Issues: None
Minor Issues:
  These issues do not need immediate attention but they may indicate future problems or opportunities for improvement. 
  No Time Machine backup - Time Machine backup not found.
  Heavy RAM usage - Apps are using a large amount of RAM.
  Apps crashing - There have been numerous app crashes.
  Limited permissions - More information may be available with Full Disk Access.
Hardware Information:
  MacBook Pro (14-inch, 2024)
    Status: Supported
  MacBook Pro Model: Mac16,8
  Apple M4 Pro CPU: 14-core
  48 GB RAM - Not upgradeable
  Battery: Health = Normal - Cycle count = 20
Video Information:
  Apple M4 Pro
    Color LCD 3024 x 1964
Drives:
  disk0 - APPLE SSD AP1024Z 1.00 TB (Solid State - TRIM: Yes) 
  Internal Apple Fabric NVM Express
    disk0s1 [APFS Container] 524 MB
      disk1 [APFS Virtual drive] 524 MB (Shared by 4 volumes)
        disk1s1 - iSCPreboot (APFS) [APFS Preboot] (6 MB used)
        disk1s2 - xART (APFS) (6 MB used)
        disk1s3 - Hardware (APFS) (3 MB used)
        disk1s4 - Recovery (APFS) [Recovery] (20 KB used)
    disk0s2 [APFS Container] 994.66 GB
      disk3 [APFS Virtual drive] 994.66 GB (Shared by 6 volumes)
        disk3s1 (APFS) [Core Storage Container] (11.20 GB used)
          disk3s1s1 - Macintosh HD (APFS) (11.20 GB used)
        disk3s2 - Preboot (APFS) [APFS Preboot] (5.95 GB used)
        disk3s3 - Recovery (APFS) [Recovery] (1.04 GB used)
        disk3s4 - Update (APFS) (90 KB used)
        disk3s5 - Data (APFS) [APFS Virtual drive] (35.06 GB used)
        disk3s6 - VM (APFS) [APFS VM] (20 KB used)
    disk0s3 [APFS Container] 5.37 GB
      disk2 [APFS Virtual drive] 5.37 GB (Shared by 2 volumes)
        disk2s1 - Recovery (APFS) [Recovery] (1.04 GB used)
        disk2s2 - Update (APFS) (25 KB used)
  disk5 - Apple Disk Image 274 MB (Disk Image) 
  External Virtual Interface
    disk5s1 [Partition Map] 31 KB
    disk5s2 - S*********s (Mac OS Extended) 274 MB
Mounted Volumes:
  disk1s1 - iSCPreboot [APFS Preboot]
    Filesystem: APFS
    Mount point: /System/Volumes/iSCPreboot
    Used: 6 MB
    Shared values
      Size: 524 MB
      Free: 505 MB
  disk1s2 - xART
    Filesystem: APFS
    Mount point: /System/Volumes/xarts
    Used: 6 MB
    Shared values
      Size: 524 MB
      Free: 505 MB
  disk1s3 - Hardware
    Filesystem: APFS
    Mount point: /System/Volumes/Hardware
    Used: 3 MB
    Shared values
      Size: 524 MB
      Free: 505 MB
  disk2s2 - Update
    Filesystem: APFS
    Mount point: /private/tmp/tmp-mount-RCqon9
    Used: 25 KB
    Shared values
      Size: 5.37 GB
      Free: 4.31 GB
  disk3s1s1 - Macintosh HD
    Filesystem: APFS
    Mount point: /
    Read-only: Yes
    Used: 11.20 GB
    Shared values
      Size: 994.66 GB
      Free: 941.21 GB
      Available: 946.35 GB
  disk3s2 - Preboot [APFS Preboot]
    Filesystem: APFS
    Mount point: /System/Volumes/Preboot
    Used: 5.95 GB
    Shared values
      Size: 994.66 GB
      Free: 941.21 GB
      Available: 946.35 GB
  disk3s3 - Recovery [Recovery]
    Filesystem: APFS
    Mount point: /Volumes/Recovery
    Used: 1.04 GB
    Shared values
      Size: 994.66 GB
      Free: 941.21 GB
      Available: 946.35 GB
  disk3s4 - Update
    Filesystem: APFS
    Mount point: /System/Volumes/Update
    Used: 90 KB
    Shared values
      Size: 994.66 GB
      Free: 941.21 GB
      Available: 946.35 GB
  disk3s5 - Data [APFS Virtual drive]
    Filesystem: APFS
    Mount point: /System/Volumes/Data
    Encrypted
    Used: 35.06 GB
    Shared values
      Size: 994.66 GB
      Free: 941.21 GB
      Available: 946.35 GB
  disk3s6 - VM [APFS VM]
    Filesystem: APFS
    Mount point: /System/Volumes/VM
    Used: 20 KB
    Shared values
      Size: 994.66 GB
      Free: 941.21 GB
      Available: 946.35 GB
USB:
  USB 3.1 bus
    <Empty>
  USB 3.1 bus
    <Empty>
  USB 3.1 bus
    <Empty>
Network:
  Interface en4: Ethernet Adapter (en4)
  Interface en5: Ethernet Adapter (en5)
  Interface en6: Ethernet Adapter (en6)
  Interface en0: Wi-Fi
    802.11 a/b/g/n/ac/ax
  Firewall:
    Blocked apps: All
    Stealth mode: enabled
System Software:
  macOS Sequoia 15.2 (24C101) 
  Time since boot: About 4 hours
Security:
  Gatekeeper: App Store and identified developers
  System Integrity Protection: Enabled
  Secure Boot: Full Security
  Antivirus software: Apple and Malwarebytes
System Extensions:
  [Not Loaded] Malwarebytes Engine - version 5.9.0 (Malwarebytes Corporation - installed 2025-01-18)
    Application: /Applications/Malwarebytes.app - version 5.9.0 (Malwarebytes Corporation - installed 2025-01-18)
    Description: The Malwarebytes Engine extension manages your connection to the Malwarebytes VPN service.
System Launch Daemons:
  [Not Loaded]  43 Apple tasks
  [Loaded]  186 Apple tasks
  [Running]  179 Apple tasks
  [Other]  2 Apple tasks
System Launch Agents:
  [Not Loaded]  22 Apple tasks
  [Loaded]  200 Apple tasks
  [Running]  224 Apple tasks
Launch Daemons:
  [Running] com.malwarebytes.mbam.rtprotection.daemon.plist (Malwarebytes Corporation - installed 2025-01-18)
    Command: /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/MacOS/RTProtectionDaemon -i Malwarebytes-Mac-5.9.0.1975.pkg
  [Running] com.malwarebytes.mbam.settings.daemon.plist (Malwarebytes Corporation - installed 2025-01-18)
    Executable: /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/SettingsDaemon.app/Contents/MacOS/SettingsDaemon
Launch Agents:
  [Running] com.malwarebytes.mbam.frontend.agent.plist (Malwarebytes Corporation - installed 2025-01-18)
    Executable: /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/FrontendAgent.app/Contents/MacOS/FrontendAgent
User Login Items:
  [Not Loaded] PasswordsMenuBarExtra (Apple - installed 2024-12-07)
    Modern Login Item
    /System/Applications/Passwords.app/Contents/Library/LoginItems/PasswordsMenuBarExtra.app
  [Running] WeatherMenu (Apple - installed 2024-12-07)
    Modern Login Item
    /System/Applications/Weather.app/Contents/Library/LoginItems/WeatherMenu.app
Applications:
  778 Apple apps
  29 3rd party apps
  6 x86-only apps
  No unsigned apps
App Extensions:
  Ad-blockers:
    [Loaded] Blocklist 2 - /Applications/Wipr.app
    [Loaded] Blocklist 4 - /Applications/Wipr.app
    [Loaded] Blocklist 1 - /Applications/Wipr.app
    [Loaded] Blocklist 3 - /Applications/Wipr.app
  Share services:
    [Loaded] Wipr - /Applications/Wipr.app
  Safari extensions:
    [Loaded] BrowserMask - /Applications/BrowserMask.app
    [Loaded] Obsidian Web Clipper Extension - /Applications/Obsidian Web Clipper.app
    [Loaded] Wipr Extra - /Applications/Wipr.app
    [Loaded] Safari Extension - /Applications/Proton Pass for Safari.app
  QuickLook Previews:
    [Loaded] EtreCheckQuickLook - ~/Downloads/EtreCheckPro.app
      com.etresoft.etrecheck4 *.etrecheck
Backup:
  Time Machine information is limited without Full Disk Access
Performance:
  System Load: 2.57 (1 min ago) 4.08 (5 min ago) 4.19 (15 min ago)
  Nominal I/O usage: 0.08 MB/s
  File system: 5.93 seconds
  Write speed: 6584 MB/s
  Read speed: 3750 MB/s
CPU Usage Snapshot:
  Type Overall
  System: 4 %
  User: 5 %
  Idle: 91 %
Top Processes Snapshot by CPU:
  Process (count) CPU (Source - Location)
  WindowServer 36.74 % (Apple)
  EtreCheckPro 17.36 % (Etresoft, Inc.)
  kernel_task 13.10 % (Apple)
  Safari 5.64 % (Apple)
  iTerm2 4.32 % (GEORGE NACHMAN)
Top Processes Snapshot by Memory:
  Process (count) RAM usage (Source - Location)
  com.apple.WebKit.WebContent (7) 2.34 GB (Apple)
  EtreCheckPro 1.42 GB (Etresoft, Inc.)
  iTerm2 957 MB (GEORGE NACHMAN)
  MTLCompilerService (31) 689 MB (Apple)
  mediaanalysisd 663 MB (Apple)
Top Processes Snapshot by Network Use:
  Process (count) Input / Output (Source - Location)
  com.apple.WebKit.Networking 2 MB / 22 KB (Apple)
  mDNSResponder 1 MB / 355 KB (Apple)
  apsd 74 KB / 439 KB (Apple)
  rapportd 90 KB / 280 KB (Apple)
  trustd 18 KB / 3 KB (Apple)
Top Processes Snapshot by Energy Use:
  Process (count) Energy (0-100) (Source - Location)
  WindowServer 13 (Apple)
  Sharing 5 (Not signed)
  RTProtectionDaemon 4 (Malwarebytes Corporation)
  iconservicesagent (2) 2 (Apple)
  iTerm2 2 (GEORGE NACHMAN)
Virtual Memory Information:
  Physical RAM: 48 GB
  Free RAM: 121 MB
  Used RAM: 18.53 GB
  Cached files: 29.35 GB
  Available RAM: 29.47 GB
  Swap Used: 0 B
Software Installs (past 60 days):
  Install Date Name (Version)
  2025-01-18 macOS 15.2 (15.2)
  2025-01-18 Proton Pass for Safari (1.27.2)
  2025-01-18 Malwarebytes for Mac (1.0)
  2025-01-18 MRTConfigData (1.93)
  2025-01-18 XProtectPlistConfigData (5285)
  2025-01-18 Gatekeeper Compatibility Data (1.0)
  2025-01-18 XProtectPayloads (149)
  2025-01-18 Wipr (2.2)
  2025-01-18 BrowserMask (1.2)
  2025-01-18 Obsidian Web Clipper (0.10.7)
  2025-01-18 SF Mono Fonts (6.0.1.1726709071)
Diagnostics Information (past 60 days):
  2025-01-18 19:22:30 lsd Crash (14 times)
    First occurrence: 2025-01-18 13:00:50
    Executable: /usr/libexec/lsd
  2025-01-18 16:50:55 spotlightknowledged High CPU Use
    Executable: /System/Library/Frameworks/CoreSpotlight.framework/spotlightknowledged
  2025-01-18 16:09:25 bluetoothuserd Crash (2 times)
    Executable: /usr/libexec/bluetoothuserd

End of report
 
You obviously have far more computer knowledge than me, but your experience is completely against what I understand is possible... that the SSV is compromised. If the SSV fails the intensive verification carried out on every boot, the machine will not start. As in this article for example:

“The fact that a Mac can boot normally therefore guarantees that the kernel, firmware and software are exactly as intended. This is extended to the entire contents of the System volume by the SSV, using a tree of cryptographic hashes to verify them down to the last bit. Apple details this here for IT2, here for AS, and here for the SSV on both.”
 
Last edited:
  • Like
Reactions: Saturn007
I fear I know just enough to see that there is a problem

Sorry but I'm afraid that in this case you don't know nearly enough to be able to draw any conclusions.

KIM and VIM are Korean and Vietnamese Input Methods, isn't it obvious that these aren't related to "vim" the editor? Or is there another editor called "kim"? It even says "JapaneseIM" on the line above.

It takes 10 seconds to search for "MTLCompilerService" on the web and find out what it is.
Neither WebKit nor MTL are "development tools", the former is a browser engine that Safari uses and the latter is an abbreviation sometimes used for Metal, Apple's graphics API.

Your system is most likely completely fine.
 
I was recently hacked in a pretty bad way that took down my personal network of about 10 nodes and I'm trying to recover from it but I can't seem to get the MacBooks cleaned no matter what I do.
Here we go again, same fantastical stories about hacking from a newly created account.
 
  • Like
Reactions: Brian33 and cateye
Here we go again, same fantastical stories about hacking from a newly created account.
I created the account in hopes to get help, I apologize for not replying sooner but I wasn't getting notifications. I wasn't even sure if it posted. Access to the internet is tough considering these attacks have knocked out all of my computers. Most of what I'm doing has to be done from my phone.


"VIM" in this context is "Vietnamese Input Method" and has nothing to do with the vim editor. Those files are completely normal.


MTLCompilerService is part of the graphics subsystem, and again is normal.


You've linked to a prohibited site, but I've put the report below:
(redacted for ease of reading)

End of report

Thank you for linking it, I couldn't figure out how to do it. I understand in that case what VIM means now, but I am finding .viminfo files in random places on my file system. These are files that would never be on my MacBook, and I found them on my Linux machines as well. So I've also found .vim plugins as well.

As for the MTLCompilerService, I do sort of understand what this means. I know MTL stands for Metal, which is the reason I got the MacBooks in the first place, but I didn't understand the context. I'm starting to suspect that they're using it for crypto mining, though I did find a rogue installation of Homebrew, a vector database, and a 'train' command that I didn't touch on a previous wipe, so it could be something related to AI.

Also I'm aware that this would normally be an innocuous thing; however, I keep seeing these kinds of 'input' methods grouped together under strange users when running lsof. I also found these language files for these specific languages in suspicious directories on my Arch Linux installation before they nuked the partitioning table.

Sorry but I'm afraid that in this case you don't know nearly enough to be able to draw any conclusions.

KIM and VIM are Korean and Vietnamese Input Methods, isn't it obvious that these aren't related to "vim" the editor? Or is there another editor called "kim"? It even says "JapaneseIM" on the line above.

It takes 10 seconds to search for "MTLCompilerService" on the web and find out what it is.
Neither WebKit nor MTL are "development tools", the former is a browser engine that Safari uses and the latter is an abbreviation sometimes used for Metal, Apple's graphics API.

Your system is most likely completely fine.


Please tell me what you need and I will provide what I can. I have an hour long video going through logs of suosmobileupdater applications and other stuff that appear to show them tampering with Malwarebytes installation and logging things like:
{
autoUpdate = false ;
buddy = false;
commandLine = true;
installTonight = false;
mdm = false;
notifications = false;
settings = false;
}

When I checked the quantize sqlite file using sqlite3, it said it wasn't a valid database file, almost like it had been encrypted. Then when I checked it a few minutes later, it was 0 KB and completely empty. I also ran:

codesign -dvv /Applications/Malwarebytes.app
which showed it signed by Malwarebytes Corporation, but when I ran:

spctl --assess --verbose /Applications/Malwarebytes.app

It showed it as untrusted or revoked or something by Developer ID. When I looked through the logs, the kernel showed it sandboxed, which didn't seem right for something like Malwarebytes. I removed it and tried to download it again but it looked like I was being redirected to a fake site. Not sure if it was legitimate, I decided to proxy off of my phone to ensure no DNS issues but found it resolving to an IPv4 address, whereas my work laptop would resolve IPv6. Now that could just be happenstance, but I didn't want to take any chances as I had already found them (and took a picture of them) trying to phish me using DNS hijacking and a fake 'protonvpn.com' website. Proton accounts are all tied together, so giving that away would've given away my email and password manager as well.

I'm positive I'm hacked, and I've submitted a security report to Apple due to the persistent nature of it between DFU + Configurator restores, but on the consumer level, Apple can't help me because this is technically impossible and you can't file warranty for software issues. So I'm kind of stuck in a catch-22.

Any advice would be greatly appreciated. At this point I'm suspicious that it may be in the recovery volume and that DFU+Config wipes aren't fully wiping it. Thus the reason for the security report. But if anyone knows how I can wipe this volume, please let me know. I've tried csrutil authenticated-root disable but it's tied to the kernel at process 0, so it makes it tough to remove.

Reason I was suspicious of the Malwarebytes redirection:
 
I'm positive I'm hacked, and I've submitted a security report to apple due to the persistent nature of it between DFU + Configurator restores but on the Consumer level, Apple can't help me because this is technically impossible and you can't file warranty for software issues. So I'm kind of stuck in a catch 22.
I can’t explain your issues but do not believe your SSV has been hacked. Repeating the key sentence from earlier:

“The fact that a Mac can boot normally therefore guarantees that the kernel, firmware and software are exactly as intended. This is extended to the entire contents of the System volume by the SSV, using a tree of cryptographic hashes to verify them down to the last bit. Apple details this here for IT2, here for AS, and here for the SSV on both.”

DFU Configurator Restores remove the system volume, the firmware and all hidden partitions, including Recovery, from the internal.
 
  • Like
Reactions: Daksani
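The SSV argument in this reply, and the earlier post's worries about /var/root, the Recovery volume and csrutil, both come down to which APFS volume a given file lives on: the sealed System volume is verified at boot, the Data volume is not. The following is an added example, not code from the thread or from Apple, that classifies the paths in lsof output by volume; it assumes the Catalina-and-later volume-group layout, the firmlink list is a constructed subset in the format of /usr/share/firmlinks, and the /var/root row in the sample is a made-up placeholder.

```python
"""Which volume does a path live on: the sealed System volume or Data?

Added example, not from the thread. Assumes the macOS volume-group layout:
the read-only System volume (/System, /usr, /bin, /sbin) is sealed by the SSV
and verified at boot, while the writable Data volume is reached through
firmlinks (listed in /usr/share/firmlinks on a Mac) and through the top-level
symlinks /etc, /tmp and /var, which point into /private on the Data volume.
"""
from collections import defaultdict

# Constructed subset of /usr/share/firmlinks ("<system path>\t<data path>").
SAMPLE_FIRMLINKS = """\
/Applications\tApplications
/Library\tLibrary
/System/Library/Caches\tSystem/Library/Caches
/Users\tUsers
/Volumes\tVolumes
/private\tprivate
/usr/local\tusr/local
/opt\topt
"""

# Symlinks that sit on the System volume but point into /private on Data.
PRIVATE_SYMLINKS = {"/etc": "/private/etc", "/tmp": "/private/tmp", "/var": "/private/var"}


def load_firmlinks(text: str) -> list[str]:
    """Return the system-side prefixes from text in the firmlinks-file format."""
    return [line.split("\t", 1)[0] for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def classify_path(path: str, firmlinks: list[str]) -> str:
    """'data' for the writable Data volume, 'system' for the SSV-sealed volume."""
    for link, target in PRIVATE_SYMLINKS.items():   # follow /var -> /private/var etc.
        if _under(path, link):
            path = target + path[len(link):]
            break
    if _under(path, "/System/Volumes/Data"):         # Data volume's own mount point
        return "data"
    if any(_under(path, prefix) for prefix in firmlinks):
        return "data"
    return "system"


def parse_lsof_line(line: str):
    """Split one lsof row into its columns; NAME may itself contain spaces."""
    parts = line.split(None, 8)
    if len(parts) < 9 or parts[0] == "COMMAND":     # short rows and the header
        return None
    return {"command": parts[0], "pid": int(parts[1]), "user": parts[2], "name": parts[8]}


def group_by_volume(lsof_text: str, firmlinks: list[str]) -> dict[str, list[str]]:
    """Map 'system' / 'data' to the sorted, de-duplicated paths seen in lsof output."""
    groups = defaultdict(set)
    for line in lsof_text.splitlines():
        row = parse_lsof_line(line)
        if row and row["name"].startswith("/"):      # skip sockets, pipes, kqueues
            groups[classify_path(row["name"], firmlinks)].add(row["name"])
    return {vol: sorted(paths) for vol, paths in groups.items()}


# Constructed lsof sample: the three rows quoted in the thread plus one made-up
# row under /var/root (placeholder path and process name, not a real finding).
SAMPLE_LSOF = """\
COMMAND   PID    USER FD  TYPE DEVICE SIZE/OFF NODE NAME
loginwind 1152 daksani txt REG 1,13 20236 1152921500312187653 /System/Library/Input Methods/JapaneseIM-KanaTyping.app/Contents/PlugIns/JapaneseIM-KanaTyping.appex/Contents/Resources/InfoPlist.loctable
loginwind 1152 daksani txt REG 1,13 17587 1152921500312188111 /System/Library/Input Methods/KoreanIM.app/Contents/PlugIns/KIM_Extension.appex/Contents/Resources/InfoPlist.loctable
loginwind 1152 daksani txt REG 1,13 9170 1152921500312189417 /System/Library/Input Methods/VietnameseIM.app/Contents/PlugIns/VIM_Extension.appex/Contents/Resources/InfoPlist.loctable
exampled  9999    root txt REG 1,15 4096 123456 /var/root/Library/Daemon Containers/PLACEHOLDER-UUID/Data/Library/Preferences/example.plist
"""

if __name__ == "__main__":
    for volume, paths in group_by_volume(SAMPLE_LSOF, load_firmlinks(SAMPLE_FIRMLINKS)).items():
        label = "SSV-verified at boot" if volume == "system" else "writable, not sealed"
        print(f"{volume} volume ({label}):")
        for p in paths:
            print("  ", p)
```

The three input-method files land on the System volume, which is what the boot-time SSV check covers; anything it reports on the Data side (LaunchDaemons under /Library, anything under /private, /usr/local) is outside that seal and is where a persistence review belongs.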
I can’t explain your issues but do not believe your SSV has been hacked. Repeating the key sentence from earlier:

“The fact that a Mac can boot normally therefore guarantees that the kernel, firmware and software are exactly as intended. This is extended to the entire contents of the System volume by the SSV, using a tree of cryptographic hashes to verify them down to the last bit. Apple details this here for IT2, here for AS, and here for the SSV on both.”

DFU Configurator Restores remove the system volume, the firmware and all hidden partitions, including Recovery, from the internal.
Yes, it really does seem unlikely. My sudo access was removed again so I'm not really sure where to go from there, but I can't get them out of my Macs. I was able to clean a Dell Inspiron with a minimal Linux distribution and logged it idle for a couple of hours. I can't really explain how it's happening, but I've gone through 5 routers technically so I don't think it's in the router. (They just bricked my 5G hotspot last night with a faulty firmware update.) My only other thought would be my phone, but that seems even more implausible.

You are entitled to an Apple Security Bounty reward payment $100,000 – $1,000,000
https://security.apple.com/bounty/categories/
Yes, I'm aware of the bounty, but I'm not a security researcher and have no idea how it works. Which is the problem I'm facing, unfortunately. I didn't figure it out, I'm just the victim of it, so I'm not sure if that entitles me to anything. I've already submitted a report, though I've never submitted anything like that before and I'm not sure if they have everything needed. It's not like they're going to fix it anytime soon, though; I've gone through so many restores, so I guess I can just pull whatever they need later. I would be thrilled just to get them replaced under warranty because of the wear and tear on the drive, but would be content with just being able to use them again.


I've been thinking of doing another DFU while running diagnostics/logging to get it back to a state I can work with and then take control of the laptop by having an LDAP controller ready to go and joining that domain immediately upon activation. This might be enough to prevent them from taking over the MacBooks until I can get Malwarebytes running on the machines. They seem to go after it (x9, not so much) immediately, so I'm assuming it catches the persistence mechanism or exploits. Anyway, I'll try to keep the thread updated if I make any progress, or with the diag output of the DFU restore.
 