
Daksani, macrumors newbie, Original poster, Jan 18, 2025
I am having what I believe to be a malware issue that is persisting between Configurator restores. I've tried to explain to the Apple Store and to support on the phone but I'm not getting anywhere. I come from a Linux background but I am new to MacOS and I fear I know just enough to see that there is a problem without being able to properly articulate what the issue is. I was recently hacked in a pretty bad way that took down my personal network of about 10 nodes and I'm trying to recover from it but I can't seem to get the MacBooks cleaned no matter what I do.

I think what is happening is that the SSV is somehow compromised and persisting through Configurator restores. I keep finding language input files in /var/root/Library/Daemon Container. Normally this wouldn't be all that odd, but they're the only input language files that are in there. I also see them running here:

loginwind 1152 daksani txt REG 1,13 20236 1152921500312187653 /System/Library/Input Methods/JapaneseIM-KanaTyping.app/Contents/PlugIns/JapaneseIM-KanaTyping.appex/Contents/Resources/InfoPlist.loctable

loginwind 1152 daksani txt REG 1,13 17587 1152921500312188111 /System/Library/Input Methods/KoreanIM.app/Contents/PlugIns/KIM_Extension.appex/Contents/Resources/InfoPlist.loctable

loginwind 1152 daksani txt REG 1,13 9170 1152921500312189417 /System/Library/Input Methods/VietnameseIM.app/Contents/PlugIns/VIM_Extension.appex/Contents/Resources/InfoPlist.loctable


These appear to be VIM and KIM extensions and yet I'm very particular about not using VIM as I use nano.

The system also appears to be using a very large amount of RAM when idle. While I have downloaded some applications, 25 GB of RAM usage seems excessive for 2 tabs in Safari and 2 windows of iTerm2. I ran EtreCheck Pro and found the following:

Top Processes Snapshot by Memory:
Process (count) RAM usage (Source - Location)
com.apple.WebKit.WebContent (7) 2.34 GB (Apple)
EtreCheckPro 1.42 GB (Etresoft, Inc.)
iTerm2 957 MB (GEORGE NACHMAN)
MTLCompilerService (31) 689 MB (Apple)
mediaanalysisd 663 MB (Apple)


MTLCompilerService seems out of place unless it's linked to Apple Intelligence? This is fresh from Configurator run from a couple of hours ago today and I haven't downloaded any development tools like WebKit or MTL, etc. I'm not really even sure what most of these are outside of iterm2 and etrecheck. I also found something called 'Sharing 5' unsigned that I'm also not sure of:

Top Processes Snapshot by Energy Use:
Process (count) Energy (0-100) (Source - Location)
WindowServer 13 (Apple)
Sharing 5 (Not signed)
RTProtectionDaemon 4 (Malwarebytes Corporation)
iconservicesagent (2) 2 (Apple)
iTerm2 2 (GEORGE NACHMAN)


Here's the full Etre Report.

https://************/ehquq

If anyone can help with removal or at least how to approach this with Apple, I'd be greatly appreciative.
 
These appear to be VIM and KIM extensions and yet I'm very particular about not using VIM as I use nano.
"VIM" in this context is "Vietnamese Input Method" and has nothing to do with the vim editor. Those files are completely normal.

MTLCompilerService seems out of place unless it's linked to Apple Intelligence? This is fresh from Configurator run from a couple of hours ago today and I haven't downloaded any development tools like WebKit or MTL, etc.
MTLCompilerService is part of the graphics subsystem, and again is normal.

Here's the full Etre Report.
You've linked to a prohibited site, but I've put the report below:

Code:
EtreCheckPro version: 6.8.7 (68068)
Report generated: 2025-01-18 20:01:47
Download EtreCheckPro from https://etrecheck.com
Runtime: 1:37
Performance: Excellent
Problem: Beachballing
Description: 
Random Languages like Vietnamese, Korean, and Chinese keep appearing. 
Believe the SSV might have been compromised and I can’t get rid of it.
Feel free to contact me with any advice as I know something is wrong but I can't get through to apple to explain to them that there is a problem. 
Email: (removed)
 
Major Issues: None
Minor Issues:
  These issues do not need immediate attention but they may indicate future problems or opportunities for improvement. 
  No Time Machine backup - Time Machine backup not found.
  Heavy RAM usage - Apps are using a large amount of RAM.
  Apps crashing - There have been numerous app crashes.
  Limited permissions - More information may be available with Full Disk Access.
Hardware Information:
  MacBook Pro (14-inch, 2024)
    Status: Supported
  MacBook Pro Model: Mac16,8
  Apple M4 Pro CPU: 14-core
  48 GB RAM - Not upgradeable
  Battery: Health = Normal - Cycle count = 20
Video Information:
  Apple M4 Pro
    Color LCD 3024 x 1964
Drives:
  disk0 - APPLE SSD AP1024Z 1.00 TB (Solid State - TRIM: Yes) 
  Internal Apple Fabric NVM Express
    disk0s1 [APFS Container] 524 MB
      disk1 [APFS Virtual drive] 524 MB (Shared by 4 volumes)
        disk1s1 - iSCPreboot (APFS) [APFS Preboot] (6 MB used)
        disk1s2 - xART (APFS) (6 MB used)
        disk1s3 - Hardware (APFS) (3 MB used)
        disk1s4 - Recovery (APFS) [Recovery] (20 KB used)
    disk0s2 [APFS Container] 994.66 GB
      disk3 [APFS Virtual drive] 994.66 GB (Shared by 6 volumes)
        disk3s1 (APFS) [Core Storage Container] (11.20 GB used)
          disk3s1s1 - Macintosh HD (APFS) (11.20 GB used)
        disk3s2 - Preboot (APFS) [APFS Preboot] (5.95 GB used)
        disk3s3 - Recovery (APFS) [Recovery] (1.04 GB used)
        disk3s4 - Update (APFS) (90 KB used)
        disk3s5 - Data (APFS) [APFS Virtual drive] (35.06 GB used)
        disk3s6 - VM (APFS) [APFS VM] (20 KB used)
    disk0s3 [APFS Container] 5.37 GB
      disk2 [APFS Virtual drive] 5.37 GB (Shared by 2 volumes)
        disk2s1 - Recovery (APFS) [Recovery] (1.04 GB used)
        disk2s2 - Update (APFS) (25 KB used)
  disk5 - Apple Disk Image 274 MB (Disk Image) 
  External Virtual Interface
    disk5s1 [Partition Map] 31 KB
    disk5s2 - S*********s (Mac OS Extended) 274 MB
Mounted Volumes:
  disk1s1 - iSCPreboot [APFS Preboot]
    Filesystem: APFS
    Mount point: /System/Volumes/iSCPreboot
    Used: 6 MB
    Shared values
      Size: 524 MB
      Free: 505 MB
  disk1s2 - xART
    Filesystem: APFS
    Mount point: /System/Volumes/xarts
    Used: 6 MB
    Shared values
      Size: 524 MB
      Free: 505 MB
  disk1s3 - Hardware
    Filesystem: APFS
    Mount point: /System/Volumes/Hardware
    Used: 3 MB
    Shared values
      Size: 524 MB
      Free: 505 MB
  disk2s2 - Update
    Filesystem: APFS
    Mount point: /private/tmp/tmp-mount-RCqon9
    Used: 25 KB
    Shared values
      Size: 5.37 GB
      Free: 4.31 GB
  disk3s1s1 - Macintosh HD
    Filesystem: APFS
    Mount point: /
    Read-only: Yes
    Used: 11.20 GB
    Shared values
      Size: 994.66 GB
      Free: 941.21 GB
      Available: 946.35 GB
  disk3s2 - Preboot [APFS Preboot]
    Filesystem: APFS
    Mount point: /System/Volumes/Preboot
    Used: 5.95 GB
    Shared values
      Size: 994.66 GB
      Free: 941.21 GB
      Available: 946.35 GB
  disk3s3 - Recovery [Recovery]
    Filesystem: APFS
    Mount point: /Volumes/Recovery
    Used: 1.04 GB
    Shared values
      Size: 994.66 GB
      Free: 941.21 GB
      Available: 946.35 GB
  disk3s4 - Update
    Filesystem: APFS
    Mount point: /System/Volumes/Update
    Used: 90 KB
    Shared values
      Size: 994.66 GB
      Free: 941.21 GB
      Available: 946.35 GB
  disk3s5 - Data [APFS Virtual drive]
    Filesystem: APFS
    Mount point: /System/Volumes/Data
    Encrypted
    Used: 35.06 GB
    Shared values
      Size: 994.66 GB
      Free: 941.21 GB
      Available: 946.35 GB
  disk3s6 - VM [APFS VM]
    Filesystem: APFS
    Mount point: /System/Volumes/VM
    Used: 20 KB
    Shared values
      Size: 994.66 GB
      Free: 941.21 GB
      Available: 946.35 GB
USB:
  USB 3.1 bus
    <Empty>
  USB 3.1 bus
    <Empty>
  USB 3.1 bus
    <Empty>
Network:
  Interface en4: Ethernet Adapter (en4)
  Interface en5: Ethernet Adapter (en5)
  Interface en6: Ethernet Adapter (en6)
  Interface en0: Wi-Fi
    802.11 a/b/g/n/ac/ax
  Firewall:
    Blocked apps: All
    Stealth mode: enabled
System Software:
  macOS Sequoia 15.2 (24C101) 
  Time since boot: About 4 hours
Security:
  Gatekeeper: App Store and identified developers
  System Integrity Protection: Enabled
  Secure Boot: Full Security
  Antivirus software: Apple and Malwarebytes
System Extensions:
  [Not Loaded] Malwarebytes Engine - version 5.9.0 (Malwarebytes Corporation - installed 2025-01-18)
    Application: /Applications/Malwarebytes.app - version 5.9.0 (Malwarebytes Corporation - installed 2025-01-18)
    Description: The Malwarebytes Engine extension manages your connection to the Malwarebytes VPN service.
System Launch Daemons:
  [Not Loaded]  43 Apple tasks
  [Loaded]  186 Apple tasks
  [Running]  179 Apple tasks
  [Other]  2 Apple tasks
System Launch Agents:
  [Not Loaded]  22 Apple tasks
  [Loaded]  200 Apple tasks
  [Running]  224 Apple tasks
Launch Daemons:
  [Running] com.malwarebytes.mbam.rtprotection.daemon.plist (Malwarebytes Corporation - installed 2025-01-18)
    Command: /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/MacOS/RTProtectionDaemon -i Malwarebytes-Mac-5.9.0.1975.pkg
  [Running] com.malwarebytes.mbam.settings.daemon.plist (Malwarebytes Corporation - installed 2025-01-18)
    Executable: /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/SettingsDaemon.app/Contents/MacOS/SettingsDaemon
Launch Agents:
  [Running] com.malwarebytes.mbam.frontend.agent.plist (Malwarebytes Corporation - installed 2025-01-18)
    Executable: /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/FrontendAgent.app/Contents/MacOS/FrontendAgent
User Login Items:
  [Not Loaded] PasswordsMenuBarExtra (Apple - installed 2024-12-07)
    Modern Login Item
    /System/Applications/Passwords.app/Contents/Library/LoginItems/PasswordsMenuBarExtra.app
  [Running] WeatherMenu (Apple - installed 2024-12-07)
    Modern Login Item
    /System/Applications/Weather.app/Contents/Library/LoginItems/WeatherMenu.app
Applications:
  778 Apple apps
  29 3rd party apps
  6 x86-only apps
  No unsigned apps
App Extensions:
  Ad-blockers:
    [Loaded] Blocklist 2 - /Applications/Wipr.app
    [Loaded] Blocklist 4 - /Applications/Wipr.app
    [Loaded] Blocklist 1 - /Applications/Wipr.app
    [Loaded] Blocklist 3 - /Applications/Wipr.app
  Share services:
    [Loaded] Wipr - /Applications/Wipr.app
  Safari extensions:
    [Loaded] BrowserMask - /Applications/BrowserMask.app
    [Loaded] Obsidian Web Clipper Extension - /Applications/Obsidian Web Clipper.app
    [Loaded] Wipr Extra - /Applications/Wipr.app
    [Loaded] Safari Extension - /Applications/Proton Pass for Safari.app
  QuickLook Previews:
    [Loaded] EtreCheckQuickLook - ~/Downloads/EtreCheckPro.app
      com.etresoft.etrecheck4 *.etrecheck
Backup:
  Time Machine information is limited without Full Disk Access
Performance:
  System Load: 2.57 (1 min ago) 4.08 (5 min ago) 4.19 (15 min ago)
  Nominal I/O usage: 0.08 MB/s
  File system: 5.93 seconds
  Write speed: 6584 MB/s
  Read speed: 3750 MB/s
CPU Usage Snapshot:
  Type Overall
  System: 4 %
  User: 5 %
  Idle: 91 %
Top Processes Snapshot by CPU:
  Process (count) CPU (Source - Location)
  WindowServer 36.74 % (Apple)
  EtreCheckPro 17.36 % (Etresoft, Inc.)
  kernel_task 13.10 % (Apple)
  Safari 5.64 % (Apple)
  iTerm2 4.32 % (GEORGE NACHMAN)
Top Processes Snapshot by Memory:
  Process (count) RAM usage (Source - Location)
  com.apple.WebKit.WebContent (7) 2.34 GB (Apple)
  EtreCheckPro 1.42 GB (Etresoft, Inc.)
  iTerm2 957 MB (GEORGE NACHMAN)
  MTLCompilerService (31) 689 MB (Apple)
  mediaanalysisd 663 MB (Apple)
Top Processes Snapshot by Network Use:
  Process (count) Input / Output (Source - Location)
  com.apple.WebKit.Networking 2 MB / 22 KB (Apple)
  mDNSResponder 1 MB / 355 KB (Apple)
  apsd 74 KB / 439 KB (Apple)
  rapportd 90 KB / 280 KB (Apple)
  trustd 18 KB / 3 KB (Apple)
Top Processes Snapshot by Energy Use:
  Process (count) Energy (0-100) (Source - Location)
  WindowServer 13 (Apple)
  Sharing 5 (Not signed)
  RTProtectionDaemon 4 (Malwarebytes Corporation)
  iconservicesagent (2) 2 (Apple)
  iTerm2 2 (GEORGE NACHMAN)
Virtual Memory Information:
  Physical RAM: 48 GB
  Free RAM: 121 MB
  Used RAM: 18.53 GB
  Cached files: 29.35 GB
  Available RAM: 29.47 GB
  Swap Used: 0 B
Software Installs (past 60 days):
  Install Date Name (Version)
  2025-01-18 macOS 15.2 (15.2)
  2025-01-18 Proton Pass for Safari (1.27.2)
  2025-01-18 Malwarebytes for Mac (1.0)
  2025-01-18 MRTConfigData (1.93)
  2025-01-18 XProtectPlistConfigData (5285)
  2025-01-18 Gatekeeper Compatibility Data (1.0)
  2025-01-18 XProtectPayloads (149)
  2025-01-18 Wipr (2.2)
  2025-01-18 BrowserMask (1.2)
  2025-01-18 Obsidian Web Clipper (0.10.7)
  2025-01-18 SF Mono Fonts (6.0.1.1726709071)
Diagnostics Information (past 60 days):
  2025-01-18 19:22:30 lsd Crash (14 times)
    First occurrence: 2025-01-18 13:00:50
    Executable: /usr/libexec/lsd
  2025-01-18 16:50:55 spotlightknowledged High CPU Use
    Executable: /System/Library/Frameworks/CoreSpotlight.framework/spotlightknowledged
  2025-01-18 16:09:25 bluetoothuserd Crash (2 times)
    Executable: /usr/libexec/bluetoothuserd

End of report
 

You obviously have far more computer knowledge than me, but your experience is completely against what I understand is possible…..that the SSV is compromised. If the SSV fails the intensive verification carried out on every boot, the machine will not start. As in this article for example:

“The fact that a Mac can boot normally therefore guarantees that the kernel, firmware and software are exactly as intended. This is extended to the entire contents of the System volume by the SSV, using a tree of cryptographic hashes to verify them down to the last bit. Apple details this here for IT2, here for AS, and here for the SSV on both.”
 
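The hash-tree idea in the quoted passage, as an added toy model written for this thread (not Apple's SSV code and not from the linked article): every block of every file is hashed into a tree whose single root is the seal, so a one-bit change anywhere, an added file, or a renamed file changes the root and verification fails. The block size, paths and file contents are constructed placeholders.

```python
import hashlib

BLOCK_SIZE = 4  # toy block size so that even short files span several leaves


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def block_hashes(content: bytes) -> list:
    """Leaf hashes, one per fixed-size block, like the data blocks of a volume."""
    blocks = [content[i:i + BLOCK_SIZE] for i in range(0, len(content), BLOCK_SIZE)] or [b""]
    return [_h(b"\x00" + b) for b in blocks]  # domain-separate leaves from inner nodes


def merkle_root(nodes: list) -> bytes:
    """Hash adjacent pairs level by level until a single root remains."""
    level = list(nodes)
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(_h(b"\x01" + level[i] + level[i + 1]))
            else:
                nxt.append(level[i])  # an odd node is carried up unchanged
        level = nxt
    return level[0]


def file_roots(files: dict) -> dict:
    """Per-file root, bound to the file's path so that a rename also changes it."""
    return {path: _h(b"\x02" + path.encode() + merkle_root(block_hashes(data)))
            for path, data in files.items()}


def seal_volume(files: dict) -> bytes:
    """The seal: one root over all per-file roots in canonical path order."""
    roots = file_roots(files)
    return merkle_root([roots[p] for p in sorted(roots)])


def verify_volume(files: dict, seal: bytes) -> bool:
    """The boot-time check in this model: recompute the root and compare it to the stored seal."""
    return seal_volume(files) == seal


def changed_paths(files: dict, reference: dict) -> list:
    """Localise a failed check: paths whose per-file root differs, plus paths added or removed."""
    current = file_roots(files)
    return sorted(p for p in set(current) | set(reference)
                  if current.get(p) != reference.get(p))


# Constructed sample "volume"; the paths echo ones mentioned in the thread, the contents are placeholders.
SYSTEM = {
    "/System/Library/Input Methods/VietnameseIM.app/Contents/Info.plist": b"<plist>VietnameseIM</plist>",
    "/usr/libexec/lsd": b"\x7fELF-placeholder-binary-bytes",
    "/usr/bin/nano": b"nano-binary-placeholder",
}


def demo() -> dict:
    seal = seal_volume(SYSTEM)
    reference = file_roots(SYSTEM)
    results = {"intact": verify_volume(SYSTEM, seal)}

    flipped = dict(SYSTEM)
    data = bytearray(flipped["/usr/libexec/lsd"])
    data[-1] ^= 0x01  # one bit, in the last block of one file
    flipped["/usr/libexec/lsd"] = bytes(data)
    results["one_bit_flipped"] = verify_volume(flipped, seal)
    results["flipped_paths"] = changed_paths(flipped, reference)

    added = dict(SYSTEM)
    added["/usr/libexec/extra"] = b"new"
    results["file_added"] = verify_volume(added, seal)

    renamed = dict(SYSTEM)
    renamed["/usr/bin/nano-moved"] = renamed.pop("/usr/bin/nano")
    results["file_renamed"] = verify_volume(renamed, seal)
    results["renamed_paths"] = changed_paths(renamed, reference)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The model also shows the flip side of the quoted claim: the seal says whether the volume is exactly as built, not whether anything on the writable Data volume or in user-level persistence is benign.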
I fear I know just enough to see that there is a problem

Sorry but I'm afraid that in this case you don't know nearly enough to be able to draw any conclusions.

KIM and VIM are Korean and Vietnamese Input Methods, isn't it obvious that these aren't related to "vim" the editor? Or is there another editor called "kim"? It even says "JapaneseIM" on the line above.

It takes 10 seconds to search for "MTLCompilerService" on the web and find out what it is.
Neither WebKit nor MTL are "development tools", the former is a browser engine that Safari uses and the latter is an abbreviation sometimes used for Metal, Apple's graphics API.

Your system is most likely completely fine.
 
I was recently hacked in a pretty bad way that took down my personal network of about 10 nodes and I'm trying to recover from it but I can't seem to get the MacBooks cleaned no matter what I do.
Here we go again, same fantastical stories about hacking from a newly created account.
 
Here we go again, same fantastical stories about hacking from a newly created account.
I created the account in hopes to get help, I apologize for not replying sooner but I wasn't getting notifications. I wasn't even sure if it posted. Access to the internet is tough considering these attacks have knocked out all of my computers. Most of what I'm doing has to be done from my phone.


"VIM" in this context is "Vietnamese Input Method" and has nothing to do with the vim editor. Those files are completely normal.


MTLCompilerService is part of the graphics subsystem, and again is normal.


You've linked to a prohibited site, but I've put the report below:
(redacted for ease of reading)

End of report

Thank you for linking it, I couldn't figure out how to do it. I understand in that case what VIM means now, but I am finding .viminfo files in random places on my file system. These are files that would never be on my MacBook, and I found them on my Linux machines as well. So I've also found .VIM plugins as well.

As for the MTLCompilerService, I do sort of understand what this means. I know MTL stands for Metal, which is the reason I got the MacBooks in the first place, but I didn't understand the context. I'm starting to suspect that they're using it for crypto mining, though I did find a rogue installation of Homebrew, a vector database, and a 'train' command that I didn't touch on a previous wipe, so it could be something related to AI.

Also I'm aware that this would normally be an innocuous thing; however, I keep seeing these kinds of 'input' methods grouped together under strange users when running lsof. I also found these language files for these specific languages in suspicious directories on my Arch Linux installation before they nuked the partitioning table.

Sorry but I'm afraid that in this case you don't know nearly enough to be able to draw any conclusions.

KIM and VIM are Korean and Vietnamese Input Methods, isn't it obvious that these aren't related to "vim" the editor? Or is there another editor called "kim"? It even says "JapaneseIM" on the line above.

It takes 10 seconds to search for "MTLCompilerService" on the web and find out what it is.
Neither WebKit nor MTL are "development tools", the former is a browser engine that Safari uses and the latter is an abbreviation sometimes used for Metal, Apple's graphics API.

Your system is most likely completely fine.


Please tell me what you need and I will provide what I can. I have an hour-long video going through logs of suosmobileupdater applications and other stuff that appear to show them tampering with the Malwarebytes installation and logging things like:
{
autoUpdate = false ;
buddy = false;
commandLine = true;
installTonight = false;
mdm = false;
notifications = false;
settings = false;
}

When I checked the quantize sqlite file using sqlite3, it said it wasn't a valid database file, almost like it had been encrypted. Then when I checked it a few minutes later, it was 0 KB and completely empty. I also ran:

codesign -dvv /Applications/Malwarebytes.app

which showed it signed by Malwarebytes Corporation, but when I ran:

spctl --assess --verbose /Applications/Malwarebytes.app

It showed it as untrusted or revoked or something by Developer ID. When I looked through the logs, the kernel showed it sandboxed, which didn't seem right for something like Malwarebytes. I removed it and tried to download it again, but it looked like I was being redirected to a fake site. Not sure if it was legitimate, I decided to proxy off of my phone to ensure no DNS issues but found it resolving to an IPv4 address, whereas my work laptop would resolve IPv6. Now that could just be happenstance, but I didn't want to take any chances as I had already found them (and took a picture of them) trying to phish me using DNS hijacking and a fake 'protonvpn.com' website. Proton accounts are all tied together, so giving that away would've given away my email and password manager as well.

I'm positive I'm hacked, and I've submitted a security report to Apple due to the persistent nature of it between DFU + Configurator restores, but on the consumer level, Apple can't help me because this is technically impossible and you can't file warranty for software issues. So I'm kind of stuck in a catch-22.

Any advice would be greatly appreciated. At this point I'm suspicious that it may be in the recovery volume and that DFU + Configurator wipes aren't fully wiping it. Thus the reason for the security report. But if anyone knows how I can wipe this volume, please let me know. I've tried csrutil authenticated-root disable, but it's tied to the kernel at process 0, so it makes it tough to remove.

Reason I was suspicious of the Malwarebytes redirection:
 
I'm positive I'm hacked, and I've submitted a security report to apple due to the persistent nature of it between DFU + Configurator restores but on the Consumer level, Apple can't help me because this is technically impossible and you can't file warranty for software issues. So I'm kind of stuck in a catch 22.
I can’t explain your issues but do not believe your SSV has been hacked. Repeating the key sentence from earlier:

“The fact that a Mac can boot normally therefore guarantees that the kernel, firmware and software are exactly as intended. This is extended to the entire contents of the System volume by the SSV, using a tree of cryptographic hashes to verify them down to the last bit. Apple details this here for IT2, here for AS, and here for the SSV on both.”

DFU Configurator Restores remove the system volume, the firmware and all hidden partitions, including Recovery, from the internal.
 
I can’t explain your issues but do not believe your SSV has been hacked. Repeating the key sentence from earlier:

“The fact that a Mac can boot normally therefore guarantees that the kernel, firmware and software are exactly as intended. This is extended to the entire contents of the System volume by the SSV, using a tree of cryptographic hashes to verify them down to the last bit. Apple details this here for IT2, here for AS, and here for the SSV on both.”

DFU Configurator Restores remove the system volume, the firmware and all hidden partitions, including Recovery, from the internal.
Yes, it really does seem unlikely. My sudo access was removed again, so I’m not really sure where to go from there, but I can’t get them out of my Macs. I was able to clean a Dell Inspiron with a minimal Linux distribution and logged it idle for a couple of hours. I can’t really explain how it’s happening, but I’ve gone through 5 routers, so I don’t think it’s in the router. (They just bricked my 5G hotspot last night with a faulty firmware update.) My only other thought would be my phone, but that seems even more implausible.

You are entitled to an Apple Security Bounty reward payment $100,000 – $1,000,000
https://security.apple.com/bounty/categories/
Yes, I’m aware of the bounty, but I’m not a security researcher and have no idea how it works. Which is the problem I’m facing, unfortunately. I didn’t figure it out, I’m just the victim of it, so I’m not sure if that entitles me to anything. I’ve already submitted a report, though I’ve never submitted anything like that before and I'm not sure if they have everything needed. It’s not like they’re going to fix it anytime soon, though; I’ve gone through so many restores, so I guess I can just pull whatever they need later. I would be thrilled just to get them replaced under warranty because of the wear and tear on the drive, but would be content with just being able to use them again.


I’ve been thinking of doing another DFU restore while running diagnostics/logging to get it back to a state I can work with, and then taking control of the laptop by having an LDAP controller ready to go and joining that domain immediately upon activation. This might be enough to prevent them from taking over the MacBooks until I can get Malwarebytes running on the machines. They seem to go after it (x9, not so much) immediately, so I’m assuming it catches the persistence mechanism or exploits. Anyway, I’ll try to keep the thread updated if I make any progress or get the diagnostic output of the DFU restore.
 
Yes I’m aware of the bounty, but I’m not a security researcher and have no idea how it works. Which is the problem I’m facing, unfortunately. I didn’t figure it out, I’m just the victim of it,
Get in touch with The Citizen Lab, they are experts that can help you for free https://citizenlab.ca
 
Get in touch with The Citizen Lab, they are experts that can help you for free https://citizenlab.ca
Just wanted to say thank you. I have never heard of them and reached out. They couldn’t help due to how they do their research but they got me in touch with Access Now who looks like they’re going to help me get this sorted out.
 
Just wanted to say thank you. I have never heard of them and reached out. They couldn’t help due to how they do their research but they got me in touch with Access Now who looks like they’re going to help me get this sorted out.

This whole story sounds so bizarre that I feel something else not mentioned could be at play. E.g., I know absolutely nothing about it, but I believe businesses can have machines assigned to them under an MDM agreement, which might change the state of the machine when activated. Is it possible this applies to your machine?
 
Hello, I posted a month or so back trying to get help with malware that seemed to persist after the DFU restore process on Apple silicon macOS. I was having a heck of a time getting my machine cleaned and I’m still trying to get rid of it. I’ve discovered what I believe is proof that the DFU process is compromised. By sheer luck I found a log detailing the process during the restore, which to my understanding shouldn’t be possible given the nature of it wiping the system down to the firmware. I’ve gathered additional logs, dumped the VRAM, etc., and still have 2 MacBooks that have been offline that still currently have the volume and malware inside of it that have persisted through full DFU restores. If anyone here is familiar and experienced with the APFS_Recovery volume, its creation, and the DFU restore process, please let me know. I would like to confirm what I’m seeing and that this is what it looks like before updating my disclosure case with Apple and going public with it. It would highlight a glaring flaw in the design of the silicon-based Mac and iOS, along with the opportunity to bring up the discussion of Apple locking users out of being able to boot unsigned OSs. A simple bootable Linux live OS and the dd command would render this attack useless, but as it stands, we cannot do that, and thus I’ve been unable to use my Macs for months with no recourse. Apple doesn’t have a fail-safe support option. Everyone I spoke with at Apple said they couldn’t help because it wasn’t supposed to be possible. Well, I’m pretty sure I have found that proof, but I need to run it by someone who is experienced in this particular area. Thank you.
 
This whole story sounds so bizarre I feel something else not mentioned could be at play. eg I know absolutely nothing about it but believe businesses can have machines assigned to them under an MDM agreement, which might change the state of the machine when activated. Is it possible this applies to your machine?
It turns out it was an APT (most likely APT41, I believe, due to the similarities of attack strategies, but unable to confirm) targeting me because of the company I worked for, which dealt in government contracts with the local expressway authorities and traffic management. I handled new lane deployments and they were doing everything possible to try to get into our clients' systems. I guess China has been focusing a lot of attacks on civil infrastructure. I ended up losing my job last week because of this situation. Was targeted because of my employer, was fired because I was targeted. The whole situation is a mess, but basically there is no such thing as help for the little guy when it comes to cyber attacks. I had to pretty much get a crash course in advanced cybersecurity techniques and MacOS pretty quickly. As I mentioned above... by accident... (meant to start a new thread but I was pretty tired when I posted that) I believe I have the evidence that this kind of persists-through-DFU malware can exist.

Also to answer your questions, interestingly enough, they didn't really use mdm, at least not from what I could see. They:

- Would have the malware persist through the firmware after DFU+Restore.
- This would give them a backdoor into the system.
- With that backdoor they would install all kinds of parental controls. And modify XPC libraries? Or something of that nature, to remove things like settings right out of the Settings menu. So there would be settings, for instance 'VPN' in Network, that just wouldn't be there.
- Use 'provisioning profiles' that I couldn't remove or see. (Though those were the only things that came up when running 'profiles' with appropriate switches so I don't believe mdm was involved unless they sandboxed me. Which is also possible. Also I created and installed my own certificate with a fake company on my phone early on after all this started using 'iMazing' blueprints that prevented any other 'companies' from claiming the device so I think this helped.)

- Then they somehow get a certificate installed, I think through just spamming a working VPN service with a certificate update command, which would route all of the traffic locally through an internal IPv6 IP. This combined with the certificate decrypts the traffic, and they could monitor me, hijack my DNS, and then send me through to where they wanted me to go. Anything that went against 'the grain' was shut down with resistance. I even had them turn off my internet, take away my administrative/sudo access, and wipe my MacBook with volumes that were created from xtools (stuff like Vision or Apple TV FS), and they would eventually just take the whole thing down or make it so you couldn't move.

This was just on Mac. They would get into the NVRAM/EFI of my other laptops/PCs and persist through full disk erasure. Amongst many other things depending on the OS. I've gone through 13 routers and purchased 2 new MacBooks since this started, received 2 new work computers, and bought 2 extra mini PCs. I'm just finally getting peace, not because I beat them, but because I'm no longer of use to them since I was fired by my employer. Though to be fair, had I known that without a doubt, I would've quit months ago to make this whole thing stop. There's a lot more to it, like tactics and stuff they would do and how I figured a lot of it out, but it would turn this into a novel since it's been an ongoing thing for months. Pretty **** experience tbh, 0/10 do not recommend.
 
You think I haven't? I've already spoken to the FBI, CISA, and even my local law enforcement. I have the reports sitting right here, including the one to the FBI. I'm sure you can guess how much good it did, but in case you were wondering, none. The federal government doesn't care unless you're a large enterprise/entity with multiple employees underneath you. CISA just refers you to the FBI due to them only being interested in infrastructure, as does the local PD because they don't know what to do. There is no such thing as support, with the exception of 'Access Now', which only deals with people who are activists or otherwise a part of 'civil society.' There is quite literally nobody to help. Unless you have about 50 grand for an incident response team. Or 20 grand just to talk to a consultant. Most wouldn't even return my calls because I wasn't an enterprise. It's just not worth it to them. I even tried to get EDR from CrowdStrike and they turned me down. This is the reason I'm looking into building my own AI-based EDR that's available to everyone, not just enterprises, and starting a non-profit to help people who are going through what I went through.

Also, I'm pretty sure I didn't ask for help in any of my recent comments. I was replying to someone else who was curious about the MDM techniques and explained what they were doing instead, since I knew more about the situation. Because you're right, I know more about them and their tactics at this point than anyone in this forum, considering I dealt with their nonsense every single day for the past 3 months....

I'm looking for someone who's experienced enough with the process I mentioned (DFU+Restore) for a peer review on what I found, so I can either disclose the vulnerability and push Apple to get it patched, or keep investigating how they persisted through the restores.
 