
haralds

macrumors 68030
Jan 3, 2014
2,989
1,252
Silicon Valley, CA
If you are "wiping" your disk you need to make sure to remove all volumes and volume groups via Recovery. Make sure you "View" "All Devices."
Just erasing the main volume or volume group is not enough.
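An added example, not code from this thread or from Apple: a small read-only inventory script that parses the text output of `diskutil list` (the same information Disk Utility shows under View > All Devices) and lists every APFS container and volume, flagging volumes that a fresh macOS install would not carry. The volume names in `EXPECTED_SYSTEM_VOLUMES`, the fixed row layout the regex assumes, and the sample output below are assumptions, and the sample is constructed to include an extra container (`disk4`). It only reports what `diskutil` prints, so it gives you a checklist of what to erase and what is left over, not proof that the tool itself is honest.

```python
"""Inventory every APFS container and volume reported by `diskutil list`."""
import re
import subprocess
import sys
from dataclasses import dataclass, field

# Volume names a fresh macOS system container normally carries.
# Assumption: default volume name "Macintosh HD"; adjust to your own layout.
EXPECTED_SYSTEM_VOLUMES = frozenset(
    {"Macintosh HD", "Macintosh HD - Data", "Preboot", "Recovery", "VM"}
)

DEVICE_HEADER = re.compile(r"^/dev/(?P<ident>disk\d+) \((?P<kind>[^)]*)\):\s*$")
# One table row: index, TYPE (a few types contain spaces), NAME, SIZE, IDENTIFIER.
ROW = re.compile(
    r"^\s*(?P<idx>\d+):\s+"
    r"(?P<type>APFS (?:Container Scheme|Volume|Snapshot)|\S+)"
    r"(?:\s+(?P<name>.*?))?"
    r"\s+(?P<size>[*+]?\d+(?:\.\d+)?\s[KMGTP]?B)\s+"
    r"(?P<ident>disk\d+(?:s\d+)*)\s*$"
)


@dataclass
class Row:
    type: str
    name: str
    size: str
    ident: str


@dataclass
class Device:
    ident: str
    kind: str                      # text in parentheses: "internal, physical", "synthesized"
    rows: list = field(default_factory=list)


def parse_diskutil_list(text: str) -> dict:
    """Return {device identifier: Device} from `diskutil list` output."""
    devices, current = {}, None
    for line in text.splitlines():
        header = DEVICE_HEADER.match(line)
        if header:
            current = Device(header["ident"], header["kind"])
            devices[current.ident] = current
            continue
        row = ROW.match(line)
        if row and current is not None:   # "Physical Store ..." lines have no index and are skipped
            current.rows.append(Row(row["type"], (row["name"] or "").strip(), row["size"], row["ident"]))
    return devices


def physical_containers(devices: dict) -> dict:
    """APFS containers declared on physical disks: {container ident: partition ident}."""
    found = {}
    for dev in devices.values():
        if dev.kind == "synthesized":
            continue
        for row in dev.rows:
            if row.type.startswith("Apple_APFS") and row.name.startswith("Container "):
                found[row.name.split()[1]] = row.ident
    return found


def volumes_by_container(devices: dict) -> dict:
    """{synthesized container ident: sorted volume names}; snapshots are not volumes."""
    return {dev.ident: sorted(r.name for r in dev.rows if r.type == "APFS Volume")
            for dev in devices.values() if dev.kind == "synthesized"}


def unexpected_volumes(devices: dict, expected=EXPECTED_SYSTEM_VOLUMES) -> dict:
    """{container ident: volume names outside the expected set}; an empty list means clean."""
    return {c: sorted(set(v) - expected) for c, v in volumes_by_container(devices).items()}


# Constructed sample in the shape of `diskutil list` on an Apple silicon Mac: the usual
# ISC / system / recovery containers plus an extra container, disk4, with a volume "Untitled".
SAMPLE = """\
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:             Apple_APFS_ISC Container disk1         524.3 MB   disk0s1
   2:                 Apple_APFS Container disk3         474.4 GB   disk0s2
   3:        Apple_APFS_Recovery Container disk2         5.4 GB     disk0s3
   4:                 Apple_APFS Container disk4         20.0 GB    disk0s4

/dev/disk3 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +474.4 GB   disk3
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD            15.2 GB    disk3s1
   2:              APFS Snapshot com.apple.os.update-EXAMPLE 15.2 GB disk3s1s1
   3:                APFS Volume Macintosh HD - Data     100.0 GB   disk3s5
   4:                APFS Volume Preboot                 500.0 MB   disk3s2
   5:                APFS Volume Recovery                800.0 MB   disk3s3
   6:                APFS Volume VM                      20.5 KB    disk3s4

/dev/disk4 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +20.0 GB    disk4
                                 Physical Store disk0s4
   1:                APFS Volume Untitled                1.2 GB     disk4s1
"""


def main() -> int:
    if sys.platform == "darwin":   # read-only query of the live system
        text = subprocess.run(["diskutil", "list"], capture_output=True, text=True, check=True).stdout
    else:                          # no diskutil here: demonstrate on the constructed sample
        text = SAMPLE
    devices = parse_diskutil_list(text)
    print("APFS containers on physical disks:", physical_containers(devices))
    for container, extra in unexpected_volumes(devices).items():
        print(f"{container}: " + (f"unexpected volumes: {', '.join(extra)}" if extra else "only expected volumes"))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from a booted system (or on any other OS against the sample) and compare the container list against what Disk Utility shows with "All Devices" selected: every container identifier in the first line is something that has to be deleted, not just the main volume group. Snapshots are listed separately by `diskutil` and are deliberately left out of the volume check.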
 

angeledsa

macrumors newbie
Nov 11, 2022
2
0
Texas / DC-Baltimore
Thank you for the reply/advice! The issue that I've noticed is there will be a 2nd device/container that seemingly is part of a process that replaces my manually deleted volume when I try to start fresh, and then disconnects. Sometimes I can catch it in the process but the end result is the same - I have a seemingly "clean" but pwned macOS install.

EDIT: I also think this process is part of the modified boot loader / recovery disk / erase process that this malware installs. Interestingly, when I boot cycle, I will get a recovery disk where I have no wifi icon in the menu bar, but the machine has connectivity. Despite that, it will never contact Apple's server to activate, but if I go to the Recovery > Restart, or click Disk Utility, I can then access a functional (but still modified) Recovery Disk.

I noticed that on the first pass of Recovery Disk when my machine is compromised, the keyboard/language option is "ABC" with nothing else. On the more functional pass (after manually entering Recovery again, by "Quit"ing the application in the menu), the language options are as expected.

After typing this, I'm realizing that Disk Utility itself is probably compromised to behave in this way. Another interesting point is that it seems like it restores a point-in-time image, but hides the non-factory files somehow - there have been installs where I have been able to access what looked like my user data, even with old usernames and device names.
 

kitKAC

macrumors 6502a
Feb 26, 2022
878
849
Screenshots or pics of what you're seeing would be useful here.
 