Help identifying macOS Malware

Joined: Jan 19, 2025 | Messages: 2 | Reaction score: 0
I am having what I believe to be a malware issue that is persisting between Configurator restores. I've tried to explain to the Apple Store and to support on the phone but I'm not getting anywhere. I come from a Linux background but I am new to MacOS and I fear I know just enough to see that there is a problem without being able to properly articulate what the issue is. I was recently hacked in a pretty bad way that took down my personal network of about 10 nodes and I'm trying to recover from it but I can't seem to get the MacBooks cleaned no matter what I do.

I think? what is happening is that the SSV is somehow compromised and persisting through Configurator restores. I keep finding language input files in /var/root/Library/Daemon Container. Normally this wouldn't be all that odd but they're the only input language files that are in there. I also see them running here:

loginwind 1152 daksani txt REG 1,13 20236 1152921500312187653 /System/Library/Input Methods/JapaneseIM-KanaTyping.app/Contents/PlugIns/JapaneseIM-KanaTyping.appex/Contents/Resources/InfoPlist.loctable
loginwind 1152 daksani txt REG 1,13 17587 1152921500312188111 /System/Library/Input Methods/KoreanIM.app/Contents/PlugIns/KIM_Extension.appex/Contents/Resources/InfoPlist.loctable
loginwind 1152 daksani txt REG 1,13 9170 1152921500312189417 /System/Library/Input Methods/VietnameseIM.app/Contents/PlugIns/VIM_Extension.appex/Contents/Resources/InfoPlist.loctable

These appear to be VIM and KIM extensions and yet I'm very particular about not using VIM as I use nano.

The system also appears to be using a very large amount of RAM when idle. While I have downloaded some applications, 25GB of RAM usage seems excessive for 2 tabs in Safari and 2 windows of iTerm2. I ran EtreCheck Pro and found the following:

Top Processes Snapshot by Memory:
Process (count) RAM usage (Source - Location)
com.apple.WebKit.WebContent (7) 2.34 GB (Apple)
EtreCheckPro 1.42 GB (Etresoft, Inc.)
iTerm2 957 MB (GEORGE NACHMAN)
MTLCompilerService (31) 689 MB (Apple)
mediaanalysisd 663 MB (Apple)


MTLCompilerService seems out of place unless it's linked to Apple Intelligence? This is fresh from a Configurator run from a couple of hours ago today and I haven't downloaded any development tools like WebKit or MTL, etc. I'm not really even sure what most of these are outside of iTerm2 and EtreCheck. I also found something called 'Sharing 5' unsigned that I'm also not sure of:

Top Processes Snapshot by Energy Use:
Process (count) Energy (0-100) (Source - Location)
WindowServer 13 (Apple)
Sharing 5 (Not signed)
RTProtectionDaemon 4 (Malwarebytes Corporation)
iconservicesagent (2) 2 (Apple)
iTerm2 2 (GEORGE NACHMAN)


Here's the full Etre Report.


If anyone can help with removal or at least how to approach this with Apple, I'd be greatly appreciative.
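The lsof lines quoted above all point into /System/Library, which on a modern Mac lives on the sealed, read-only system volume (the SSV); files there cannot be altered without breaking the volume seal, so they are a poor place to look for persistence and a good place to rule out first. Below is an added triage helper, not code from this thread or from Apple, that parses `lsof -p <pid>` output and flags mapped code or text files that live on writable storage (the Data volume, /usr/local, user homes) rather than on sealed roots. The three sample lines are the ones from the post; the fourth line is constructed for the demo and the firmlink list is a partial one (the authoritative list is in /usr/share/firmlinks on the Mac itself).

```python
"""Triage 'lsof -p <pid>' output: which open files live outside the sealed
system volume (SSV) and SIP-protected roots?

Added example for this thread; not code from the original post or from Apple.
The fourth sample line below is constructed, not from the thread."""
from dataclasses import dataclass

# Roots that live on the cryptographically sealed system volume (read-only at
# runtime). Paths here are integrity-protected by the SSV seal.
SEALED_ROOTS = ("/System/", "/usr/", "/bin/", "/sbin/")

# Firmlinks that redirect parts of those roots onto the writable Data volume.
# Partial list (assumption for this demo); see /usr/share/firmlinks for the full one.
DATA_FIRMLINKS = (
    "/System/Volumes/Data/",
    "/System/Library/Caches/",
    "/System/Library/Assets/",
    "/usr/local/",
)


@dataclass
class OpenFile:
    command: str
    pid: int
    user: str
    fd: str      # lsof FD column: 'txt' = program text, 'mem' = mapped file, 'cwd', '3r', ...
    ftype: str   # lsof TYPE column: REG, DIR, unix, ...
    path: str

    @property
    def sealed(self) -> bool:
        """True if the path is on the sealed system volume (not a Data firmlink)."""
        if self.path.startswith(DATA_FIRMLINKS):
            return False
        return self.path.startswith(SEALED_ROOTS)


def parse_lsof(text: str) -> list[OpenFile]:
    """Parse lsof's default 9-column layout; NAME may itself contain spaces,
    so split into at most 9 fields. Lines without a filesystem path (sockets,
    pipes, the header) are skipped."""
    files = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("COMMAND"):
            continue
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        cmd, pid, user, fd, ftype, _dev, _size, _node, name = parts
        if not name.startswith("/"):
            continue
        files.append(OpenFile(cmd, int(pid), user, fd, ftype, name))
    return files


def flag_unsealed_code(text: str) -> list[str]:
    """Paths of mapped code/text (FD 'txt' or 'mem') that sit on writable storage.
    These are the entries worth a second look; sealed paths are covered by the SSV."""
    return [f.path for f in parse_lsof(text) if f.fd in ("txt", "mem") and not f.sealed]


# Three lines from the thread plus one constructed line (the .dylib under ~/Library).
SAMPLE_LSOF = """\
COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF                NODE NAME
loginwind 1152 daksani txt REG 1,13 20236 1152921500312187653 /System/Library/Input Methods/JapaneseIM-KanaTyping.app/Contents/PlugIns/JapaneseIM-KanaTyping.appex/Contents/Resources/InfoPlist.loctable
loginwind 1152 daksani txt REG 1,13 17587 1152921500312188111 /System/Library/Input Methods/KoreanIM.app/Contents/PlugIns/KIM_Extension.appex/Contents/Resources/InfoPlist.loctable
loginwind 1152 daksani txt REG 1,13 9170 1152921500312189417 /System/Library/Input Methods/VietnameseIM.app/Contents/PlugIns/VIM_Extension.appex/Contents/Resources/InfoPlist.loctable
loginwind 1152 daksani txt REG 1,13 51200 123456789 /Users/daksani/Library/Application Support/example-plugin/helper.dylib
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSOF
    for path in flag_unsealed_code(text):
        print("writable location, review:", path)
```

Pipe real output in with `lsof -p <pid> | python3 triage.py`. The three Input Method entries are classified as sealed and dropped; only the constructed ~/Library path is reported. The seal itself is the stronger check: `diskutil apfs list` reports `Sealed: Yes` (or `Broken`) for the system snapshot volume, and `csrutil authenticated-root status` shows whether authenticated root is still enabled, which is what actually answers the "is the SSV compromised" question.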
 
Joined: May 7, 2023 | Messages: 770 | Reaction score: 117
Hi there and sorry for the delay in replying.

What you are seeing is normal macOS files. You don't have any malware.

As far as the RAM usage, with 48GB of RAM, having 25GB used with what you have installed is not abnormal. On my system with 128GB of RAM, I use 30GB with no apps running. You have Malwarebytes installed, which uses a lot of RAM. Depending what you are doing on the web, it may not be needed, and if you uninstall it you would use a little less RAM.
 
Joined: Jan 19, 2025 | Messages: 2 | Reaction score: 0
No worries and thanks for your reply! I did find that those files are generally harmless and the VIM means Vietnamese input method, but I found those kind of comes (not the same ones, just the same language) in other suspicious directories on compromised OSes. I do a lot of web surfing and download a lot of development applications that aren't available in the App Store (like Windsurf IDE) so I try to keep active protection up. Plus iirc the most widespread virus in NA is AdLoad so I try to keep protection up. I used to have X9 Internet Security running before this attack (extra firewall + active virus scanning) and I don't remember it running above 10. I mimic the same install on my Air, which is only 16GB, and I could still work, etc. I keep track of RAM usage because I run a lot of AI inference.

Malwarebytes I think is the one thing they target first. I am hesitant to not include it because I found logs of suosmobileinstaller doing something like:


{
autoUpdate = false ;
buddy = false;
commandLine = true;
installTonight = false;
mdm = false;
notifications = false;
settings = false;
}

during the Malwarebytes install. When I checked the database sqlite file using sqlite3, it said it wasn't a valid database file, and cat made it look like it had been encrypted. Then when I checked it a few minutes later, it was 0kb and completely empty. I also ran:

codesign -dvv /Applications/Malwarebytes.app

which showed it was signed by Malwarebytes Corporation, but when I ran:

spctl --assess --verbose /Applications/Malwarebytes.app

it showed it as untrusted or revoked by Developer ID. When I looked through the logs, the kernel showed it sandboxed, which didn't seem right for something like Malwarebytes. How can you actively prevent virus infections if it's sandboxed? I don't have anything to compare it against though, so I can't confirm either way. I suspect, however, that suosmobileinstaller was interfering with the install and causing it to become untrusted.

Either way I’m convinced there are hackers targeting me. I’ve lost 8 computers and 5 routers now since Christmas, and any time I try to go against ‘the grain’ (like manually uploading a clean Malwarebytes app) stuff happens like my sudo access being revoked or my password being changed. I’ve also caught them trying to blatantly phish me for my password manager credentials by controlling the DNS and redirecting me to locally hosted fake websites. I’ve sent a report in to Apple security team but I’d just like to get them cleaned so I can use them again.

(Edit: Typos because autocorrect on phone)
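The codesign/spctl pair in the post above is the right check, and the interesting case is exactly the one described: `codesign -dvv` lists a Developer ID certificate chain, yet `spctl --assess` rejects the bundle. Below is an added helper, not code from this thread, from Apple or from Malwarebytes, that runs both tools (when they exist on the host) and turns their output into one report, so that "signed but not accepted by Gatekeeper" shows up as a single false `trustworthy` flag instead of two outputs to eyeball. The parsers are pure functions; the sample outputs are constructed to match the tools' line formats, and `com.example.app`, `Example Corp` and `TEAMID0000` are placeholders.

```python
"""Code-signature and Gatekeeper triage for an app bundle.

Added example for this thread; not code from the original post, Apple or
Malwarebytes. Shells out to codesign(1) and spctl(8) when present and parses
their output. The sample outputs are constructed to mimic the tools' formats."""
import re
import shutil
import subprocess
import sys
from dataclasses import dataclass, field


@dataclass
class SignatureReport:
    path: str
    identifier: str = ""
    team_id: str = ""
    authorities: list = field(default_factory=list)   # certificate chain, leaf first
    verify_ok: bool = False                            # codesign --verify exit status
    gatekeeper: str = "unknown"                        # accepted / rejected / unknown
    gatekeeper_source: str = ""                        # spctl's 'source=' line

    @property
    def trustworthy(self) -> bool:
        """Signature verifies, chains to Apple's Developer ID CA, and Gatekeeper accepts it.
        A chain that looks fine under codesign -dvv but is rejected by spctl
        (revoked certificate, failed notarization) fails here."""
        return (
            self.verify_ok
            and self.gatekeeper == "accepted"
            and "Developer ID Certification Authority" in self.authorities
            and "Apple Root CA" in self.authorities
        )


def parse_codesign_details(text: str) -> dict:
    """Parse 'codesign -dvv' output: key=value lines; Authority= repeats once per cert."""
    info = {"authorities": []}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "Authority":
            info["authorities"].append(value)
        else:
            info[key] = value
    return info


def parse_spctl(text: str) -> tuple[str, str]:
    """Parse 'spctl --assess --verbose': '<path>: accepted|rejected' then 'source=...'."""
    verdict, source = "unknown", ""
    for line in text.splitlines():
        m = re.search(r":\s*(accepted|rejected)\s*$", line)
        if m:
            verdict = m.group(1)
        elif line.startswith("source="):
            source = line.partition("=")[2].strip()
    return verdict, source


def assess_app(path: str) -> SignatureReport:
    """Run the three checks a reviewer would type by hand and combine them."""
    report = SignatureReport(path=path)
    if not (shutil.which("codesign") and shutil.which("spctl")):
        return report  # not on macOS: everything stays at its 'unknown' defaults
    details = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    info = parse_codesign_details(details.stderr + details.stdout)
    report.identifier = info.get("Identifier", "")
    report.team_id = info.get("TeamIdentifier", "")
    report.authorities = info["authorities"]
    verify = subprocess.run(["codesign", "--verify", "--deep", "--strict", path],
                            capture_output=True, text=True)
    report.verify_ok = verify.returncode == 0
    gk = subprocess.run(["spctl", "--assess", "--type", "execute", "--verbose", path],
                        capture_output=True, text=True)
    report.gatekeeper, report.gatekeeper_source = parse_spctl(gk.stdout + gk.stderr)
    return report


# Constructed sample output (placeholder identifiers), shaped like the real tools' output.
SAMPLE_CODESIGN = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
"""
SAMPLE_SPCTL_OK = "/Applications/Example.app: accepted\nsource=Notarized Developer ID\n"
SAMPLE_SPCTL_BAD = "/Applications/Example.app: rejected\nsource=no usable signature\n"

if __name__ == "__main__":
    r = assess_app(sys.argv[1] if len(sys.argv) > 1 else "/Applications/Example.app")
    print(r)
    print("trustworthy:", r.trustworthy)
```

Run it as `python3 assess.py /Applications/Malwarebytes.app` on the Mac. If `trustworthy` comes back false, the `gatekeeper_source` line says why (revoked certificate versus missing notarization are different problems), and a freshly downloaded copy of the same app from the vendor can be compared field by field: same TeamIdentifier and chain but a different Gatekeeper verdict points at the local system's policy or certificate state, not at the bundle.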
 
Joined: Jan 25, 2025 | Messages: 1 | Reaction score: 0
I have the EXACT same issue! I have been digging into this, and I am really convinced it is malware. Reasons why, beyond the obvious random UI anomalies: 1) when setting up the Mac after a restore, a legacy language chooser dialogue pops up and disappears, like a UI glitch. Except, after reviewing files related to "login-window", it appears to be some sort of hook that creates another user when you enter in your credentials. 2) nvram shows the entry "IDv2Installer", which seems to relate to porting Asahi to macOS, or at least that is one of the things I've read. Even after clearing it, it repopulates. 3) The ioreg function shows a surface root, forked off by some io interface, and the diskutil function noted that the boot disk's UUID was "IOcontent". 4) It appears that /usr is the root mount point of another disk, apparently the cryptex OS.dmg mount. Reviewing the logs, and tracing daemons using launchctl, it appears that the environment is bootstrapped by an XPC executable. 5) I noticed multiple references to "private/../../var", which is an indicator of compromise of a CVE directory traversal hack which was supposedly "patched" by Apple in a recent update. The crux of the issue was the ability for a disk image to mount over /private/tmp at runtime. 6) the /etc directory plays a substantial role. Of the files I reviewed, the most suspect included an auto_home mount referencing an executable in C+, bashrc and zshrc files which made reference to "if inside of emacs do this", ssh keys, an OpenSSL cert, a bunch of postfix configuration files, even more cups configuration files, and a bunch of PAM configuration files which appear to enable the malware to do as it pleases without necessitating security prompts from the user. 7) There is extensive use of Apache module configurations, OpenDirectory, and Kerberos which appear to create a sysadmin user with entitlements at least equal to that of the true local administrator.
8) Even if all the above were somehow explained off as macOS-native, the nail in the coffin were syslogs which indicated directories in the following scheme: /\ . /\ . / - which is basically equivalent to / / /. 9) Why has this persisted through restores, including DFU? Well, from recovery mode diags, there are a few things that I notice are going on. The first is that the package appears symlinked to various plugins located on the OS itself, any of which may be malign. During installation, there are multiple calls from powerd, and a privileged helper tool, which are initially rejected. The installer proceeds to download the OS payloads from the standard Apple swdn URL. Upon unzipping, however, something seems to go wrong. I wish I knew the precise mechanism. But simply put, the installer thinks it is relying on the authentic OS-bundled docs when it seems to permit another process to take over the installation, and with some reference to falling back to AMFI permissive cache. I am just pondering here, but ifconfig indicated the existence of multiple linked physical and virtual interfaces, which could have enabled some sort of MITM attack during installation. I brought my M2 computer in for a repair at Apple, and the initial diagnosis is an issue in the "power board", specifically the USB-C connector. We will see, but in the meantime I'm not using my iCloud.
 
