EFI Malware - DNS Hijacking

I have not been able to get much support or info back from Apple and I cannot afford a forensics team right now.


I know everyone says this kind of stuff isn't possible, but I can confirm that some of it is. I have read most of the reports on the more advanced malware and DNS hijacking techniques, but due to my lack of expertise in this area it's been hard to be sure.


I believe I am infected with the mojo_thor EFI malware, as how Rick describes it here is very similar to how I experienced it and still am. I don't want to waste a bunch of time, so if you ask for logs or proof I'll do my best to get you exactly what you need to see. I have been trying to learn essentially how the inner workings of enterprise management tools and the OS work, and for now it's more than I can handle.


I do know I have been under attack and I highly suspect it is stemming from my Apple devices. I know 100% that there are things I think are evidence or something malicious, and they won't be. I've read every forum post like this and know it's going to be people giving me a hard time if I do that. Please hang in there; I have spent enough time with this to know something is going on, and I have almost a year of documentation, logs and photos and will, as directed, update here for anyone that is willing to help.


The stuff I post will not be in order of what's most convincing. If I post it, it probably means it was or is the latest thing I'm trying to rule out and understand. If you want a log, just ask.


Thanks,



First up, and this is pretty off topic unless there is EFI bootstrapping during boot, but does anyone recognize a failure installing with these errors and process?





Posted on Feb 28, 2021 11:43 PM

50 replies

May 17, 2021 10:24 PM in response to MrHoffman

I agree with you fully and, to be honest, I have gone to great lengths to learn as much as I could alone over a year. I provided Apple with constant sysdiagnoses over a year as well and honestly felt pretty bad for contacting support and having it escalated to the engineers.


That being said, one of my responses from the engineers was "How to reinstall an OS", which gave me the impression they didn't read the report or the best I could do in summarizing my findings. I was attempting some pretty advanced stuff trying to provide them what I thought they might need to investigate. I offered to do as much groundwork for them as possible if they could just explain to me what I needed to gather or test.


The problem is Apple is somewhat of a black box when it comes to security, and for someone who works in IT I realize they cannot do everything, and frankly they probably don't care for older models that soon will be obsolete. I also know it's 99% likely I am wrong and they are correct, but here is the problem or the issue I had with them.


99% of their users call about god knows what and I don't blame them for not taking it seriously. But what seemed to happen is I sort of fell into a group they just don't support. I know enough to test and learn at a pretty granular level, but that is very different from understanding the OS or security framework in any depth. I am able to identify stuff I know for sure is malicious or at least very abnormal, but not enough to confirm my suspicions or what evidence I have. I understood this and went out of my way to try to do as much as I could on my end to be sure before I reported it, and offered to test or provide anything they needed. I have all the data preserved across 4 drives, now removed.


I couldn't even get an answer from the engineering team. Anyone I could reach by phone would assure me what I am talking about is impossible, but that's just because they don't know about this stuff and they just go with what they have heard. I don't blame them, but I tried many times to just talk with someone in the engineering team to basically say "are you positive this is nothing?" and ask for a very high level explanation of what I would need to learn in order to verify that on my end.



Searching logs and trying to learn about how persistence would work at the hardware level, one of my searches led me to a GitHub repo of a security researcher who literally describes something that is almost exactly as I described it in my first support ticket to Apple. He had reported it to the FBI and they gave him some info on it and confirmed it was indeed malware, even though Apple says it isn't.


rickmark commented on Oct 10, 2017

To be utterly overt, the FBI has confirmed MojoKDP / Thor and Loki as malware. I have received permission to publish from the San Francisco division, and you can plainly see that this is an old version of the firmware vs. your repository for that model.


rickmark commented on Dec 4, 2019

This is in fact an internal tool used by Apple developers that has been weaponized. MojoKDP provides a kernel debugger on the same box, and has no purpose on consumer machines.


source: https://github.com/rickmark/mojo_thor/issues/1

source: https://github.com/rickmark/mojo_thor


The problem is this: if this is indeed what I have, would Apple even acknowledge it publicly or to me? From what I understand there may not be a fix for this once the loophole has been exploited, so if that is the case I assume their policy would be to patch it moving forward and stay as quiet about it as possible if it cannot be fixed.


Ok, I understand that is the approach that actually makes sense for them to take as a company. But then what is the user who has this supposed to do while being hacked and asking for some help identifying if this is indeed on their system? I haven't been able to confirm anything yet as it's beyond my skill set, but if their engineers were aware of this based on my reporting and they told me I have nothing to worry about while they knew that not to be the case, that is really leaving their better customers out to dry and exposed. Once I realized this I tried to ask what they can even disclose, and if they would indeed tell me if it hadn't been or wasn't able to be patched, and no one could even give me an answer. I then realized how big of a problem this sort of closed-environment security policy is going to be once really bad malware gets widely distributed via a leak or a team publishing it.


Sure, in my case I'll assume I'm wrong, but that doesn't mean cases like this won't come up, and when they do en masse I cannot see Apple being able to handle the damage control. I'm actually very interested to see their approach to this issue.


I did learn about remote jailbreaking 0-click espionage malware that is out in the wild, and from what I know Apple was able to patch for it in 10 days, which I have to say is absolutely unheard of. Maybe they will be able to pull it off. I hope so.

May 5, 2021 8:27 PM in response to VikingOSX

To be honest I know they don't, from first-hand experience of trying to get support for an issue I can't fully be expected to be able to troubleshoot myself. It's possible I don't have what I suspected, but the malware I am referring to is out in the wild and has been confirmed by the FBI as malware even though Apple doesn't. Here is rickmark discussing what he learned from the FBI. It's way beyond what most people can even identify and I'll give Apple the benefit of the doubt, but me posting this here was because I was unable to get any support from Apple or even be taken seriously.


rickmark commented on Oct 10, 2017

To be utterly overt, the FBI has confirmed MojoKDP / Thor and Loki as malware. I have received permission to publish from the San Francisco division, and you can plainly see that this is an old version of the firmware vs. your repository for that model. You can also see the differences in the firmware dump as posted in the repository and I'd draw your attention to MOJO and STDK in the SMC as the decryption keys for a few LZMA compressed images in the firmware that are part of the DSMOS model of encryption of portions of the firmware. It is needed to dump the contents of the SMC before we can fully evaluate the differences in the firmware.


-----------------------------------------


rickmark commented on Dec 4, 2019

This is in fact an internal tool used by Apple developers that has been weaponized. MojoKDP provides a kernel debugger on the same box, and has no purpose on consumer machines.


Source: https://github.com/rickmark/mojo_thor/issues/1

Mar 2, 2021 8:47 PM in response to REPORTED_THIS_FOR_9_MONTHS

At this point I am going to just start dumping everything I have collected over the past year. I have spent so much time trying to learn this stuff so as not to waste Apple's time, but I have done everything I can at this point. I have had multiple banks hacked, all emails a few times until I got them all on YubiKeys, socials, data and every computer / cloud-controlled network gear I now have. Apple has told me all year I have nothing to worry about, and yet I told them I clearly do, and it turns out I did.


I will say most of the stuff I will post I believe is not evidence of anything. Now that I have spent this year learning how this all works I realize it works against me, just seeming crazy, but even if someone recognizes something malicious in a random place and it helps me get to the end I'll be happy. At this point I have nothing left to lose. The only way I can mitigate it is by removing the AirPort cards in my laptops and resetting every device and the network. If I connect those laptops to the network at any point it will start up again. And yes, I know to just get rid of the laptops... but I'm stubborn and I want to know what this is. I would like an explanation from Apple as to how, if that is the case, it still happens: if I clean install via USB or Internet Recovery on those devices it will continue to happen.



I will do my best to run any tests you request, and I apologize to all the devs that get tired of seeing posts like this. I have tried very hard to just assume I am reading into the wrong things and it's in my head, but I no longer can believe that. If someone can help me tighten the scope I can post more granular logs and tests if you are curious. I have experienced everything from a MikroTik RouterOS evil-twinning my router, where I got to its login page at my own router's IP, to DNS hijacking, to a cert being installed on my Dream Machine Pro. I confirmed that with Amazon, which was listed on the SSL cert the day it happened. I run all devices I own on different isolated VLANs, have run hypervisors to monitor, and talked with every other company from ISP to mobile provider, and no one cares or can do anything. I hope one of you will find this interesting, if not even entertaining, to see how wrong I have been in the past as I learned. Either way I know a lot more than I did about macOS, so I don't see it as just time wasted.


Here come the logs and screenshots. Ask and I'll provide you with whatever I have. If you think I'm crazy, just hold tight; I will be wrong about some stuff, but I promise there are things that even you will find interesting.

Mar 4, 2021 2:59 PM in response to BDAqua

Sure, clean install is booting to an external USB that contains an OS X installer. On boot, clear PRAM. While booted there, in Disk Utility reformat the entire drive: View - Show All Devices and pick the top physical disk. Shut down, clear PRAM on boot, boot back to the installer USB and install. I've done it across every OS going back to Mavericks on this machine and I have spent a lot of time trying to deal with it. I know people will think I'm being crazy, but I tried as hard as I could to learn how this all works.


See if you have bootbase.efi here /System/Volumes/Data/boot/
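An added example, not posted by anyone in this thread: two defender-side baseline checks matching what the posts ask about, the DNS resolvers macOS is actually using (the "DNS hijacking" concern) and whether bootbase.efi exists at the path named above. The expected-resolver list and the sample `scutil --dns` output are constructed for illustration; on a Mac the script reads the live output instead.

```shell
#!/bin/sh
# Added example (not from this thread): checks for unexpected DNS resolvers
# and for the bootbase.efi path mentioned above. EXPECTED_RESOLVERS and
# SAMPLE_SCUTIL are constructed values for illustration.

# Resolvers this network is supposed to hand out (assumption; set your own).
EXPECTED_RESOLVERS="192.168.1.1 9.9.9.9"

# Constructed sample of `scutil --dns` output containing one resolver
# (203.0.113.7, a documentation address) that is not on the expected list.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.7
  if_index : 6 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  order    : 300000'

# Print every nameserver in the given scutil output that is not expected.
# Returns 0 when all resolvers are expected, 1 when at least one is not.
unexpected_resolvers() {
    status=0
    for ns in $(printf '%s\n' "$1" | awk '/nameserver\[/ { print $3 }' | sort -u); do
        case " $EXPECTED_RESOLVERS " in
            *" $ns "*) ;;
            *) printf 'unexpected resolver: %s\n' "$ns"; status=1 ;;
        esac
    done
    return $status
}

# Report whether bootbase.efi exists in the given directory (default: the
# path asked about above). Returns 0 if present, 1 otherwise.
check_bootbase() {
    dir=${1:-/System/Volumes/Data/boot}
    if [ -e "$dir/bootbase.efi" ]; then
        printf 'present: %s/bootbase.efi\n' "$dir"
        return 0
    fi
    printf 'not present: %s/bootbase.efi\n' "$dir"
    return 1
}

# Stand-alone run: live scutil output on macOS, the constructed sample elsewhere.
if command -v scutil >/dev/null 2>&1; then
    unexpected_resolvers "$(scutil --dns)" || :
else
    unexpected_resolvers "$SAMPLE_SCUTIL" || :
fi
check_bootbase || :
```

A resolver that is not on your list is a starting point for investigation, not proof of compromise: a new router's DHCP lease or a VPN profile will change it too, so compare against what the router is configured to hand out.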

Mar 30, 2021 7:42 AM in response to REPORTED_THIS_FOR_9_MONTHS

If you were targeted with sophisticated and persistent malware—and that’d make you a fairly important target for some very well funded entity—you already know what to do: replace all your hardware. Don’t migrate. Replace. Computers, networking, all connected devices. Source the replacements directly from the stock of randomly-selected vendors, not shipped.


May 6, 2021 7:01 AM in response to Swoup

You need to learn about malware, to do the work, and acquire the evidence.

Or pay somebody to do the related forensics work.

Which can be expensive, tedious, and time-consuming.

A whole lot of folks here make these claims, few have proof.

Most have had something else happen; software and hardware problems being common.

Exposed passwords, phishing, DNS, lots of ways to get into trouble.

Apple can’t possibly investigate every claim.

Particularly claims as nebulous as this one, no offense intended.

Extraordinary claims need something approaching extraordinary proof.

May 18, 2021 8:29 AM in response to REPORTED_THIS_FOR_9_MONTHS

There is room here to learn more about keychain and its content and functions, and about not posting potentially sensitive data (such as email addresses), and about the limits of posting images. You will want and need to learn about malware too, and the work involved in determining risks, and in monitoring and detection. Which isn’t going to involve screen shots. Or you will want to pay somebody to teach you about or to perform the related forensics work. Work which can be expensive, tedious, and time-consuming. Not the least of which is reviewing the installed certificates. Which isn’t going to happen here, and not from images.


Available trusted root certificates for Apple operating systems - Apple Support

Apple PKI - Apple

https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf

etc.

May 25, 2021 8:46 AM in response to j2dkno1

Build a technical case with evidence of compromise(s), and there’ll be (more) interest.


Acquire the Apple internals book, acquire the Darwin source code, and acquire some texts on computer forensics and reverse engineering topics, and have at.


And if you want detailed and low-level control over what is happening with whatever platform you choose, you’ll likely want to migrate to Linux, BSD, or another similar platform that targets that market. macOS does not. And this is not to imply no Linux or BSD malware exists, nor that Linux or BSD are flawless and free of issues or compromises. Having source access will give you more insight into the what and why, which you’ll only get with far more effort and reverse engineering with macOS. And yes, I know you will not want to migrate to some other platform, and for any of various other (good) reasons. Which means you’ll be spending time learning forensics and reverse engineering.

Jun 9, 2021 8:37 AM in response to AutoGenetix_Design

There are forensics classes, malware analysis publications and materials, and "blue team" training programs around, and there are materials on securing computers against unauthorized access.


I'd suggest starting there, and with gathering evidence of compromise.


From Apple:

https://manuals.info.apple.com/MANUALS/1000/MA1976/en_US/device-and-data-access-when-personal-safety-is-at-risk.pdf


A list of some Mac forensics tools from a book on this topic:

https://docs.google.com/document/d/1xOWmMueHHRke9aj3oRqNBgK69Y19hgZ7ehM4H9_Me-Y/edit


I'd avoid running tools that make changes to your system and your security configuration for now, as security-related changes can potentially introduce problems for apps that you want and need. Have backups beforehand, if you do.


And with apologies, I'm not in a position to switch over into a forensics-related investigation.


Mar 1, 2021 1:44 AM in response to REPORTED_THIS_FOR_9_MONTHS

Update here is the system profile.


https://privatebin.net/?a42b704abcd71a90#A4EVFxAmfxXawrW4odXYfLVRzA2uWfvRf4mrg4Lz77s1


I am not a dev and I probably have destroyed this OS investigating things. I assume there should be some issues but figured it may be a good baseline for the system. Maybe someone will spot something.


Apps I have installed and know. More than half of these were installed to do further diagnostics on the machine. If you haven't seen https://eclecticlight.co/, check it out; there are a lot of really helpful resources and software there.


The Electric Light Company

ArchiChect.app

Cirrus.app

xattred.app

DelightEd.app

Podofyllin.app

Dintch.app

Fintch.app

Metamer.app

PermissionScanner.app

Bailiff.app

Revisionist.app

DeepArchive.app

DeepCopy.app

DeepUnarchive.app

Apfelstrudel.app

Dystextia.app

Alifix.app

UTIutility.app

Nalaprop.app

SearchKey.app

SearchKeyLite.app

Pratique.app

Sandstrip.app

KeychainCheck2.app

Signet.app

Whither 2.app

Whither.app

RouteMap 2.app

RouteMap.app

Mints.app

LockRattler.app

SystHist.app

RepairHomePermissions.app

Taccy.app

Stibium.app

Rectangle.app

Ulbow.app

Precize.app

Consolation3.app

SilentKnight.app



Setapp

Photolemur.app

Luminar Flex.app

PhotoBulk.app

Base.app

ForkLift.app

iThoughtsX.app

Dropzone.app

MacPilot.app

AnyTrans for iOS.app

Commander One.app

Gitfox.app

HoudahSpot.app

Movist Pro.app

TablePlus.app

DevUtils.app

TextSniper.app

Disk Drill.app

SQLPro for SQLite.app

Downie.app

Image2icon.app

Ulysses.app

SQLPro Studio.app

DCommander.app


Automator Apps

Import Folders of Image Files into Library as Albums.app

Export Albums to Folders.app

Import Folders of Image Files into Library as Albums-Version 2 2.app

Import Folders of Image Files into Library as Albums-Version 2.app

Export Albums to Folders-Albums SORTED.app

Create folder based on name.app

Export Albums to Folders-Albums SORTED 2.app

Export Albums to Folders-Albums SORTED2.app

I think this works.app

Flatten Folder Structure.app

Folder Structure to Albums.app

Gather Files To Folder.app

PhotoGrok.app


Android File Transfer.app

AppCleaner.app

TaskExplorer.app

Geekbench 4.app

Sublime Text.app

Geekbench 5.app

App Store.app

Automator.app

Books.app

Calculator.app

Calendar.app

Chess.app

Contacts.app

Dictionary.app

FaceTime.app

Find My.app

Font Book.app

Home.app

Image Capture.app

Launchpad.app

Mail.app

Maps.app

Messages.app

Mission Control.app

Music.app

News.app

Notes.app

Photo Booth.app

Photos.app

Podcasts.app

Preview.app

QuickTime Player.app

Reminders.app

Safari.app

Siri.app

Stickies.app

Stocks.app

System Preferences.app

TextEdit.app

Time Machine.app

TV.app

Voice Memos.app


Disk Drill.app

Transnomino.app

FSMonitor.app

Macs Fan Control.app

BlockBlock Installer.app

TheTimeMachineMechanic.app

iBoysoft NTFS for Mac.app

MySQLWorkbench.app

BBEdit.app

LuLu.app

Adobe Creative Cloud

Adobe Creative Cloud

Uninstall Adobe Creative Cloud

Adobe Photoshop 2021

Adobe Photoshop 2021.app

PortraitProBody Studio.app

4K Stogram.app

JDownloader2.app

Utilities

Activity Monitor.app

AirPort Utility.app

Audio MIDI Setup.app

Bluetooth File Exchange.app

Boot Camp Assistant.app

ColorSync Utility.app

Console.app

Digital Color Meter.app

Disk Utility.app

Grapher.app

Keychain Access.app

Migration Assistant.app

Screenshot.app

Script Editor.app

System Information.app

Terminal.app

VoiceOver Utility.app

Adobe Application Manager

Setapp.app

Google Chrome.app

Microsoft Word.app

Microsoft Excel.app

Microsoft PowerPoint.app

Microsoft OneNote.app

Microsoft Outlook.app

OneDrive.app

Endpoint Security for Mac.app

Bitdefender

SecurityNetworkInstallerApp.app

EndpointSecurityforMacUninstaller.app



Mar 4, 2021 10:12 AM in response to REPORTED_THIS_FOR_9_MONTHS

Languages switched and I'm not sure if those cookies are normal; this happened a long time ago. I believe this was either a Chrome account being compromised, a man in the middle / evil twin of the router, or DNS hijacking. I have video of how messed up the browser gets, almost like all the frames are crumbling and overlapping. This sort of attack or something like it would happen almost every night at around 2am - 4am. My network would go down and different attacks would happen. I'll see if I have videos from then if anyone wants them.

Mar 4, 2021 4:27 PM in response to REPORTED_THIS_FOR_9_MONTHS

Ok, sorry it took me a while to find the pic. I know everything up to this point could easily be nothing or something harmless. I would eventually start to think I had to be just making this up, and right when I started to think I was crazy this happened. I was setting up another router, and when I went to the IP of the Orbi I was taken to this page: a MikroTik running RouterOS.


I have UniFi everything now and I've monitored the other APs near me and none are from MikroTik. Never seen one in my life besides this instance, and it freaked me out. I had suspected they were using OpenWrt and evil-twinning my router back when I just had Spectrum's, but without the right hardware it was hard to do anything. If someone knows what they were attempting with this device, please let me know. I assumed it was the device being used for DNS cache poisoning, DNS hijacking, or it's a botnet.

