EFI Malware - DNS Hijacking

I have not been able to get much support or info back from Apple and I cannot afford a forensics team right now.


I know everyone says this kind of stuff isn't possible but I can confirm that some of it is. I have read most of the reports of the more advanced malware and DNS hijacking techniques but due to my lack of expertise in this area it's been hard to be sure.


I believe I am infected with mojo_thor EFI malware as how Rick describes it here is very similar to how I experienced it and still am. I don't want to waste a bunch of time so if you ask for logs or proof I'll do my best to get you exactly what you need to see. I have been trying to learn essentially how the inner workings of enterprise management tools and the OS work and for now it's more than I can handle.


I do know I have been under attack and I highly suspect it is stemming from my Apple devices. I know 100% that there will be things I think are evidence of something malicious and they won't be. I've read every forum post like this and know it's going to be people giving me a hard time if I do that. Please hang in there, I have spent enough time with this to know something is going on and I have almost a year of documentation, logs and photos and will, as directed, update here for anyone that is willing to help.


The stuff I post will not be in order of what's most convincing. If I post it it probably means it was or is the latest thing I'm trying to rule out and understand. If you want a log just ask.


Thanks,



First up, and this is pretty off topic unless there is EFI bootstrapping during boot, but does anyone recognize this failure installing with these errors and process?





Posted on Feb 28, 2021 11:43 PM

50 replies

May 17, 2021 10:38 PM in response to MrHoffman

Also I will note that extraordinary proof of this sort of malware is nearly impossible. I agree I need to provide something that is verifiably malicious and not only that but very rare in its behavior. I've asked many times for what that may look like, as I know based on security research what that evidence looks like, but it isn't something I understand at that level.


The easy things I've been able to verify and have evidence of that I understand is a MikroTik router running RouterOS somehow evil-twinning a router almost instantly after setup. The risk is as follows:


Next, the hacker would use ARP spoofing to restructure the network internally. ARP, or Address Resolution Protocol, is used by devices on a network to associate the MAC address of a device with an IP address on the network. Bettercap will send out ARP messages telling all devices on the network that the MikroTik running RouterOS is the router. This allows the hacker to intercept all network traffic bound for the router.


Once all traffic is re-routed through the hacker’s computer, the hacker can run Bettercap’s DNS spoofing module. This will look for any requests to a targeted domain, and send a fake reply back to the victim. The fake request contains the IP address of the hacker’s computer, redirecting any request to the target website to the phishing page hosted by the hacker.




May 18, 2021 7:28 AM in response to REPORTED_THIS_FOR_9_MONTHS

Rogue DNS and ARP redirections should be flagged by TLS errors, unless the user has also been loading rogue certs. (Rogue DNS is a completely different problem, BTW.) None of this is client-local malware, either. And searching logs is ~futile. Not until specific targets are known. Logs are useful for confirmation, less so for initial detection.
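The two-step chain quoted in the earlier post (ARP reply claiming the gateway, then a spoofed A record pointing at the attacker's LAN host) and the detection point made in this reply can be turned into a concrete check. The block below is an added example, not code from the thread, from Bettercap, or from Apple; the ARP replies and DNS answers it scans are constructed sample records, and the gateway address, MACs and hostnames are assumptions. A real run would feed the same tuples from a packet capture and the resolver's answers.

```python
"""Detection pass for the ARP-spoof -> DNS-spoof chain described in the thread.

Added example, not code from the original thread or from Bettercap. The ARP
replies and DNS answers below are constructed sample records; a real run would
feed them from a packet capture (e.g. parsed tcpdump output) and the resolver.
"""
import ipaddress

# Constructed: (timestamp, sender_ip, sender_mac) from ARP replies seen on the LAN.
GATEWAY_IP = "192.168.88.1"                          # assumed router address
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.88.1", "aa:bb:cc:00:00:01"),      # legitimate router
    (2.0, "192.168.88.20", "aa:bb:cc:00:00:20"),
    (3.0, "192.168.88.1", "aa:bb:cc:00:00:01"),
    (4.0, "192.168.88.1", "de:ad:be:ef:00:99"),      # a second MAC now claims the gateway IP
    (5.0, "192.168.88.1", "de:ad:be:ef:00:99"),
]

# Constructed: (queried_name, A-record answer) as returned by the LAN resolver.
SAMPLE_DNS_ANSWERS = [
    ("example.com", "93.184.216.34"),
    ("login.bank.example", "192.168.88.77"),         # public name answered with a LAN address
    ("printer.local", "192.168.88.5"),               # local name; a private answer is normal
]

LOCAL_SUFFIXES = (".local", ".lan", ".home.arpa")    # names expected to resolve privately


def detect_arp_conflicts(replies, gateway_ip):
    """Flag every ARP reply in which an IP is claimed by a different MAC than before.

    A MAC change for an ordinary host can be benign (DHCP lease reuse, a swapped
    device); a MAC change for the gateway IP is the "I am the router" poisoning
    step from the scenario above and is marked high severity.
    """
    last_mac = {}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({
                "ts": ts, "ip": ip, "old_mac": prev, "new_mac": mac,
                "severity": "high" if ip == gateway_ip else "low",
            })
        last_mac[ip] = mac
    return alerts


def detect_private_answers(answers, local_suffixes=LOCAL_SUFFIXES):
    """Flag public names whose A record points into private, link-local or loopback space.

    The spoofed reply in the scenario carries the attacker's own LAN address, so a
    public hostname resolving into RFC 1918 space is the strong signal. CDN-style
    differences between resolvers are deliberately not used, since they are normal.
    """
    flagged = []
    for name, ip in answers:
        if name.lower().endswith(local_suffixes):
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            flagged.append((name, ip))
    return flagged


def correlate(arp_alerts, dns_flags):
    """Tie the two signals together: gateway takeover plus a public name pointing at LAN space."""
    gateway_taken = any(a["severity"] == "high" for a in arp_alerts)
    return {
        "gateway_takeover": gateway_taken,
        "lan_redirects": dns_flags,
        "likely_mitm_chain": gateway_taken and bool(dns_flags),
    }


if __name__ == "__main__":
    arp = detect_arp_conflicts(SAMPLE_ARP_REPLIES, GATEWAY_IP)
    dns = detect_private_answers(SAMPLE_DNS_ANSWERS)
    for a in arp:
        print(f"[ARP {a['severity']}] t={a['ts']} {a['ip']} moved {a['old_mac']} -> {a['new_mac']}")
    for name, ip in dns:
        print(f"[DNS] public name {name} answered with private address {ip}")
    print(correlate(arp, dns))
```

Two caveats follow from the reply above. First, this check only confirms the LAN-side redirection; for an HTTPS target the redirect still fails the certificate check in the browser unless a rogue CA has been installed on the client, so an unexplained certificate warning is the earlier and more reliable signal. Second, a single gateway MAC flip is also what a legitimately replaced router looks like, so the high-severity alert should be read together with the DNS flag, which is what `correlate` does.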


Mar 4, 2021 10:04 AM in response to REPORTED_THIS_FOR_9_MONTHS

This email I found is a run-of-the-mill ransom email and the account is pretty much under brute force all the time. I've regained access and it wasn't an account I use often. I am well aware of how widespread this extortion scam is, it just was funny timing or it may be a legitimate one. I didn't see the email until after it was time to pay. I couldn't send an email to him either as he somehow created it in my inbox without a from address.



Mar 4, 2021 11:25 AM in response to REPORTED_THIS_FOR_9_MONTHS

My theory here is the EFI on my machine is supposed to be updated and checked during the install process. The computer actually hides a partition, or it is being enforced by a policy / config, and that is the ramdisk used to install the OS. Even if I boot to an external USB installer it will appear like I am booted to it but I'm not actually. Erasing the drive doesn't get rid of it either. I have some of the install logs that I pulled up while it's being installed and it shows there what's going on. It probably isn't malicious but I had a hard time figuring out how stuff was persistent across clean installs.




Mar 4, 2021 3:05 PM in response to REPORTED_THIS_FOR_9_MONTHS

Does anyone know what this is? I know what the program is now but one day it opened up on my computer like this. It must have been installed with the Xcode CLI because I use Homebrew from time to time. I wasn't sure if that always happened since I believe this occurred when it was still in beta and not publicly out.

Mar 4, 2021 5:29 PM in response to REPORTED_THIS_FOR_9_MONTHS

I will mention the way this all started is that my computer wouldn't go to sleep and I couldn't change any of the network settings. This is what forced me to realize that something was able to persist through clean installs. Every time I would clean install I still couldn't change anything in the network settings, with how little I knew back then. All I knew was that they were locked in, except for a few times I was able to break it by using a new location, I believe. Either way this is what I explored and reported to Apple and told them it had to be some sort of system / enterprise MDM/DEP config or somehow it was bootstrapping the config and getting the files from somewhere. I originally thought it was some sort of remote boot or bootstrap but I now just think it's the hidden partitions on the drive. Apple hasn't told me anything other than I have nothing to worry about.


I'm not 100% sure if this is the correct file, but if it isn't the file that the system looks to to set up the IPConfiguration please let me know where I can find it and I'll post it.








May 5, 2021 8:31 PM in response to AutoGenetix_Design

If you are serious please let me know if you have found anything else out. I do know other people have had it because I can find some posts that normally go unanswered, but based on their description and the issues described I am fairly certain it is the same malware or other versions of it. I can say that I have found 5 to 10 posts like that that clearly are describing the same issues I have been having.

May 5, 2021 8:36 PM in response to MrHoffman

How confident are you in that statement? I would tend to agree but it must be a hack of opportunity or a missed target. It's either a very sophisticated automated malware that has command and control, because no one would invest this much time in me. I don't use these computers for anything but trying to study this malware, but if you do have knowledge in this area please let me know. I do plan to request all my ticket data from Apple and I will eventually turn it all over to the FBI so they can at least verify. I do want to be able to confirm it if I can but I've kinda given up, it's so daunting.

May 5, 2021 8:38 PM in response to InkyAngee

Yeah, I know, it's just so maddening for me as I am somewhat capable with these machines but the level of understanding needed to even verify this malware is so far beyond what I can confidently do I don't really know how to proceed. I know I can never use these machines again but what I want to do is prove that it does exist and that I did report it correctly to Apple many times.

May 18, 2021 6:28 PM in response to MrHoffman

Please don't get on me about personal data in the pics. I apologize if it's against the rules but you need to understand I haven't been able to keep personal info on any of my Macs for a year now. I've had 4 emails hacked, 2 bank accounts where they somehow got the card info, I'm under a 10+ phishing email campaign daily on every email and I have to VLAN every device to keep everything isolated on the network. I also have to replace my debit card monthly because something is triggering something on my bank's system that my info is being leaked from somewhere but they can't disclose where. If I run a scan on my info on haveibeenpwned, my info from all emails, mostly older data, is dumped weekly.


I have MFA using 2 Titan keys for all accounts I care about and have pulled all data down to drives on another network when I first saw this stuff going on. I use my computers with the understanding I could care less if anyone watches or steals anything.


I'm also not really expecting anyone to help either. Based on the brief convo I had with rickmark he said it's nearly impossible to identify even for people who do this for a living. I will eventually call the FBI, turn the devices over to them, request all my tickets from Apple, and if the FBI confirms what I can't and I provided Apple with the info they needed and they chose to lie to me then I take issue with that in a big way. I understand their company's security takes priority over what I report but they only have ever told me I'm fine or simply they don't reply.


I don't expect anyone to want to help or know how to and that's fine. I'm really just posting here as a very long shot that someone may see something they know. I do think Apple's support is bad in how it's set up because they expect me to know what to submit to them. I can verify things are not working normally but there is a huge step between knowing and testing if something is operating properly and being able to submit to them the correct info that is causing the behavior.


Essentially they just ask you to submit whatever it is and will not talk to you about what they need or may not need. So I just do my best to learn as much as possible and provide them with everything that may be of use, but I am only giving it my best working theory at the time. From that point on I don't hear back from anyone ever.


I've tried it where I just ask 1 question to keep it easy to respond, but I find even doing that it gets escalated and I don't get a response. An example of an easy question: "Is my Apple account a dev account or not?" I got 2 answers back from different departments, one yes and one no. It took 4 weeks to get an actual answer. I then asked if they knew whether, in beta still, apps like Simulator and CoreML would be installed if I installed just the Xcode CLI for Homebrew, because I would find these apps running on my machine. I was just trying to close a door so I could stop looking in that direction and just rule it out. They couldn't answer that question and they just said we don't know, sorry.


I was only asking because no one could tell me why I have an OTA update log I didn't initiate in any way, similar to the one here https://discussions.apple.com/thread/251237148, and no one could tell me why it was doing this sort of stuff:


patchd: Will install personalized content to preboot


patchd: patchd_set_paths_from_scratch(702): scratch_path=/System/Volumes/Data/private/tmp/tmp-mount-p3fZC7/softwareupdate.224.6YfodK/
patchd: patchd_set_paths_from_scratch(703): package_path=/System/Volumes/Data/private/tmp/tmp-mount-p3fZC7/softwareupdate.224.6YfodK/source/
patchd: patchd_set_paths_from_scratch(704): rootA_path=/mnt1/
patchd: patchd_set_paths_from_scratch(705): rootB_path=/System/Volumes/Data/private/tmp/tmp-mount-p3fZC7/softwareupdate.224.6YfodK/target/root/
patchd: patchd_set_paths_from_scratch(706): payload_path=/System/Volumes/Data/private/tmp/tmp-mount-p3fZC7/softwareupdate.224.6YfodK/source/payloadv2/
patchd: patchd_set_paths_from_scratch(707): boot_path=/System/Volumes/Data/private/tmp/tmp-mount-p3fZC7/softwareupdate.224.6YfodK/source/boot/
patchd: patchd_macos_block_invoke_6(797): Update plist loaded (context initialized).
patchd: patchd_macos_set_bless_to_fail_back(575): No fail back info set.
[05:33:30.0897-GMT]{3>6} CHECKPOINT END: PATCHD:[0x051F] patchd_macos_load_update_plist
ota-step-ids = {}
executing /usr/sbin/nvram ramrod-nvram-sequence=10




May 18, 2021 6:40 PM in response to MrHoffman

I don't even bother worrying about it anymore because there's nothing I can actually do or anyone that can really help, so it's whatever. I learned a lot but not enough to really know more than that stuff is still going wrong in strange ways.


As it stands now here are a few questions / errors that no one seems to be able to explain. If you want me to demo these things lemme know, I'd be more than happy to troubleshoot it or try your suggestions.


  • Computer cannot use Internet Recovery at all. -3001D or -3001F errors and there is no documentation other than "network issue" that I could find. Doesn't matter how I try to do it or on which network, it doesn't work, and it stopped working about 8 months ago.


  • I have an identical log to this on my machine that I found on rickmark's GitHub and he just has it titled "Malicious Internet Recovery". My log has the exact massive block of errors that say:
Jun 23 02:25:26 MacBook-Air osinstallersetupd[610]: IFJS: Package Authoring Error: access to path "/tmp/com.apple.pkg.testing" requires <options allow-external-scripts='true'>
Jun 23 02:25:26 MacBook-Air osinstallersetupd[610]: IFJS: Package Authoring Error: access to path "/tmp/com.apple.pkg.testing" requires <options allow-external-scripts='true'>
Jun 23 02:25:26 MacBook-Air osinstallersetupd[610]: IFJS: Package Authoring Error: access to path "/tmp/com.apple.pkg.testing" requires <options allow-external-scripts='true'>
Jun 23 02:25:26 MacBook-Air osinstallersetupd[610]: IFJS: Package Authoring Error: access to path "/tmp/com.apple.pkg.testing" requires <options allow-external-scripts='true'>
Jun 23 02:25:26 MacBook-Air osinstallersetupd[610]: IFJS: Package Authoring Error: access to path "/tmp/com.apple.pkg.testing" requires <options allow-external-scripts='true'>
Jun 23 02:25:26 MacBook-Air osinstallersetupd[610]: IFJS: Package Authoring Error: access to path "/tmp/com.apple.pkg.testing" requires <options allow-external-scripts='true'>
Jun 23 02:25:26 MacBook-Air osinstallersetupd[610]: IFJS: Package Authoring Error: access to path "/tmp/com.apple.pkg.testing" requires <options allow-external-scripts='true'>
Jun 23 02:25:26 MacBook-Air osinstallersetupd[610]: IFJS: Package Authoring Error: access to path "/tmp/com.apple.pkg.testing"

source: https://gist.github.com/rickmark/ab067932470223a9f55d533a90f9614a

I don't expect an answer but that's where I left it and gave up.

May 18, 2021 6:40 PM in response to REPORTED_THIS_FOR_9_MONTHS

Maybe take a step back here. How is this going to end?


I think you should identify a date or a place where you can bring this investigation to a close. Are you going to continue this for a year, two years? If your user name was "REPORTED_THIS_FOR_9_MONTHS" and you posted on March 1st, you are coming up on your one-year anniversary.


For any project that anyone starts, there needs to be an end - some point where you can call it done and complete. Whether you can bring yourself to do that or not is irrelevant. We all end eventually. You can spend the remaining years of your life in this hunt for your hacker, or you can find something more meaningful to do with them.
