Factory reset macmini M1 2020 is not like the others

My Apple devices (less than a year old) have got issues I can't match to anything. I checked the Apple Boot Process guide and my boot appears to be a deviation?


Despite having this particular macmini factory reset at the Apple Store a few weeks ago, it will often run deprecated commands or invoke applications and processes that are a part of the Apple Open Source archive and behave like it is 2023 on the outside and 2004 on the inside.


First time the using in-built Apple apps like TextEdit there was irregular network activity. So I checked them in a sandbox and they contacted a lot of domains and IP addresses via TCP and UDP, added files, edited existing files including RemoteConfiguration.plist - amongst other things.


The firewall and stealth mode keep getting turned off, or they will show as enabled in the control panel but disabled in the system report.


I've compared my files against unrelated external machines with the same specs and version, and there is a great deal of difference between them.


The new updates haven't improved anything. I have checked all the usual things. The Apple guy wouldn't say much other than that it had been factory reset now; I waited 7 hours. He suggested I get a cyber security company, but I can't afford one and I'm out of ideas.




Mac mini (M1, 2020)

Posted on Apr 5, 2023 8:11 AM

Question marked as Top-ranking reply

Posted on Apr 15, 2023 8:26 PM

When you say 'factory reset' how was that actually performed? Was it the 'Erase all Content and Settings'? To be entirely sure install Apple Configurator from the Mac App Store on your second Mac. Obtain a Thunderbolt 4 USB-C cable. Use this guide to put the Mac Mini into DFU mode and use Apple Configurator to Restore the Mac to factory. It will download the signed Ventura IPSW file from Apple and then fully reset the Mac to factory. This should provide some peace of mind. Revive or restore a Mac with Apple silicon using Apple Configurator – Apple Support (AU)


The Apple logs are deeply confusing and full of a massive amount of debug detail that mostly internal Apple engineers can decipher. The logs are also scrubbed of sensitive data to protect privacy. This changed when Apple introduced the Unified Logging functionality. To learn more than you ever wanted to know about reading and parsing the logs see Howard Oakley's blog: https://eclecticlight.co/2021/09/27/explainer-logs/

He has several utilities to help with parsing and reading logs. Lots of posts that deep dive and provide useful insights.


In addition, there is the packet filter PF firewall that is ported over from BSD UNIX. A handy utility to help with configuring the arcane pf.conf is https://murusfirewall.com; it's just a GUI to make things easier. Worth every penny in my opinion. Certainly easier than hand-coding the rules in Vim. The PF firewall is built into the kernel and you can utilize both firewalls. The PF firewall is off by default. Murus has another app called Valium that can help with the Application Firewall. Another 3rd party firewall is Little Snitch.


As others have mentioned, it's highly unlikely your Mac has been compromised. It sounds more like you are accustomed to Linux and macOS is considerably different. Malware does exist but it's far more rare than on other operating systems. You will find things are locked down tight with macOS. The System volume is entirely immutable. It starts with a read-only volume locked with System Integrity Protection (SIP), then an APFS snapshot is made which is signed only by Apple and sealed. The OS actually boots from the snapshot. Apple Silicon Macs use their own form of secure boot and don't suffer from the issues with secure boot on PCs. The SSD is factory encrypted out of the box. When you turn on FileVault you are merely generating some public / private keys, sticking the private key in the Secure Enclave within the SoC and using the public key to generate the recovery code. The disk is already encrypted. The built-in Apps such as Calculator all come from a signed installer and are entirely immutable. There is no way for malware or any user including root to alter the contents of Calculator.app/. Malware can infect a user profile but not the System and certainly not install a rootkit, etc. Apple's built-in malware tools autoupdate and can block malware. In the distant past they were first used to block vulnerable versions of Adobe Flash and Java, prompting the user to go upgrade them before they would be allowed to execute.
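The reply above points to Howard Oakley's explainer for reading the unified log. As an added example (not code from this thread, from Apple or from Oakley's utilities), here is a small Python parser for the default `log show` line layout, which prints Timestamp, Thread, Type, Activity, PID and TTL columns followed by `process: (sender) [subsystem:category] message`. It turns each line into a record, counts which processes are noisiest, and pulls the product id, error code and description out of PackageKit `PKDistributionError` messages of the kind quoted later in this thread. The sample lines are constructed for the example, modelled on the excerpts posted in the thread; the kernel and launchd timestamps are made up.

```python
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional

# Default `log show` line layout: Timestamp, Thread, Type, Activity, PID, TTL,
# then "process: (sender) [subsystem:category] message". The (sender) and
# [subsystem:category] parts are optional, as the kernel: and launchd: lines show.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+[+-]\d{4})\s+"
    r"(?P<thread>0x[0-9a-fA-F]+)\s+"
    r"(?P<type>\S+)\s+"
    r"(?P<activity>0x[0-9a-fA-F]+)\s+"
    r"(?P<pid>\d+)\s+"
    r"(?P<ttl>\d+)\s+"
    r"(?P<process>[^:\s]+):\s+"
    r"(?:\((?P<sender>[^)]*)\)\s+)?"
    r"(?:\[(?P<subsystem>[^:\]]+)(?::(?P<category>[^\]]*))?\]\s+)?"
    r"(?P<message>.*)$"
)
# PackageKit distribution-evaluation failures (Code=102 / Code=106 in the thread).
PK_ERROR_RE = re.compile(
    r'Error Domain=PKDistributionError Code=(?P<code>\d+) "(?P<desc>[^"]*)"'
)
PRODUCT_RE = re.compile(r"Product Evaluation: (?P<product>\S+) \(")

# Constructed sample, modelled on the `log show` excerpts quoted in this thread.
SAMPLE = """\
2023-04-13 17:17:03.867473-0700 0x13c4     Info        0x0                  495    0    transparencyd: (CloudKit) [com.apple.cloudkit:CK] Device is NOT an AppleInternal install
2023-04-13 17:17:15.485219-0700 0x17d8     Default     0x57a4               297    30   softwareupdated: (SoftwareUpdate) [com.apple.SoftwareUpdate:SoftwareUpdate] Product Evaluation: 002-41708 (002-41708.English.dist): Volume check failed: Error Domain=PKDistributionError Code=106 "Command Line Tools for Xcode can’t be installed on “Macintosh HD” because the version of macOS is too new." UserInfo={NSLocalizedDescription=Command Line Tools for Xcode can’t be installed on “Macintosh HD” because the version of macOS is too new.}
2023-04-13 17:17:15.821176-0700 0x17d8     Default     0x57a4               297    30   softwareupdated: (SoftwareUpdate) [com.apple.SoftwareUpdate:SoftwareUpdate] Product Evaluation: 061-10035 (061-10035.English.dist): Installation check failed: Error Domain=PKDistributionError Code=102 "ERROR_BOOT_LEOPARD" UserInfo={type=Fatal, message=ERROR_BOOT_LEOPARD}
2023-04-13 17:17:20.000000-0700 0x1a0      Default     0x0                  0      0    kernel: (Sandbox) Sandbox apply: auearlyboot[11] <bytes>
2023-04-13 17:17:21.000000-0700 0x1b2      Default     0x0                  1      0    launchd: [system:] Service "com.apple.ManagedClient.startup" tried to register for endpoint "com.apple.ManagedClient.agent" already registered by owner: com.apple.ManagedClient
"""


@dataclass
class LogRecord:
    ts: str
    thread: str
    type: str
    activity: str
    pid: int
    ttl: int
    process: str
    sender: Optional[str]
    subsystem: Optional[str]
    category: Optional[str]
    message: str


def parse_lines(text: str) -> Iterator[LogRecord]:
    """Yield one LogRecord per well-formed line; the column header and any
    wrapped continuation lines do not match the pattern and are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        d = m.groupdict()
        yield LogRecord(
            ts=d["ts"], thread=d["thread"], type=d["type"], activity=d["activity"],
            pid=int(d["pid"]), ttl=int(d["ttl"]), process=d["process"],
            sender=d["sender"], subsystem=d["subsystem"], category=d["category"],
            message=d["message"],
        )


def distribution_errors(records: Iterable[LogRecord]) -> List[dict]:
    """Extract product id, error code and description from PKDistributionError
    messages, which softwareupdated logs when a product's install checks fail."""
    found = []
    for r in records:
        m = PK_ERROR_RE.search(r.message)
        if not m:
            continue
        p = PRODUCT_RE.search(r.message)
        found.append({
            "process": r.process,
            "product": p.group("product") if p else None,
            "code": int(m.group("code")),
            "description": m.group("desc"),
        })
    return found


def count_by_process(records: Iterable[LogRecord]) -> Counter:
    """Which processes dominate the captured window."""
    return Counter(r.process for r in records)


def summarize(text: str) -> dict:
    records = list(parse_lines(text))
    return {
        "records": len(records),
        "by_process": count_by_process(records),
        "distribution_errors": distribution_errors(records),
    }


if __name__ == "__main__":
    # Read piped `log show` output if there is any, otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    s = summarize(text)
    print(f"{s['records']} records")
    for proc, n in s["by_process"].most_common():
        print(f"  {n:4d}  {proc}")
    for e in s["distribution_errors"]:
        print(f"  PKDistributionError {e['code']} for {e['product']}: {e['description']}")
```

On a Mac it can be fed directly from the log, for example `log show --last 1h --predicate 'process == "softwareupdated"' | python3 parse_log.py`; without piped input it runs over the embedded sample. Note that `<private>` placeholders in the message body are the log's privacy redaction, not parser output, so a message field that reads `<private>` carries no further detail to extract.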

36 replies

Sep 19, 2023 8:12 AM in response to gravityfed

Following on my initial enquiry much has come to light. The Macs have indeed been tampered with. I am unable to post external links to the report so here are a few things worth mentioning. Still, Stealth Developer Mode is now authenticated as currently active.


Lockdown is circumvented by using a BlastDoor passthrough. iMessage, FaceTime and Messages/SMS are then activated and misused. The Mac is forced into developer mode. The 'factory reset' is a waste of time because the attackers employ a number of reinstall 'exceptions' and skipping of various disks for deletion, thus nullifying the objective of a fresh install (reinstalling from macOS on an external drive). It does not actually fully remove all data from the system.


Information for apps and processes is located in shared memory with a seed number that is deemed as still valid. The system then uses that cached information.


The attackers use developer mode to operate between demo, development, production and unknown. With developer mode force enabled, softwareupdated is able to download a 10.15 version of XProtect.app, its plist and the MRT.app. It is then installed by PackageKit.


User settings are overridden by stealth, such as Bluetooth, WiFi, Auto Unlock, Handoff, Instant Hotspot, AirDrop, FindMy, Continuity and Location. Firewall settings and TrustedPeers are tampered with. PSC-tombs are resurrected.


There are a lot of things that are simulated:

locationd: [com.apple.locationd.Core:Simulation] {"msg":"Do we have a listener?", "listtner":"<NSXPCListener: 0x******cc0> service: com.apple.locationd.simulation"}
ContextStoreAgent: (CoreDuet) Simulating crash. Reason: <private>
SoftwareUpdateNotificationManager: (SoftwareUpdateCoreSupport) [com.apple.su:SU] [SIMULATE] DISPATCH: created simulate dispatch queue domain(com.apple.su.core.simulate)


Developer Attestation Certificates are present.

identityservicesd: (DeviceIdentity) Returning cached certificates:
* <cert(0x*******70) s: xxxxx redacted xxxxx i: Basic Attestation User Sub CA1>
* <cert(0x*******f0) s: Basic Attestation User Sub CA1 i: Basic Attestation User Root CA>


Also fake Apple certificates:

TEST UCRT ATTESTATION ROOT CA10U
TEST UCRT ATTESTATION ROOT CA10U
Basic Attestation User Root CA10U
Fake Apple Inc.10UFake US0
Fake Apple DDI Secure Boot Root CA - G110U
Fake Apple Extra Content Global Root CA - G110U
0d1705U.img4 test secp256r1 Root Certificate Authority10U
0d1705U.img4 test secp384r1 Root Certificate Authority10U
Apple, Inc.1/0-U&Local rsa4K Root Certificate Authority0


The Macs now dual-boot iOS on the M1 Mac. They're also running a modified version of QEMU and have an AppleQEMUGuestAgent with loose permissions. Many other scripts and virtual OSes are employed.


triald is a little-publicly-spoken-about identity that is shrouded in mystery. However, triald has a very active existence on our devices. Used by Siri, knowledge-agent and dasd, triald downloads an interesting array of 'treatments', 'experiments' and 'factors' which appear to be used in a variety of ways. From what I have seen, various Siri related actions are downloaded by triald. These then appear to be used to load the developer experiments and changes onto the Apple iOS device. triald is not the only one implementing experiments; so does geod.


There is still much more to this exploit than can be covered in one post, and it's across all Apple OSes. Sadly, nothing yet will fix this, but at least research is in progress now that a sizeable effect has been identified.

Apr 13, 2023 10:21 PM in response to MrHoffman

Hi, I really appreciate the replies, however, I am not an idiot and I don't understand why the snarky replies?


I uploaded the executable file contained within the MacOS folder of the Contents of the app.


According to the results, when the Calendar app was executed it 'dropped' a RemoteConfiguration.plist and a CFNetworkDownload_v2RgCz.tmp file, amongst other things.


CVE-2019-12259 and CVE-2019-12265 were identified.


Hidden in the files on both my Macs are makefiles and a folder Berkeley DB, which is created with VxWorks.


I understand that many of the things I have noted, exist on Macs, but that doesn't mean that they haven't been manipulated to do something else, which is also the definition of an exploit.


Wanting to understand why my computer is performing processes that haven't been asked of it, particularly when they concern things like remote management, is not a bad thing. I do understand there is a line over which every sniffle becomes (unreasonably) questioned by a user as 'hacked', which is a source of annoyance to regular users of the forum here, and understandably so. I think my questions are legitimate.

Apr 25, 2023 3:32 PM in response to gravityfed

I am following up for anyone also looking into these logs on their device. I discovered it is exploit CVE-2022-46689 which has been used to gain root privileges to my MacBook Pro, Mac Mini, iPhone and all our iPads (and wifi, security camera access). This exploit will allow someone to silently control your devices and modify your apps all whilst sending your data to its servers. It has been active for a long time and uses discovery mode to seek out other devices, therefore, is high risk. Unfortunately, the problem persists regardless of patches/updates and re-installs.

Apr 13, 2023 6:03 PM in response to gravityfed

I can tell you that the "corecrypto" process you have highlighted is part of Ventura and is an Apple process that is totally fine. I suggest downloading EtreCheck and posting the report here using the "Additional Text" option when posting. This is a safe program that is used frequently here on these forums to diagnose software issues. If you are concerned about malware, then Malwarebytes is another program suggested here to search for malware.


There is no other Anti-virus or Cleaner program that is needed or should be installed.

Jul 6, 2023 2:33 PM in response to gravityfed

First, there is no reason to ever install or run any 3rd party "cleaning", "optimizing", "speed-up", anti-virus, VPN or security apps on your Mac. These documents describe what you need to know and do in order to protect your Mac: Effective defenses against malware and other threats - Apple Community and Recognize and avoid phishing messages, phony support calls, and other scams - Apple Support.


There are no known viruses, i.e. self-propagating, for Macs. There are, however, adware and malware which require the user to install them, although unwittingly most of the time, through sneaky links, etc.


Antivirus developers try to group all types as viruses in their ad campaigns of fear. They do a poor job of detecting and isolating the adware and malware. Since there are no viruses, these apps use up a lot of system resources searching for what is non-existent and adversely affect system and app performance.


There is one app, Malwarebytes, which was developed by a long time contributor to these forums and a highly respected member of the computer security community, that is designed solely to seek out adware and known malware and remove it.  The free version is more than adequate for most users.  


Also, unless you're using a true VPN tunnel, such as between you and your employer's, school's or bank's servers, they provide false security from a privacy standpoint. Read these two articles: Public VPN's are anything but private and Former Malware Distributor Kape Technologies Now Owns ExpressVPN, CyberGhost, Private Internet Access, Zenmate, and a Collection of VPN “Review” Websites


So, as you've already been advised to do, uninstall any software that falls in the categories above according to the developers' instructions.


Apr 13, 2023 6:39 AM in response to gravityfed

Part 1 of 2


Any Third Party Application that will interfere with the normal operation of the OS is an invitation for disaster.


Certain Applications may be available on the Apple App Store - this only means the Developer is prepared to pay Apple a portion on each sale. What the Application may do to the computer is up to the User to check out before purchase.


Any of the below should be removed as per the Developer's Instructions:

1 - Disk Cleaner

This will include CleanMyMac, aka “BrickMyMac”
MacKeeper
Dr Cleaner Pro Plus
Open Cleaner one Pro
Macmechanic

2 - Third Party Security Software

This will include BitDefender
Norton Antivirus
Sophos Av Software
Intego AntiVirus
McAfee
Avast AntiVirus
Ad Guard
Webroot
ESET
Avira
AVG AntiVirus
avira antivirus
Trustee
AntiVirus for Mac
F-Secure
Securemac
Cylance
Kaspersky Internet Security
➡️ Total Virus Software ⬅️

Read some of the postings and arrive at your own conclusions.

The Built-in Security is all that is required.


Part 2 of 2


If, and only if, the user used Setup Assistant on the first reboot after Erase All Content and Settings was performed, issues that may have existed when the Time Machine Backup was made would be migrated to the New Installation on this Computer.

This would badly pollute the New Installation and effectively re-introduce the Old Issue back into the New Installation.



Apr 13, 2023 7:36 PM in response to Owl-53

I have only used Time Machine a few times just after I bought it and then didn't need it so I turned it off, that was 11 months ago and I didn't save the backups.


I ran Malwarebytes about 4 reinstalls ago because I was getting desperate and it seemed generally accepted here that if you *had* to do something that was the better option, but it showed nothing. I also tried EtreCheck, which showed the apps I downloaded from the App Store were not, and there were nearly 500 Apple apps on the system, 4 of which were not even able to run on the M1.


When I erase the hard drive, it won't let me touch the system snapshot/image, which is mounted. So I have no idea how I can get rid of this.


Even when I run commands as root to delete folders that I know for sure have nothing to do with the latest Apple - I am unable to delete them.


Of the many issues, the ones of most concern are that it looks as though it's under the control of someone else, and firewall/stealth is being disabled and control centre being added. I change it and it just goes back once the window is closed. Even if the options show one thing, System Report says different.


I am running in lockdown mode. No idea if it makes a difference or not.


As a side note, I would think the things below would not be relevant to a non-business user using a standard install of Ventura on a MacBook Pro 2021 and Mac mini 2020 purchased directly from Apple:


SMBRID opendirectoryd: [com.apple.opendirectoryd:session] dsAttrTypeStandard:SMBRID


AltSecurityIdentities opendirectoryd: [com.apple.opendirectoryd:session] dsAttrTypeStandard:AltSecurityIdentities


Smart Card ctkahp: [com.apple.CryptoTokenKit:AHP] Invoking SmartCard agent for uid 501


Open Directory sudo: (CFOpenDirectory) Open a given node & opendirectoryd: (PlistFile) [com.apple.opendirectoryd:session] found via filename '<private>'


Multipeer kernel: (IO80211Family) com.apple.p2p


kernel (InvalidateHmac) Finished SIO HMAC invalidation.


Credential Manager

AppleCredentialManagerDaemon: ACMTRM-D: -[TransportRestrictedModeService entryPoint_onDaemonStarted]: acmd started, handing control over to kext (TRM allowed by ManagedConfiguration: YES, disabled by AppleSetup: NO).


kernel: (AppleCredentialManager) ACMTRM: init: called, starting TRM service.; kernel: (AppleCredentialManager)


AppleCredentialManager: startImpl: will join SEPManager's PM tree in getSEPEndpoint().


Managed Client launchd: [system:] Service "com.apple.ManagedClient.startup" tried to register for endpoint "com.apple.ManagedClient.agent" already registered by owner: com.apple.ManagedClient


WindowServer

WindowServer: (SkyLight) [com.apple.SkyLight:default] Server is starting up

WindowServer: (SkyLight) [com.apple.SkyLight:default] Session 257; WS port 14603, launchd-launched workspace/session manager


Early Boot

kernel: (Sandbox) Sandbox apply: auearlyboot[11] <bytes>

kernel: (Sandbox) Sandbox: auearlyboot(11) allow iokit-get-properties iokit-class:IOService property:aud-early-boot-critical


kernel: (AppleInputDeviceSupport) Unserializing payload with 2314220 bytes


Apr 15, 2023 7:41 PM in response to MrHoffman

Hi MrHoffman, *grin*, yes I’ve seen the three-volume book is highly recommended around here, but has it been updated since the mid-2000s, I wonder.


Thanks for your reply, yes digital forensics wouldn’t come cheap I’m sure. I guess that’s why us little people resort to the community forums :)


I ended up installing Little Snitch.


My internet IP address is connected via UDP on port 68 Bootstrap Protocol (BOOTP) client - not listed on TCP and UDP ports used by Apple software products – Apple Support (AU) 


and also another connection by netbiosd on port 137 Windows Internet Naming Service (WINS) - odd because I have WINS disabled on my new router modem. 


Does my machine think it’s an OS X Server, I wonder? The presence and actions of AFP, SMB, POSIX, XSAN (that would explain rapportd connecting on port 49152), ASR (Apple Software Restore), (TFTP Trivial File Transfer Protocol).


Is there a way of knowing where the boot image is being loaded from? There are NetBoot files on here as well.


Other things: 

SMB/CIFS

PPPController


From logs:

opendirectoryd modifying a record for a CIFServer

NotificationCentre: [com.apple.unc:application] Found system centre _SYSTEM_CENTER_:com.apple.mdmclient (also say I’m running mdmclient on user 501/ - me)

wifianalytics (Security) Recording an MDS plugin /System/Library/Security/ldapdl.bundle

CommCentre (Security) Recording an MDS plugin /System/Library/Frameworks/Security.frame

containermanagerd creating a new POSIX user, name = [root] dir: /private/var/root (also created a lot of others)


It’s very frustrating I can’t get rid of whatever it is, everything was bought new from Apple directly and I’m not sloppy installing just anything. I can’t pin it to anything but my Mac mini and MacBook Pro are not operating standard.

May 4, 2023 5:22 AM in response to gravityfed

Following up with more information on this issue as it’s still unresolved, but at least I have an idea of what is going on now (and that something is actually awry).


Some issues identified so far:


  1. Developer mode has been enabled without a valid developer ID (I’m not a developer)
  2. Modification of the boot process that removes users ability to choose which operating system to boot into (I didn’t set up two!)
  3. HMAC invalidation has been disabled
  4. The use of a fake key for AppleSEPStore
  5. SMMachine (system management) interference
  6. arm64e_plugin_host process running various binaries (bash, login, zsh, sudo) in keys off mode due to their identities. Code signature validation is being skipped because they’ve been modified or are not signed with a valid certificate
  7. Potential compromise of iPhones and iPads by Mac Mini and MacbookPro, AppleImage4 sysctl hook, a security measure of iOS devices suggests the Macs have interacted with them and logs on all devices further suggest data communication between the two (meant to be disabled) as well as many security violations
  8. ANECompilerService active in security processes, issue with root certificate or verification.


There is also evidence data is being sent to a server.


The Mac machines are unable to be physically accessed which suggests remote access through any number of security holes which have been active. Security updates haven’t solved anything nor has rebooting, as there have been modifications made.


I have no idea where to go from here though. Over six thousand dollars worth of Apple products between the devices and Apple don’t want to dive any deeper than a reset which solves nothing.


I’m a very sad insignificant little panda to the world, but in my world this has affected my family and I greatly.

Apr 14, 2023 1:35 AM in response to gravityfed

The correct method for Apple Silicon Computers is as per the Copy and Paste from Apple.


Using any other method like back in Intel Days will not work on M1 / M2 Computers.


If anything, it could lead to unintended consequences, including having to Revive the Computer.


  • Now, looking at the Etrecheck Report it is reporting an Apple Silicon 14 Inch computer 2021 but your question is specifically related to a Mac mini M1 2020


Care to explain what machine is actually under discussion and the User is having issues with ?


How to erase all content and settings - Apple Support (CA)


Do one of the following:

If your Mac has macOS 13 or later: Choose Apple menu  > System Settings, click General , click Transfer or Reset, then click Erase All Content and Settings.

If your Mac has macOS 12 or earlier: Choose Apple menu  > System Preferences, then in the menu bar, choose System Preferences > Erase All Content and Settings.

In Erase Assistant, enter your administrator information (the password you use to log in to your Mac).

Review items that will be removed in addition to your content and settings.

If your Mac has multiple user accounts, click the arrow next to your account name to review the items.

Click Continue, then follow the onscreen instructions.



Apr 16, 2023 4:26 AM in response to gravityfed

Thank you everyone for your input. While I have no idea what is going on, like why Google thinks I am seeking verification from an OS X 10.5.2 computer, why after a complete proper reinstall at the Apple Store an M1 Mac wants to boot Leopard, try to install High Sierra (as well as High Sierra Beta, El Capitan, Mojave and Catalina), install command line tools, or even what device is not internal when nothing is plugged in but power. Lastly, I will never know what " fileproviderd: (UserManagement) (501) Cached personaVocuherDictionary " is and why it is misspelled and failed a bazillion times.


On the upside, I did find Little Snitch, who has denied over 600k connects to my computer in less than 24 hours. I also discovered the Apple Buddy family, RTBuddy & RTBuddyV2 (regulars will know him already) AMPMacBuddy, purplebuddy, buddyOffers, PastBuddy and little _miniBuddy. But best of all I got a compliment from MisterHoffman, which is pretty cool because they know a lot.


I think I am all reinstalled-out now and will slink back to the Apple Store in shame with my Mac mini, which I inadvertently killed in my attempts. Thank you again to everyone for the replies, I appreciate it and I will try and put the logs away now and move on with life; at least I have Mr Snitch now.


2023-04-13 17:17:15.485219-0700 0x17d8     Default     0x57a4               297    30   softwareupdated: (SoftwareUpdate) [com.apple.SoftwareUpdate:SoftwareUpdate] Product Evaluation: 002-41708 (002-41708.English.dist): Volume check failed: Error Domain=PKDistributionError Code=106 "Command Line Tools for Xcode can’t be installed on “Macintosh HD” because the version of macOS is too new." UserInfo={NSLocalizedDescription=Command Line Tools for Xcode can’t be installed on “Macintosh HD” because the version of macOS is too new.}

2023-04-13 17:17:03.867473-0700 0x13c4     Info        0x0                  495    0    transparencyd: (CloudKit) [com.apple.cloudkit:CK] Device is NOT an AppleInternal install

2023-04-13 17:17:15.821176-0700 0x17d8     Default     0x57a4               297    30   softwareupdated: (SoftwareUpdate) [com.apple.SoftwareUpdate:SoftwareUpdate] Product Evaluation: zzz061-10035 (061-10035.English.dist): Installation check failed: Error Domain=PKDistributionError Code=102 "ERROR_BOOT_LEOPARD" UserInfo={type=Fatal, message=ERROR_BOOT_LEOPARD, NSLocalizedDescription=ERROR_BOOT_LEOPARD}

2023-04-13 17:17:53.622913-0700 0x1ca5     Default     0x0                  297    30   softwareupdated: (SoftwareUpdate) [com.apple.SoftwareUpdate:SoftwareUpdate] Product Evaluation: 041-91758 (041-91758.English.dist): Installation check failed: Error Domain=PKDistributionError Code=102 "macOS High Sierra can’t be installed on this computer." UserInfo={NSLocalizedDescription=macOS High Sierra can’t be installed on this computer., NSUnderlyingError=0x136b31960 {Error Domain=PKDistributionException Code=0 "TypeError: null is not an object (evaluating 'cpuFeatures.split') at x-distribution:///installer-gui-script%5B1%5D/installation-check%5B1%5D/@script" UserInfo={NSLocalizedDescription=TypeError: null is not an object (evaluating 'cpuFeatures.split') at x-distribution:///installer-gui-script%5B1%5D/installation-check%5B1%5D/@script}}}

Jul 6, 2023 11:24 AM in response to MrHoffman

MrHoffman wrote:

There is no need to have a Developer ID to enable Developer mode.

It is not typical for developer mode to be “forced on” without the developer mode toggle being activated though.


kernel: (AppleMobileFileIntegrity) AMFI: developer mode is force enabled on this platform


Nor should there be TestFlight and Xcode app activity when neither app is even installed on the Mac or iOS device. Beta versions of applications can’t randomly appear without them which suggests they are being loaded some alternative way as it is my understanding the regular AppStore does not carry beta versions. Even ‘SpringBoard’ is a beta version.


MrHoffman wrote:

There are always data communications with servers whenever iPhone is connected to a network, as an iPhone is a so-called client device.


This is true, but macOS should not be sending FaceTime messages when a) it’s not active (i.e. toggled off in all relevant places) and b) it is in lockdown mode.


imagent: (FaceTime) [com.apple. Messages :FaceTimePushHandler] Accepting Incoming pushes

launchd: [pid/425/com.apple. FaceTime.FTConversationService [503]:] service state: running

com.apple.FaceTime.FTConversationService: [com.apple. FaceTime:FTConversationService] Asked to accept connection <private>

com.apple.FaceTime.FTConversationService: [com.apple. FaceTime:FTConversationService] Entitlement found; accepting connection <private>

callservicesd: (TelephonyUtilities) [com.apple.calls.telephonyutilities:Default] Cloud calling devices changed

callservicesd: (TelephonyUtilities) [com.apple.calls.telephonyutilities:Default] FaceTime availability changed from (audio=0 video=0) to (audio=1 video=1)

identityservicesd: (FTServices) [com.apple.IDS:FaceTime] Created URL Request: <private> from URL: <private>

identityservicesd: (FTServices) [com.apple.IDS:FaceTime] Sent outgoing message: <private> to command: (Request 1D: <private> Connection: <private>)


Similarly, rapportd should not be directly connecting from the Mac to other devices (an iPad in this case) on the same network when all relevant settings have been turned off.


rapportd: (CoreUtils) [com.apple.CoreUtils:AsyncCnx] CLinkCnx-1: Connected to [xxxx:xxxx:ed27:1::4]:58219 (Reach=0.00 ms, SRV=0.00 ms, DNS=0.00 ms, Connect=5.58 ms, Total=112.65 ms)



I just had another look at the log snippets I posted:


kernel: initialized XNU provisioning profile data


This indicates that the kernel has processed XNU provisioning profiles specifically related to kernel extensions/kexts, my understanding is they are deprecated for developer content.


No matter what I do I can’t resolve it, whoever it is has gone to a lot of effort. The list gets longer each day as I discover more. I’m disappointed the latest update didn’t help. I honestly don’t know what to do.
