Help identifying macOS Malware

Joined: Jan 19, 2025 | Messages: 1 | Reaction score: 0
I am having what I believe to be a malware issue that is persisting between Configurator restores. I've tried to explain to the Apple Store and to support on the phone, but I'm not getting anywhere. I come from a Linux background but I am new to macOS, and I fear I know just enough to see that there is a problem without being able to properly articulate what the issue is. I was recently hacked in a pretty bad way that took down my personal network of about 10 nodes, and I'm trying to recover from it, but I can't seem to get the MacBooks cleaned no matter what I do.

I think? what is happening is that the SSV is somehow compromised and persisting through Configurator restores. I keep finding language input files in /var/root/Library/Daemon Container. Normally this wouldn't be all that odd but they're the only input language files that are in there. I also see them running here:

loginwind 1152 daksani txt REG 1,13 20236 1152921500312187653 /System/Library/Input Methods/JapaneseIM-KanaTyping.app/Contents/PlugIns/JapaneseIM-KanaTyping.appex/Contents/Resources/InfoPlist.loctable

loginwind 1152 daksani txt REG 1,13 17587 1152921500312188111 /System/Library/Input Methods/KoreanIM.app/Contents/PlugIns/KIM_Extension.appex/Contents/Resources/InfoPlist.loctable

loginwind 1152 daksani txt REG 1,13 9170 1152921500312189417 /System/Library/Input Methods/VietnameseIM.app/Contents/PlugIns/VIM_Extension.appex/Contents/Resources/InfoPlist.loctable


These appear to be VIM and KIM extensions and yet I'm very particular about not using VIM as I use nano.

The system also appears to be using a very large amount of RAM when idle. While I have downloaded some applications, 25 GB of RAM usage seems excessive for 2 tabs in Safari and 2 windows of iTerm2. I ran EtreCheck Pro and found the following:

Top Processes Snapshot by Memory:
Process (count) RAM usage (Source - Location)
com.apple.WebKit.WebContent (7) 2.34 GB (Apple)
EtreCheckPro 1.42 GB (Etresoft, Inc.)
iTerm2 957 MB (GEORGE NACHMAN)
MTLCompilerService (31) 689 MB (Apple)
mediaanalysisd 663 MB (Apple)


MTLCompilerService seems out of place unless it's linked to Apple Intelligence? This is fresh from a Configurator run from a couple of hours ago today, and I haven't downloaded any development tools like WebKit or MTL, etc. I'm not really even sure what most of these are outside of iTerm2 and EtreCheck. I also found something called 'Sharing 5', unsigned, that I'm also not sure of:

Top Processes Snapshot by Energy Use:
Process (count) Energy (0-100) (Source - Location)
WindowServer 13 (Apple)
Sharing 5 (Not signed)
RTProtectionDaemon 4 (Malwarebytes Corporation)
iconservicesagent (2) 2 (Apple)
iTerm2 2 (GEORGE NACHMAN)


Here's the full Etre Report.


If anyone can help with removal or at least how to approach this with Apple, I'd be greatly appreciative.
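An added triage script, not code from the original post, that turns the two observations above (the lsof lines mapped by loginwindow, and the "Not signed" entry in the EtreCheck energy table) into checks that can be repeated after each restore. It parses lsof output in the column layout quoted above (COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME), reduces each file to its outermost .app bundle, reports whether that bundle sits on the sealed system volume, and then, on macOS only, queries the SSV seal with csrutil and verifies the bundle's signature chain with codesign; on any other system those two checks are skipped. The three lsof lines are embedded as constructed sample input, and the assumption throughout is that a bundle whose signature verifies and chains to Apple Root CA is Apple's own and unmodified, so a failure there is what would justify escalating with Apple.

```shell
#!/bin/sh
# Added triage helper, not code from the original post. It assumes lsof lines in the
# column layout shown in the post (COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME) and
# that codesign and csrutil are present only on macOS; elsewhere those checks are skipped.

# Constructed sample input: the three lsof lines quoted in the post.
SAMPLE_LSOF='loginwind 1152 daksani txt REG 1,13 20236 1152921500312187653 /System/Library/Input Methods/JapaneseIM-KanaTyping.app/Contents/PlugIns/JapaneseIM-KanaTyping.appex/Contents/Resources/InfoPlist.loctable
loginwind 1152 daksani txt REG 1,13 17587 1152921500312188111 /System/Library/Input Methods/KoreanIM.app/Contents/PlugIns/KIM_Extension.appex/Contents/Resources/InfoPlist.loctable
loginwind 1152 daksani txt REG 1,13 9170 1152921500312189417 /System/Library/Input Methods/VietnameseIM.app/Contents/PlugIns/VIM_Extension.appex/Contents/Resources/InfoPlist.loctable'

# NAME is everything from the 9th whitespace-separated field on; blanking the first
# eight fields keeps a path such as "Input Methods" intact even when lsof pads columns.
lsof_path() {
    printf '%s\n' "$1" | awk '{ $1=$2=$3=$4=$5=$6=$7=$8=""; sub(/^ +/, ""); print }'
}

# Outermost .app bundle that contains the file (the unit codesign verifies).
bundle_root() {
    printf '%s\n' "$1" | sed -E 's#(\.app)/.*$#\1#'
}

# yes if the path lives on the sealed system volume (SSV), no if it is on the
# writable data volume. /System/Volumes and /usr/local are data-volume firmlinks.
on_sealed_system_volume() {
    case "$1" in
        /System/Volumes/*|/usr/local/*) echo no ;;
        /System/*|/usr/*|/bin/*|/sbin/*) echo yes ;;
        *) echo no ;;
    esac
}

# Distinct bundles referenced by a block of lsof output.
unique_bundles() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        bundle_root "$(lsof_path "$line")"
    done | sort -u
}

# macOS only: the SSV seal is what a Configurator restore re-establishes; if it
# reports disabled, files under /System are no longer protected by the seal.
ssv_status() {
    if command -v csrutil >/dev/null 2>&1; then
        csrutil authenticated-root status
    else
        echo "skip: csrutil not available (not macOS)"
    fi
}

# macOS only: an intact signature chaining to Apple Root CA means the bundle is
# Apple's and unmodified; anything else deserves a closer look.
verify_bundle() {
    if ! command -v codesign >/dev/null 2>&1; then
        echo "skip (codesign not available): $1"
        return 0
    fi
    if codesign --verify --strict "$1" 2>/dev/null &&
       codesign -dvv "$1" 2>&1 | grep -q 'Authority=Apple Root CA'; then
        echo "ok   Apple-signed and intact: $1"
    else
        echo "WARN signature missing, broken, or not Apple's: $1"
    fi
}

# Run the triage over the sample; on a real machine feed it `lsof -p <pid>` output.
ssv_status
unique_bundles "$SAMPLE_LSOF" | while IFS= read -r b; do
    echo "bundle: $b (sealed volume: $(on_sealed_system_volume "$b"))"
    verify_bundle "$b"
done
```

On the sample, all three bundles resolve to /System/Library/Input Methods/, which is on the sealed volume, and the VIM_Extension path belongs to VietnameseIM.app (the Vietnamese input method), so it is unrelated to the vim editor. The same verify_bundle check can be pointed at whatever binary EtreCheck lists as "Sharing" once its path is known (EtreCheck's full report includes it); an unsigned process is the one entry in the snapshots that a signature check can settle directly.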