Requesting assistance for how to find/remove trojan stealer malware - buckle up

Hi all.


Problem: I'm convinced I have an incredibly well-written trojan stealer installed. I'm seeking what steps I should take to prevent it from being installed, including if there are things I should remove from preboot vols.


Summary: Etresoft reports nothing is wrong, other than that my basic install takes quite a bit of time to resolve.


MDM executables including Classroom/studentd and other remote management processes are persistent in my Activity Monitor and my launchd logs, and are fully polluting logs by doing lovely things within frequently uncorked containers. I am not too proud to admit it could be something I installed, or left open and vulnerable, or any other self-accountability, so please do try to withhold responses that include snark about my own doing or just my imagination. I accept it likely was me, especially with Docker, although there is a small probability that other software vendors could be responsible.


As you might have guessed, I'm a developer and can dig deep (just not deep enough to know how to help myself to finish), so please let me know what steps I can take to provide more details. And as mentioned, please try to be as specific as possible to avoid more of my unusual verbosity.


Platform info:

  • Hardware/OS: MacBook Pro with macOS Sequoia on Apple M1 Pro, 2021, with Rosetta needed for Docker Desktop; MacBook Pro with macOS Sequoia on Intel, 2018 (I think); and an iPhone 12 Pro running iOS 18. All are in Lockdown Mode. It happens standalone or logged in to iCloud, as they are using my machine IDs and seem to be reloading from old backup images they must have taken and stored elsewhere. I've also seen logs of work with NVRAM.
  • My certs appear to have been hijacked, and they are using these to gain access or send remote commands whenever they choose. My user account privs as admin have been reduced, which is also visible in opendirectory; sudo eventually becomes no longer available to me and returns "4294967295: invalid value".
  • Incidentally, multiple Fire TVs, a Samsung smart TV, a Roku smart TV, and a Vizio smart TV each "behave" as though they have also been infected, where each has had interactions with downloading various "apps" through my wife's Amazon account. I mention this because Bluetooth, OTA, and NetBIOS have been heavily active with my mDNSResponder on my MacBook Pros, even after I put my iPhone in airplane mode, turn off BT and wireless, shut down my iPhone, and drop it into a Faraday-caged box. And for whatever reason, the TVs always have AirPlay switched back on with "ask first time only" after I diligently disabled it. I'm speculating here, but somewhere on my LAN, a smart device might be acting as a hidden VPN proxy server and storage for collected data from my MacBook Pros, including having hijacked my DNS and DHCP. Then again, it could also be my iPhone. Two smart TVs are used as extended monitors via HDMI, and the rest are connected wirelessly or wired to my home LAN.
  • I've worked through multiple instances of wiping and reinstalling the OS on each Apple product, including multiple visits to the Genius Bar. Also multiple instances of resetting TVs to factory settings, changing passwords, clearing router caches, and modifying router configs for new local network address ranges, etc. The resetting process has always been started by powering everything down and then restarting sequentially until done, and with the TVs, I've always started with zero apps, yet the app storage always seems halfway consumed before any apps are loaded.


Postamble:

If not for having to work and earn a living, I'd dig waaaaayyyy deeper into this than I already have. I'd love some tips from those who have already dealt with this in the past on how to identify which one it could be. I'm no one special that the NSO Group's Pegasus spyware would be worth the expense, but I will say I have a pegasus cache folder with a sqlite3 db containing a "completion_cache_engagement" table inserted with fun summary phrases of stuff I googled, like "what is lightspy", and "address book plug-ins used as cert exploits", and "how to enable firewall logging macOS". And since it didn't keep "ramen near me", I can't see how analyzed entries like these would be wanted for a picture-in-picture configuration tool, so who knows, maybe someone did find me interesting enough, or someone plants this stuff for their own amusement. Either way, I'd love to receive the knowledge to end this.

MacBook Pro (M1, 2020)

Posted on Sep 25, 2024 02:55 PM

Question marked as Top-ranking reply

Posted on Oct 1, 2024 06:48 AM in response to CapnMuschiBeard

I’m going through exactly the same situation.


In my case, I strongly suspect that a hidden MDM profile is implanted in all devices that cannot be detected and removed and can survive the factory reset and the Lockdown Mode, because Remote and Corporate Accounts system services were listed under cellular data usage on my iPhone, and also the studentd service on my MacBook, even though all my devices are mine and were brand new when I bought them.


Also, the EtreCheck report found a configuration file on my MacBook!


Search up “MDM profile iPhone hacking” online for actual instances.


My post in the forum kept getting deleted for some reason, so I am posting my case in your reply.


There is a serious security vulnerability in all Apple OSes that Apple doesn't know about! We need to make this a big fuss so that Apple can look into this and do something about it!
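As an added example (not from either poster), answering the original request for steps that produce shareable detail and the reply's MDM-profile suspicion: a POSIX shell triage script that records MDM enrollment status, installed configuration profiles, third-party launchd items, admin-group membership and the running Classroom/remote-management processes named in the thread into a plain-text report. The report path, function names and the process-name pattern are assumptions; it runs as the normal user and prompts for nothing.

```shell
#!/bin/sh
# Added macOS triage script (illustrative, not from the thread). It gathers the
# evidence the posters describe into a text report that can be reviewed or shared.
# Names below are assumptions; the `profiles`, `dseditgroup` and `pgrep` calls
# are standard macOS tools and are skipped gracefully where absent.

REPORT="${REPORT:-$HOME/mac-triage-$(date +%Y%m%d-%H%M%S).txt}"

# Pure text function: classify the output of `profiles status -type enrollment`
# so the verdict can be tested without macOS. Prints mdm-enrolled | not-enrolled | unknown.
classify_enrollment() {
    if printf '%s\n' "$1" | grep -qi '^MDM enrollment: *Yes'; then echo mdm-enrolled
    elif printf '%s\n' "$1" | grep -qi '^MDM enrollment: *No'; then echo not-enrolled
    else echo unknown
    fi
}

# Pure function: list launchd plists under the given directories (third-party
# persistence locations), so the set can be diffed across reinstalls.
list_launch_items() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/*.plist; do
            [ -f "$f" ] && printf '%s\n' "$f"
        done
    done
}

# Run a command only if it exists, so a missing tool does not abort the report.
run() {
    command -v "$1" >/dev/null 2>&1 || { echo "(skipped: $1 not found)"; return 0; }
    "$@" 2>&1
}

collect() {
    {
        echo "== MDM enrollment"; st=$(run profiles status -type enrollment); echo "$st"
        echo "verdict: $(classify_enrollment "$st")"
        echo "== Configuration profiles visible to this user"; run profiles list
        echo "== Launchd persistence (third-party locations)"
        list_launch_items /Library/LaunchAgents /Library/LaunchDaemons "$HOME/Library/LaunchAgents"
        echo "== Admin group membership for $USER"
        run dseditgroup -o checkmember -m "$USER" admin
        echo "== Classroom / remote-management processes currently running"
        run pgrep -lf 'studentd|Classroom|remotemanagementd|mdmclient'
    } > "$REPORT"
    echo "report written to $REPORT"
}

if [ "${1:-}" = "--collect" ]; then collect; fi
```

Invoke it as `sh mac-triage.sh --collect` and attach the resulting file; a verdict of mdm-enrolled on a personally bought machine is the single line worth checking first.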


