Requesting assistance for how to find/remove trojan stealer malware - buckle up
Hi all.
Problem: I'm convinced I have an incredibly well-written trojan stealer installed. I'm seeking advice on what steps I should take to prevent it from being installed, including whether there are things I should remove from preboot vols.
Summary: etresoft reports nothing is wrong other than my basic install takes quite a bit of time to resolve.
MDM executables, including Classroom/studentd and other remote-management processes, are persistent in my Activity Monitor and my launchd logs, and are fully polluting logs by doing lovely things within frequently uncorked containers. I am not too proud to admit it could be something I installed, or left open and vulnerable, or any other self-accountability, so please do try to withhold responses that include snark about my own doing or just my imagination. I accept it likely was me, especially with Docker, although there is a small probability that other software vendors could be responsible.
As you might have guessed, I'm a developer and can dig deep (just not deep enough to know how to help myself to finish), so please let me know what steps I can take to provide more details. And as mentioned, please try to be as specific as possible to avoid more of my unusual verbosity.
Platform info:
- Hardware/OS: MacBook Pro with macOS Sequoia on Apple M1 Pro, 2021, with Rosetta needed for Docker Desktop; MacBook Pro with macOS Sequoia on Intel, 2018 (I think); and an iPhone 12 Pro running iOS 18. All are in Lockdown Mode. It happens standalone or logged in to iCloud, as they are using my machine IDs and seem to be reloading from old backup images they must have taken and stored elsewhere. I've also seen logs of work with NVRAM.
- My certs appear to have been hijacked, and they are using these to gain access or send remote commands whenever they choose. My user account privs as admin have been reduced, also visible in OpenDirectory; sudo eventually becomes unavailable to me and returns "4294967295: invalid value".
- Incidentally, multiple Fire TVs, a Samsung smart TV, a Roku smart TV, and a Vizio smart TV each "behave" as though they have also been infected, where each has had interactions with downloading various "apps" through my wife's Amazon account. I mention this because Bluetooth, OTA, and NetBIOS have been heavily active with my mDNSResponder on my MacBook Pros, even after I put my iPhone in airplane mode, turn off BT and wireless, shut down my iPhone, and drop it into a Faraday-caged box. And for whatever reason, the TVs always have AirPlay switched back on with "ask first time only" after I diligently disabled it. I'm speculating here, but somewhere on my LAN, a smart device might be acting as a hidden VPN proxy server and storage for collected data from my MacBook Pros, including having hijacked my DNS and DHCP. Then again, it could also be my iPhone. Two smart TVs are used as extended monitors via HDMI, and the rest are connected wireless or wired to my home LAN.
- I've worked through multiple instances of wiping and reinstalling the OS on each Apple product, including multiple visits to the Genius Bar. Also multiple instances of resetting TVs to factory settings, changing passwords, clearing router caches, and modifying router configs for new local network address ranges, etc. The resetting process has always been started by powering everything down and then restarting sequentially until done, and with the TVs, I've always started with zero apps, yet the app storage always seems halfway consumed before any apps are loaded.
Postamble:
If not for having to work and earn a living, I'd dig waaaaayyyy deeper into this than I already have. I'd love some tips from those who have already dealt with this in the past on how to identify which one it could be. I'm no one so special that NSO Group's Pegasus spyware would be worth the expense, but I will say I have a pegasus cache folder with a sqlite3 db containing a "completion_cache_engagement" table inserted with fun summary phrases of stuff I googled, like "what is lightspy", "address book plug-ins used as cert exploits", and "how to enable firewall logging macOS". And since it didn't keep "ramen near me", I can't see how analyzed entries like these would be wanted for a picture-in-picture configuration tool, so who knows, maybe someone did find me interesting enough, or someone plants this stuff for their own amusement. Either way, I'd love to receive the knowledge to end this.
MacBook Pro (M1, 2020)