
Admiral black (macrumors newbie, Original poster), Aug 20, 2023
Please no “reset to factory” canned responses; this is in regards to a persistent malware that remains after factory reset, reformat, etc. These photos are with no OS installed; they are taken after Disk Utility has erased the disk, from Terminal in the recovery environment. Running the command “ls -R”, these are the files that remain. In particular, the issue I’m having is the keychain. Please do not assume that’s a new keychain: there’s no OS installed, that is not a new keychain, you’re seeing a keychain that I’ve had since my original Apple ID, an actual ME account, and I’m desperately wanting a fresh, clean keychain. I cannot shake this monkey loose, and it contains Kerberos single sign-on tokens and RSA keys. These are private devices that have never been managed, by choice, or used with any enterprise or business. I understand these are legitimate Apple processes yet being used nefariously, and I’m looking for some guidance from folks that know better than to say it’s not possible, on what steps I can take to expunge this from the hard drive. I know there’s an answer out there, so please don’t derail this with nonsense. Thanks in advance!
 

Attachments: IMG_0043.jpeg, IMG_0042.jpeg, IMG_0044.jpeg, IMG_0045.jpeg, IMG_0041.jpeg, IMG_0040.jpeg

ps866mker (macrumors member), Jan 23, 2022
Are you saying that after erasing disk via command line you are still seeing those files?

# List every disk and note the identifier (diskX) of the internal drive
sudo diskutil list
# Unmount all volumes on that disk before writing to it
sudo diskutil unmountDisk /dev/diskX
# Overwrite the whole disk with zeros; replace X with the identifier from the list above
sudo dd if=/dev/zero of=/dev/diskX bs=10m
# Flush pending writes to the device
sync
 

DeltaMac (macrumors G5, Delaware), Jul 30, 2003
None of those pix show anything that is personalized in any way, and nothing that is not a normal part of a default system. If you have wiped the internal drive, then you are simply showing file names from the boot system that Apple uses to boot your Mac from the remote servers, when you boot to internet recovery.
 

Bigwaff (Contributor), Sep 20, 2013
From folks that know better than to say it’s not possible, on what steps I can take to expunge this from the hard drive. I know there’s an answer out there, so please don’t derail this with nonsense.
You be trippin’, brah .. and need some schoolin’. I thought this was a pretty good starter -
 

Admiral black (macrumors newbie, Original poster), Aug 20, 2023
I’m referring to this keychain with the identifiers seen.
 

Attachments: IMG_0055.jpeg

Bigwaff (Contributor), Sep 20, 2013
I’m referring to this keychain with the identifiers seen.
Honestly, if one understands how macOS boots the system, and from which media, then, given your question, it’s easy to assume you might not understand. Especially since you did not provide any basic info. Info someone who does understand would provide… How are you booting? Recovery partition? Internet Recovery? Bootable USB? What version of macOS is the install?
 

bogdanw (macrumors 603), Mar 10, 2009
Please no “reset to factory” canned responses this in regards to a persistent malware that remains after factory reset, reformat, etc.
There are no cybersecurity experts on this forum to help you with persistent malware.
Contact The Citizen Lab, they specialize in dealing with this kind of attack https://citizenlab.ca
 

Admiral black (macrumors newbie, Original poster), Aug 20, 2023
Honestly, if one understands how macOS boots the system, and from which media, then, given your question, it’s easy to assume you might not understand. Especially since you did not provide any basic info. Info someone who does understand would provide… How are you booting? Recovery partition? Internet Recovery? Bootable USB? What version of macOS is the install?
You are correct, I don’t understand all the nuances of the boot process, hence why I open myself up to folks that prefer to repeat what they hear at a Genius Bar. To answer your question, and please educate me, I’m attempting to install macOS Sonoma onto a MacBook. The photos are before any OS is installed. That is Terminal in the recovery environment, after I’ve used Disk Utility to erase the Mac HD and HD Data disk. Your thoughts….
 

DeltaMac (macrumors G5, Delaware), Jul 30, 2003
You probably need more help with actually making a bootable installer for Sonoma.
Looks like you are booted to some system, but it is likely older than Yosemite, as there are multiple references to the obsolete Japanese input system called Kotoeri. That came with Mac OS and OS X, but was removed in Yosemite and later. You show that you are booted to some system, but it will be the remote system that you get on your Mac when you are booted to the Internet Recovery system, and not the Sonoma system that you are wanting. That should also explain the references to a keychain that you don't have. Well, of course, those references are not on your Mac, but on the system that Apple provides on their remote server for the Internet Recovery system. There's nothing there that should legitimately concern you, assuming that the system works to provide you with internet recovery. You won't get to Sonoma using that method, at least directly. Get yourself a USB bootable installer for Sonoma, if that's what you want.
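One way to check the point made above, as an added example that is not part of this thread or of anything its posters wrote: when a Mac is booted to Recovery, `/` is the recovery system's own volume, so `ls -R` run from there lists that system's files (keychains included), not the erased internal disk, which shows up as a separate mount under `/Volumes`. The shell function below parses `mount` output and reports which device and mount point actually hold a given path. The embedded `mount` output is a constructed sample, and the device names (`disk3s1`, `disk2s2`) and the volume name `Macintosh HD` in it are assumptions; on a real Mac, pass `"$(mount)"` instead of the sample.

```shell
#!/bin/sh
# Added example, not from the thread. Given `mount` output and a path, report
# which device and mount point hold that path. Booted to Recovery, "/" is the
# recovery system's volume, so /Library/Keychains belongs to it, not to the
# internal disk mounted under /Volumes.

# Constructed sample of `mount` output; device and volume names are assumptions.
# On a real Mac use: mount_for_path "/some/path" "$(mount)"
SAMPLE_MOUNT='/dev/disk3s1 on / (apfs, sealed, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk2s2 on /Volumes/Macintosh HD (apfs, local, journaled)'

# mount_for_path PATH MOUNT_OUTPUT
# Prints "<device> <mountpoint>" for the deepest mount point containing PATH.
mount_for_path() {
  printf '%s\n' "$2" | awk -v p="$1" '
    {
      dev = $1
      mp = $0
      sub(/^[^ ]+ on /, "", mp)   # drop "<device> on "
      sub(/ \(.*$/, "", mp)       # drop " (options)"
      # PATH lives inside mp if mp is the root, equals PATH, or is a parent dir
      if (mp == "/" || p == mp || index(p, mp "/") == 1) {
        if (length(mp) > length(best)) { best = mp; bestdev = dev }
      }
    }
    END { if (best != "") print bestdev " " best }'
}

# is_on_root PATH MOUNT_OUTPUT
# Succeeds when PATH is on the booted "/" volume (in Recovery: the recovery system).
is_on_root() {
  [ "$(mount_for_path "$1" "$2" | cut -d" " -f2-)" = "/" ]
}

# Demonstration with the constructed sample
for p in /Library/Keychains "/Volumes/Macintosh HD/Library/Keychains"; do
  printf '%s -> %s\n' "$p" "$(mount_for_path "$p" "$SAMPLE_MOUNT")"
done
```

In the sample, `/Library/Keychains` resolves to the root device, while the same path under `/Volumes/Macintosh HD` resolves to the internal disk; a freshly erased internal volume would have nothing under its own `Library/Keychains`.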
 

Bigwaff (Contributor), Sep 20, 2013
I’m attempting to install macOS Sonoma onto a MacBook
Which year and model MacBook? an Air? a Pro? There are only a handful of MacBook systems that Sonoma supports. Sonoma won’t install on unsupported systems… unless… (left blank as an exercise and test for the reader).
 

MacProFCP (Contributor, Michigan), Jun 14, 2007
Please no “reset to factory” canned responses; this is in regards to a persistent malware that remains after factory reset, reformat, etc. These photos are with no OS installed; they are taken after Disk Utility has erased the disk, from Terminal in the recovery environment. Running the command “ls -R”, these are the files that remain. In particular, the issue I’m having is the keychain. Please do not assume that’s a new keychain: there’s no OS installed, that is not a new keychain, you’re seeing a keychain that I’ve had since my original Apple ID, an actual ME account, and I’m desperately wanting a fresh, clean keychain. I cannot shake this monkey loose, and it contains Kerberos single sign-on tokens and RSA keys. These are private devices that have never been managed, by choice, or used with any enterprise or business. I understand these are legitimate Apple processes yet being used nefariously, and I’m looking for some guidance from folks that know better than to say it’s not possible, on what steps I can take to expunge this from the hard drive. I know there’s an answer out there, so please don’t derail this with nonsense. Thanks in advance!

I am not a software guru and can’t say what’s normal or not beyond an educated guess.

However, I suggest you connect via Target Disk Mode and then erase the drive via another computer. At that point, nothing will remain readable. Then reinstall the OS from the second machine.

Should be good as new.
 

JustAnExpat (Suspended), Nov 27, 2019
Sadly, we need much more information before we can help you:

1. What machine is this? Is this a MacBook Air 2013, or a MacBook Pro 2015, or...

2. What were the steps you used to get to this screen? Is this from Internet Recovery, or a fresh install, or...?

3. "I cannot shake this monkey loose and it contains Kerberos single sign-on tokens and RSA keys." I don't want to belittle you, but do you know what a Kerberos single sign-on token and RSA keys are, and how they maintain security? If you do, can you give a brief description of what it means, to make sure we understand each other?

If you can't answer these questions, I can't help you.
 