
Research about malware that infects the EFI and SMC of Apple MacBooks.


rickmark/mojo_thor


About

Loki / Thor / Mojo are a triad of Apple internal tools and malware that infect the SMC, EFI and macOS of Apple MacBooks.

It is believed that direct access to the hardware is gained by re-flashing the Thunderbolt controller (via ThorUtil).

Contents

  • T2/T2.md
  • Firmware/INFO.md - information about Thor's firmware and comparison against a "known good". Four SMC encrypted payloads differ: 5CE0F1, 5CECE9, 5CFAB5, 5D1751 and a few submodules.
  • Firmware/INDEX.md - Index of modules and descriptions in the EFI volume.
  • Firmware/bad.fd - The "Thor / Loki" firmware from a known bad laptop
  • notes.md - Notes and rants about various components, not fully finalized or proven.
  • MojoKDP/mojo.kext - The MojoKDP kernel module pulled from a virtual machine kernel memory. Injected by DMA / uDMA
  • MojoKDP/mojo.kext.S - Annotated disassembly
  • ESP/APPLE - the contents of the machine's EFI partition. The most interesting item is in UPDATERS\\TBTH\\ThorUtil
  • logs - Unusual install and system logs from a Thor-infected system; much of my interpretation is in notes.md
  • SMC - examples of the Apple *.smc format. See also smcutil

See Also

  • IN PROGRESS:
  • MacBooks now force internet recovery to High Sierra. An effort to patch older EFI and implement eficheck.
  • Duo Labs' EFIgy can check your EFI on macOS before 10.13.
  • /usr/libexec/firmwarecheckers/eficheck/eficheck - High Sierra utility to extract and redact your firmware image.
  • macOS defaults to the latest firmware and patches, thereby including eficheck. Reinstalling macOS changed with 10.12.4.
  • coreboot for the ifdtool utility code and tools.
  • unhuffme - tool for decoding the Intel ME regions of the flash.

Detection (direct)

  • macOS 10.12 and earlier: Boot into recovery, look for any output from ioreg | grep MojoKDP
  • macOS 10.13 and later (from external / AirGap): sudo /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check
    • Alternatively, use rEFInd and BootRomFlash to extract the firmware and check it with eficheck or efivalidate on another machine.
    • SUSPECT: Presence of /dev/tty.MALS and /dev/tty.SOC as the serial connection to MojoKDP (previous versions of macOS showed this as two LPSS Serial Adapter connections). SOC is likely a connection to the SMC.
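The checks above can be gathered into one read-only triage script. The script below is an added example and is not part of the mojo_thor repository: the MojoKDP class name, the /dev/tty.MALS and /dev/tty.SOC nodes and the eficheck path are the ones listed above; the script name, function names and the ioreg-style sample text used for testing are assumptions made for illustration. It never writes to firmware or to the system; it greps a saved ioreg dump, looks for the two serial nodes and points at eficheck if it is installed.

```shell
#!/bin/sh
# mojo_triage.sh - added example, not code from rickmark/mojo_thor.
# Read-only triage for the indicators in the Detection section:
#   * MojoKDP present in the I/O registry (ioreg | grep MojoKDP)
#   * /dev/tty.MALS and /dev/tty.SOC serial nodes present
#   * eficheck available for a firmware integrity check (10.13+)
# Function and script names are assumptions chosen for this example.

# ioreg_mentions_mojokdp FILE
# Exit 0 when an ioreg dump (e.g. saved with `ioreg > FILE` from recovery)
# contains the MojoKDP class name anywhere in the registry tree.
ioreg_mentions_mojokdp() {
    grep -q 'MojoKDP' "$1"
}

# suspect_tty_nodes DEVDIR
# Print the names of the suspect serial nodes that exist under DEVDIR
# (normally /dev); prints nothing on a machine without them.
suspect_tty_nodes() {
    for name in tty.MALS tty.SOC; do
        [ -e "$1/$name" ] && printf '%s\n' "$name"
    done
    return 0
}

# triage [DEVDIR] [IOREG_FILE]
# Runs every read-only check and prints one line per finding.
# Exit status: 0 = no listed indicator present, 1 = at least one present.
# When IOREG_FILE is omitted and `ioreg` exists (macOS), a fresh dump is taken.
triage() {
    devdir="${1:-/dev}"
    ioreg_file="${2:-}"
    hit=0

    if [ -z "$ioreg_file" ] && command -v ioreg >/dev/null 2>&1; then
        ioreg_file=$(mktemp)
        ioreg > "$ioreg_file"
    fi
    if [ -n "$ioreg_file" ] && ioreg_mentions_mojokdp "$ioreg_file"; then
        echo "HIT: ioreg references MojoKDP (compare with MojoKDP/mojo.kext in the repo)"
        hit=1
    fi

    for node in $(suspect_tty_nodes "$devdir"); do
        echo "SUSPECT: $devdir/$node present (serial path to MojoKDP / SMC)"
        hit=1
    done

    # eficheck ships with 10.13+ and needs root; it is only pointed to here,
    # because the firmware comparison should be run from external media.
    eficheck=/usr/libexec/firmwarecheckers/eficheck/eficheck
    if [ -x "$eficheck" ]; then
        echo "INFO: next step: sudo $eficheck --integrity-check (boot from external media first)"
    fi

    if [ "$hit" -eq 0 ]; then
        echo "OK: none of the listed indicators present"
    fi
    return "$hit"
}

# Run directly on a Mac:  sh mojo_triage.sh --run
case "${1:-}" in
    --run) triage ;;
esac
```

Because the checks are plain functions, the same script can be run against a saved ioreg dump and a copied /dev listing on a separate analysis machine, which is the workflow the section recommends for 10.13 and later. A non-zero exit status is the cue to extract the firmware and compare it with eficheck or efivalidate.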

In the press

People I've worked with

  • I brought a sample of the malware to both the Union Square Apple store, and they declined to assist citing customer data.
  • I was unable to reach Apple's product security division (due to the malware likely), and did take the computer directly to their campus. The irony of eficheck now offering to allow you to submit samples is not lost on me. (The original submission number is 671195078)
    • REVISION: I've received acknowledgement after publication of this repo stating that the issue is under investigation
