
Put the knife down and take a green herb, dude.

One feller's views on the state of everyday computer science & its application (and now, OTHER STUFF) who isn't rich enough to shell out for www.myfreakinfirst-andlast-name.com

Using 89% of the same design the blog had in 2001.

FOR ENTERTAINMENT PURPOSES ONLY!!!
Back-up your data and, when you bike, always wear white.

As an Amazon Associate, I earn from qualifying purchases. Affiliate links in green.


Saturday, June 22, 2024

I recently had a process called XProtectRemediatorRedPine eating 95% of one CPU core on my MacBook Air when it wasn't plugged in. That name seemed... strange, and I wondered if it was legit.

Turns out it's probably Apple looking for malware.

The Secrets of XProtectRemediator

Found a blog post called "The Secrets of XProtectRemediator" that has a section called "Reverse Engineering the RedPine Remediator." They apparently picked the Red Pine remediator at random...

With all that background out the way, let's open up one of the XPR scanners in Binary Ninja and actually see what this looks like. There's no particular reason for choosing RedPine, they all look pretty much the same.

...

Since there are 24 remediators, I won't cover them all in detail.

In a results section, they give the "notable results" on Red Pine (and a few others):

Now this one I'm not totally confident about, but it's givinggg TriangleDB from Operation Triangulation [5]. I wonder where Red Pines grow? 🦅🇺🇸

What is TriangleDB?

And there's a link included with more on TriangleDB, which is probably the most interesting link in this blog post. Here's a snippet:

The implant, which we dubbed TriangleDB, is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability. It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted. Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again. In case no reboot occurs, the implant uninstalls itself after 30 days, unless this period is extended by the attackers.

...

Once the implant launches, it starts communicating with the C2 server, using the Protobuf library for exchanging data. The configuration of the implant contains two servers: the primary and the fallback (contained in the lS and lSf configuration fields).

...

The C2 server responds to heartbeat messages with commands. Commands are transferred as Protobuf messages that have type names starting with CRX. The meaning of these names is obscure: for example, the command listing directories is called CRXShowTables, and changing C2 server addresses is handled by the command CRXConfigureDBServer. In total, the implant we analyzed has 24 commands designed for:

  • Interacting with the filesystem (creation, modification, exfiltration and removal of files);
  • Interacting with processes (listing and terminating them);
  • Dumping the victim's keychain items, which can be useful for harvesting victim credentials;
  • Monitoring the victim's geolocation;
  • Running additional modules, which are Mach-O executables loaded by the implant. These executables are reflectively loaded, with their binaries stored only in memory.

[emphasis mine -mfn]

Overview/quick history of XProtect

The relationship of Red Pines to TriangleDB is supported by another source titled "The Three XProtects of Christmas". It also gives us a good, quick overview of the XProtect system as a whole.

By 2021, Apple had decided to replace MRT with something more modern and capable. The first version of XProtect Remediator was installed in macOS Monterey 12.3 on 14 March 2022, and over the following summer it grew to replace MRT, which was last updated on 29 April 2022, and is now no longer installed with macOS although it may still be obtained as an update.

XProtect Remediator (XPR) is installed and updated outside macOS updates, in the XProtect.app bundle in /Library/Apple/System/Library/CoreServices, in macOS 10.15 Catalina and later. It contains individual executable scanning modules, one of which covers old malware that MRT dealt with. Its first standalone update on 17 June 2022 brought the total of its named malware scanners to eight, and it has grown steadily ever since to a total of 22 in its current version 122.

...

RedPine, added in 114 on 12 October 2023, believed to cover TriangleDB malware;

I'm not going to suggest that I've given you an exhaustive breakdown on what's happening such that you could elevator speech the important parts to someone else (usually my goal), but I think that's enough of a lead for us to figure it out if we wanted to.

In any event, I think this...

  1. Says the process is likely legit.
    • ("likely" because you could always name your malware after something legit)
  2. Makes me think the "efficiency cores" are very efficient, because otherwise this would've killed my battery.
    • Though weird that a process looking for in-memory malware would use so much CPU for so long. 🤔
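One way to get past "likely" is to check where the hungry process actually lives and whether Apple signed it. This is an added example, not code from the post or from the blogs it quotes; it assumes the scanner executables sit under Contents/MacOS inside the XProtect.app bundle path given above, and the live part only runs on macOS (it needs codesign and a ps that prints full paths for comm).

```shell
#!/bin/sh
# Added example: is the XProtectRemediator* process burning CPU the one Apple
# ships, or just something named like it? Assumed layout (not stated in the
# post): the scanners are executables under Contents/MacOS of XProtect.app.
XPR_BUNDLE="/Library/Apple/System/Library/CoreServices/XProtect.app"
XPR_DIR="$XPR_BUNDLE/Contents/MacOS"

# classify_xpr_path PATH: prints "expected" (exit 0) when PATH is an
# XProtectRemediator* executable directly inside the Apple bundle, otherwise
# "unexpected" (exit 1). Pure POSIX sh, so it can be unit-tested anywhere.
classify_xpr_path() {
    dir=${1%/*}      # everything before the last slash
    base=${1##*/}    # the executable name itself
    if [ "$dir" = "$XPR_DIR" ]; then
        case "$base" in
            XProtectRemediator*) echo expected; return 0 ;;
        esac
    fi
    # Wrong directory, or a traversal path like .../MacOS/X/../../tmp/evil
    echo unexpected
    return 1
}

# check_running_xpr: list live XProtectRemediator* processes with a verdict on
# their location, then let codesign confirm the signature is intact and show
# who signed it (Apple's own binaries chain up to "Authority=Apple Root CA").
check_running_xpr() {
    # macOS ps prints the full executable path for comm; these paths have no spaces.
    ps -axo pid=,comm= | awk '$2 ~ /XProtectRemediator/ { print $1, $2 }' |
    while read -r pid path; do
        verdict=$(classify_xpr_path "$path") || true
        printf '%s %s %s\n' "$pid" "$path" "$verdict"
        if codesign --verify --strict "$path" 2>/dev/null; then
            codesign -dv "$path" 2>&1 | grep -E '^(Identifier|Authority)='
        else
            echo "  signature check FAILED for $path"
        fi
    done
}

# The live check needs macOS tools; the helper above runs anywhere.
if [ "$(uname)" = Darwin ]; then
    check_running_xpr
fi
```

A process with the right name but an "unexpected" path, or one that fails the signature check, is the case worth looking into further; the expected Apple-shipped one is what the post's author was seeing.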

Eh, kinda interesting. I guess this sort of topic helps explain why my blog makes the big bucks.



posted by ruffin at 6/22/2024 09:35:00 AM
Wednesday, June 19, 2024

Does AirDrop seem to hang when you're sending photos from your iPhone to your Mac? Welp, add "Bringing Devices Together" (I think where you can AirDrop by proximity between two iPhones) to the Apple Fail archives.

After an Apple Support chat session, the agent mentioned something about "bringing the devices together" - I think they assumed the transfer was between 2 iOS devices.

iOS device > General > AirDrop > Bringing Devices Together

I believe it is on by default when upgrading to whichever iOS release contained NameDrop. I manually & specifically turned OFF the setting because of recent "security" articles about the new NameDrop capability.

I had this setting turned ON, specifically because I did a contact transfer a week or 2 ago. And accidentally left it on.

Toggling it off, retrying the AirDrop, and it worked.

Seriously, who is in charge of QA/QC at Apple? How is sending photos from an iPhone to a Mac not on your integration test list?



posted by ruffin at 6/19/2024 05:31:00 PM
Monday, June 10, 2024

Okay, was looking for email corpi (corpuses? No, apparently corpora) to run some tests, and found these...

Check the licenses for each and enjoy.



posted by ruffin at 6/10/2024 05:14:00 PM
Thursday, June 06, 2024

I used a Henge Dock for my old Intel MacBook and, other than some scratches on about 40% of the outside of the laptop's cover, surprisingly really liked it. It was a real space-saver for the desk. Though I'd rather have had the laptop screen available in addition to the external monitor, I didn't use it that often at the desk, and the dock was a great compromise.

Fast-forward a bit to me buying an M1 MacBook Air. I've been jealously eyeing the new-ish Brydge Vertical Dock since the M1 design was still housing Intel processors. Brydge apparently bought out Henge, and they're doing slightly fancier versions of the same sort of clamshell docks, but, um, wow did it get expensive!

Good things come to those who wait for the price to drop, and I recently bagged one on Amazon for the M1 for around $30, down from a height of $275!!!

But that's not why you're here. You're here because you might've done the same and you want to know why you can't get your MacBook to display to an external monitor. You've plugged in a keyboard and/or mouse, slammed shift and the mouse buttons, and nothing. Is your HDMI cord bad? Is the Mac still asleep? Is there a setting that you needed to set?

NO!! It's so much simpler!!! You have to have it plugged into a power supply!!

Or, more to the point, clamshell mode doesn't work when the MacBook is on battery power.

Why not when it'll run for 5-8 hours on the battery? And how useful would it be to be able to test that the dock is working before setting up a power supply behind the desk? Very. Or maybe you just want to use the paltry two USB-C ports for something other than power or a dock with power pass-through. TOO BAD!

I have no idea why clamshell on battery doesn't work and isn't, afaict, even a setting. But it doesn't.

I've done this twice now after not using the Brydge for a few months in between. /sigh (Told you using the MacBook with the external monitor is rare.)



posted by ruffin at 6/06/2024 04:41:00 PM


