Put the knife down and take a green herb, dude. (c) Ruffin Bailey 2001-2021

I recently had a process called XProtectRemediatorRedPine eating 95% of one CPU core on my MacBook Air when it wasn't plugged in. That name seemed... strange, and I wondered if it was legit.

Turns out it's probably Apple looking for malware.

The Secrets of XProtectRemediator

Found a blog post called "The Secrets of XProtectRemediator" that has a section called "Reverse Engineering the RedPine Remediator. They apparently picked the Red Pine remediator at random...

With all that background out the way, let’s open up one of the XPR scanners in Binary Ninja and actually see what this looks like. There’s no particular reason for choosing RedPine, they all look pretty much the same.

...

Since there are 24 remediators, I won’t cover them all in detail.

In a results section, they give the "notable results" on Red Pine (and a few others):

Now this one I’m not totally confident about, but it’s givinggg TriangleDB from Operation Triangulation5. I wonder where Red Pines grow? 🦅🇺🇸

What is TriangleDB?

And there's a link included with more on TriangleDB, which is probably the most interesting link in this blog post. Here's a snippet:

The implant, which we dubbed TriangleDB, is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability. It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted. Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again. In case no reboot occurs, the implant uninstalls itself after 30 days, unless this period is extended by the attackers.

...

Once the implant launches, it starts communicating with the C2 server, using the Protobuf library for exchanging data. The configuration of the implant contains two servers: the primary and the fallback (contained in the lS and lSf configuration fields).

...

The C2 server responds to heartbeat messages with commands. Commands are transferred as Protobuf messages that have type names starting with CRX. The meaning of these names is obscure: for example, the command listing directories is called CRXShowTables, and changing C2 server addresses is handled by the command CRXConfigureDBServer. In total, the implant we analyzed has 24 commands designed for:

Interacting with the filesystem (creation, modification, exfiltration and removal of files);

Interacting with processes (listing and terminating them);

Dumping the victim’s keychain items, which can be useful for harvesting victim credentials;

Monitoring the victim’s geolocation;

Running additional modules, which are Mach-O executables loaded by the implant. These executables are reflectively loaded, with their binaries stored only in memory.

[emphais mine -mfn]

Overview/quick history of XProtect

The relationship of Red Pines to TriangleDB is supported by another source titled "The Three XProtects of Christmas". It also gives us a good, quick overview of the XProtect system as a whole.

By 2021, Apple had decided to replace MRT with something more modern and capable. The first version of XProtect Remediator was installed in macOS Monterey 12.3 on 14 March 2022, and over the following summer it grew to replace MRT, which was last updated on 29 April 2022, and is now no longer installed with macOS although it may still be obtained as an update.

XProtect Remediator (XPR) is installed and updated outside macOS updates, in the XProtect.app bundle in /Library/Apple/System/Library/CoreServices, in macOS 10.15 Catalina and later. It contains individual executable scanning modules, one of which covers old malware that MRT dealt with. Its first standalone update on 17 June 2022 brought the total of its named malware scanners to eight, and it has grown steadily ever since to a total of 22 in its current version 122.

...

RedPine, added in 114 on 12 October 2023, believed to cover TriangleDB malware;

I'm not going to suggest that I've given you an exhaustive breakdown on what's happening such that you could elevator speech the important parts to someone else (usually my goal), but I think that's enough of a lead for us to figure it out if we wanted to.

In any event, I think this...

Says the process is likely legit.
- ("likely" because you could always name your malware after something legit)
Makes me think the "efficiency cores" are very efficient, because otherwise this would've killed my battery.
- Though weird that a process looking for in-memory malware would use so much CPU for so long. 🤔

Eh, kinda interesting. I guess this sort of topic helps explain why my blog makes the big bucks.

Labels: apple, security

I used a Henge Dock for my old Intel MacBook and, other than some scratches on about 40% of the outside of the laptop's cover, surprisingly really liked it. It was a real space-saver for the desk. Though I'd rather have had the laptop screen available in addition to the external monitor, I didn't use it that often at the desk, and the dock was a great compromise.

Fast-forward a bit to me buying an M1 MacBook Air. I've been jealously eyeing the new-ish Brydge Vertical Dock since the M1 design was still housing Intel processors. Brydge apparently bought out Henge, and they're doing slightly fancier versions of the same sort of clamshell docks, but, um, wow did it get expensive!

Good things come to those who wait for the price to drop, and I recently bagged one on Amazon for the M1 for around $30, down from a height of $275!!!

But that's not why you're here. You're here because you might've done the same and you want to know why you can't get your MacBook to display to an external monitor. You've plugged in a keyboard and/or mouse, slammed shift and the mouse buttons, and nothing. Is your HDMI cord bad? Is the Mac still asleep? Is there a setting that you needed to set?

NO!! It's so much simpler!!! You have to have it plugged into a power supply!!

Or, more to the point, clamshell mode doesn't work when the MacBook is on battery power.

Why not when it'll run for 5-8 hours on the battery? And how useful would it be to be able to test that the dock is working before setting up a power supply behind the desk? Very. Or maybe you just want to use the paltry two USB-C ports for something other than power or a dock with power pass-through. TOO BAD!

I have no idea why clamshell on battery doesn't work and isn't, afaict, even a setting. But it doesn't.

I've done this twice now after not using the Brydge for a few months in between. /sigh (Told you using the MacBook with the external monitor is rare.)

Labels: dock, macbook air

title: Put the knife down and take a green herb, dude.	descrip: One feller's views on the state of everyday computer science & its application (and now, OTHER STUFF) who isn't rich enough to shell out for www.myfreakinfirst-andlast-name.com Using 89% of the same design the blog had in 2001.
FOR ENTERTAINMENT PURPOSES ONLY!!! Back-up your data and, when you bike, always wear white. As an Amazon Associate, I earn from qualifying purchases. Affiliate links in green.

Saturday, June 22, 2024
What's XProtectRemediatorRedPine on macOS? I recently had a process called `XProtectRemediatorRedPine` eating 95% of one CPU core on my MacBook Air when it wasn't plugged in. That name seemed... strange, and I wondered if it was legit. Turns out it's probably Apple looking for malware. The Secrets of XProtectRemediator Found a blog post called "The Secrets of XProtectRemediator" that has a section called "Reverse Engineering the RedPine Remediator. They apparently picked the Red Pine remediator at random... With all that background out the way, let’s open up one of the XPR scanners in Binary Ninja and actually see what this looks like. There’s no particular reason for choosing RedPine, they all look pretty much the same. ... Since there are 24 remediators, I won’t cover them all in detail. In a results section, they give the "notable results" on Red Pine (and a few others): Now this one I’m not totally confident about, but it’s givinggg TriangleDB from Operation Triangulation5. I wonder where Red Pines grow? 🦅🇺🇸 What is TriangleDB? And there's a link included with more on TriangleDB, which is probably the most interesting link in this blog post. Here's a snippet: The implant, which we dubbed TriangleDB, is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability. It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted. Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again. In case no reboot occurs, the implant uninstalls itself after 30 days, unless this period is extended by the attackers. ... Once the implant launches, it starts communicating with the C2 server, using the Protobuf library for exchanging data. The configuration of the implant contains two servers: the primary and the fallback (contained in the lS and lSf configuration fields). ... The C2 server responds to heartbeat messages with commands. Commands are transferred as Protobuf messages that have type names starting with CRX. The meaning of these names is obscure: for example, the command listing directories is called CRXShowTables, and changing C2 server addresses is handled by the command CRXConfigureDBServer. In total, the implant we analyzed has 24 commands designed for: Interacting with the filesystem (creation, modification, exfiltration and removal of files); Interacting with processes (listing and terminating them); Dumping the victim’s keychain items, which can be useful for harvesting victim credentials; Monitoring the victim’s geolocation; Running additional modules, which are Mach-O executables loaded by the implant. These executables are reflectively loaded, with their binaries stored only in memory. [emphais mine -mfn] Overview/quick history of XProtect The relationship of Red Pines to TriangleDB is supported by another source titled "The Three XProtects of Christmas". It also gives us a good, quick overview of the XProtect system as a whole. By 2021, Apple had decided to replace MRT with something more modern and capable. The first version of XProtect Remediator was installed in macOS Monterey 12.3 on 14 March 2022, and over the following summer it grew to replace MRT, which was last updated on 29 April 2022, and is now no longer installed with macOS although it may still be obtained as an update. XProtect Remediator (XPR) is installed and updated outside macOS updates, in the XProtect.app bundle in /Library/Apple/System/Library/CoreServices, in macOS 10.15 Catalina and later. It contains individual executable scanning modules, one of which covers old malware that MRT dealt with. Its first standalone update on 17 June 2022 brought the total of its named malware scanners to eight, and it has grown steadily ever since to a total of 22 in its current version 122. ... RedPine, added in 114 on 12 October 2023, believed to cover TriangleDB malware; I'm not going to suggest that I've given you an exhaustive breakdown on what's happening such that you could elevator speech the important parts to someone else (usually my goal), but I think that's enough of a lead for us to figure it out if we wanted to. In any event, I think this... Says the process is likely legit. ("likely" because you could always name your malware after something legit) Makes me think the "efficiency cores" are very efficient, because otherwise this would've killed my battery. Though weird that a process looking for in-memory malware would use so much CPU for so long. 🤔 Eh, kinda interesting. I guess this sort of topic helps explain why my blog makes the big bucks. Labels: apple, security posted by ruffin at 6/22/2024 09:35:00 AM

Wednesday, June 19, 2024
Fixing AirDrop from iPhone to macOS Does AirDrop seem to hang when you're sending photos from your iPhone to your Mac? Welp, add "Bringing Devices Together" (I think where you can AirDrop by proximity between two iPhones) to the Apple Fail archives. After an Apple Support chat session, the agent mentioned something about "bringing the devices together" - I think they assumed the transfer was between 2 iOS devices. iOS device > General > AirDrop > Bringing Devices Together I believe it is on by default when upgrading to whichever iOS release contained NameDrop. I manually & specifically turned OFF the setting because of recent "security" articles about the new NameDrop capability I had this setting turned ON, specifically because I did a contact transfer a week or 2 ago. And accidentally left it on. Toggling it off, retrying the AirDrop, and it worked. Seriously, who is in charge of QA/QC at Apple? How is sending photos from an iPhone to a Mac not on your integration test list? Labels: airdrop, apple fail, qa posted by ruffin at 6/19/2024 05:31:00 PM

Monday, June 10, 2024
Email corpora for testing Okay, was looking for email corpi (corpuses? No, apparently corpora) to run some tests, and found these... Test emails for a Ruby lib called Mail A single eml example file at the FlexConfirmMail for Thunderbird github site EDRM doesn't seem to have Enron any more (see below), but it does have its EDRM Public Micro Dataset, which contains "4 email boxes with shared correspondence, threads and attachments" (and a lot more that's not email, but you have to grab the whole zip). Enron data, perhaps the most famous, large-ish email corpus. Its state is... complicated. EnronData.org sounds promising, but links are broken. FoundationDB claims to have it but that's from Archive.org. Carnegie Mellon hosts it but has removed anyone who requested they do so. Prior versions of the dataset are no longer being distributed. If you are using the March 2, 2004 Version; the August 21, 2009 Version; or the April 2, 2011 Version of this dataset for your work, you are requested to replace it with the newer version of the dataset below, or make the the appropriate changes to your local copy. It's still plenty for testing The Library of Congress (!!) has a copy with everyone, but no attachments. Okay, they say they don't have everyone either, though I found a few at LoC that were not at Carnegie Mellon... The dataset here does not include attachments, and some messages have been deleted "as part of a redaction effort due to requests from affected employees". Invalid email addresses were converted to something of the form user@enron.com whenever possible (i.e., recipient is specified in some parse-able format like "Doe, John" or "Mary K. Smith") and to no_address@enron.com when no recipient was specified." Carnegie Mellon says that EDRM has it with attachments ("A version of the dataset with all attachments is available from EDRM.*"), but that URL is dead. Check the licenses for each and enjoy. Labels: email, fyi, testing posted by ruffin at 6/10/2024 05:14:00 PM

Thursday, June 06, 2024
Why your MacBook isn't waking in clamshell/your new Brydge dock I used a Henge Dock for my old Intel MacBook and, other than some scratches on about 40% of the outside of the laptop's cover, surprisingly really liked it. It was a real space-saver for the desk. Though I'd rather have had the laptop screen available in addition to the external monitor, I didn't use it that often at the desk, and the dock was a great compromise. Fast-forward a bit to me buying an M1 MacBook Air. I've been jealously eyeing the new-ish Brydge Vertical Dock since the M1 design was still housing Intel processors. Brydge apparently bought out Henge, and they're doing slightly fancier versions of the same sort of clamshell docks, but, um, wow did it get expensive! Good things come to those who wait for the price to drop, and I recently bagged one on Amazon for the M1 for around $30, down from a height of $275!!! But that's not why you're here. You're here because you might've done the same and you want to know why you can't get your MacBook to display to an external monitor. You've plugged in a keyboard and/or mouse, slammed shift and the mouse buttons, and nothing. Is your HDMI cord bad? Is the Mac still asleep? Is there a setting that you needed to set? NO!! It's so much simpler!!! You have to have it plugged into a power supply!! Or, more to the point, clamshell mode doesn't work when the MacBook is on battery power. Why not when it'll run for 5-8 hours on the battery? And how useful would it be to be able to test that the dock is working before setting up a power supply behind the desk? Very. Or maybe you just want to use the paltry two USB-C ports for something other than power or a dock with power pass-through. TOO BAD! I have no idea why clamshell on battery doesn't work and isn't, afaict, even a setting. But it doesn't. I've done this twice now after not using the Brydge for a few months in between. /sigh (Told you using the MacBook with the external monitor is rare.) Labels: dock, macbook air posted by ruffin at 6/06/2024 04:41:00 PM

<< Older \| Newer >>

x MarkUpDown is the best Markdown editor for professionals on Windows 10. It includes two-pane live preview, in-app uploads to imgur for image hosting, and MultiMarkdown table support. Features you won't find anywhere else include... MarkUpDown Multiline Table & Bootstrap Grid support. Beautiful Easy Actions that keep the Markdown flowing. HTML paste to paste HTML source into your documents. You've wasted more than $15 of your time looking for a great Markdown editor. Stop looking. MarkUpDown is the app you're looking for. Learn more or head over to the 'Store now!