I recently had a process called XProtectRemediatorRedPine
eating 95% of one CPU core on my MacBook Air when it wasn't plugged in. That name seemed... strange, and I wondered if it was legit.
Turns out it's probably Apple looking for malware.
The Secrets of XProtectRemediator
Found a blog post called "The Secrets of XProtectRemediator" that has a section called "Reverse Engineering the RedPine Remediator. They apparently picked the Red Pine remediator at random...
With all that background out the way, let’s open up one of the XPR scanners in Binary Ninja and actually see what this looks like. There’s no particular reason for choosing RedPine, they all look pretty much the same.
...
Since there are 24 remediators, I won’t cover them all in detail.
In a results section, they give the "notable results" on Red Pine (and a few others):
Now this one I’m not totally confident about, but it’s givinggg TriangleDB from Operation Triangulation5. I wonder where Red Pines grow? π¦ πΊπΈ
What is TriangleDB?
And there's a link included with more on TriangleDB, which is probably the most interesting link in this blog post. Here's a snippet:
The implant, which we dubbed TriangleDB, is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability. It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted. Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again. In case no reboot occurs, the implant uninstalls itself after 30 days, unless this period is extended by the attackers.
...
Once the implant launches, it starts communicating with the C2 server, using the Protobuf library for exchanging data. The configuration of the implant contains two servers: the primary and the fallback (contained in the lS and lSf configuration fields).
...
The C2 server responds to heartbeat messages with commands. Commands are transferred as Protobuf messages that have type names starting with CRX. The meaning of these names is obscure: for example, the command listing directories is called CRXShowTables, and changing C2 server addresses is handled by the command CRXConfigureDBServer. In total, the implant we analyzed has 24 commands designed for:
- Interacting with the filesystem (creation, modification, exfiltration and removal of files);
- Interacting with processes (listing and terminating them);
- Dumping the victim’s keychain items, which can be useful for harvesting victim credentials;
- Monitoring the victim’s geolocation;
- Running additional modules, which are Mach-O executables loaded by the implant. These executables are reflectively loaded, with their binaries stored only in memory.
[emphais mine -mfn]
Overview/quick history of XProtect
The relationship of Red Pines to TriangleDB is supported by another source titled "The Three XProtects of Christmas". It also gives us a good, quick overview of the XProtect system as a whole.
By 2021, Apple had decided to replace MRT with something more modern and capable. The first version of XProtect Remediator was installed in macOS Monterey 12.3 on 14 March 2022, and over the following summer it grew to replace MRT, which was last updated on 29 April 2022, and is now no longer installed with macOS although it may still be obtained as an update.
XProtect Remediator (XPR) is installed and updated outside macOS updates, in the XProtect.app bundle in /Library/Apple/System/Library/CoreServices, in macOS 10.15 Catalina and later. It contains individual executable scanning modules, one of which covers old malware that MRT dealt with. Its first standalone update on 17 June 2022 brought the total of its named malware scanners to eight, and it has grown steadily ever since to a total of 22 in its current version 122.
...
RedPine, added in 114 on 12 October 2023, believed to cover TriangleDB malware;
I'm not going to suggest that I've given you an exhaustive breakdown on what's happening such that you could elevator speech the important parts to someone else (usually my goal), but I think that's enough of a lead for us to figure it out if we wanted to.
In any event, I think this...
- Says the process is likely legit.
- ("likely" because you could always name your malware after something legit)
- Makes me think the "efficiency cores" are very efficient, because otherwise this would've killed my battery.
- Though weird that a process looking for in-memory malware would use so much CPU for so long. π€
Eh, kinda interesting. I guess this sort of topic helps explain why my blog makes the big bucks.