Interesting Mac malware/hack failure Mojave install

Passing on a disturbing attempt at hacking/malware on a Mac during upgrade to Mojave.

OK, so this is what I know so far…

Computer knowledgeable friend got a notification to upgrade his iMac running latest High Sierra to Mojave. He’s been putting it off for a while because of the time. Decided to fire it up and left for a couple of hours.

Got error messages that some of the resources were not available and the install failed. When he rebooted it came up in a Ubuntu system and he realized at that point that something was hosed.

Called us but before we managed to get over there (across the valley and we had sheep and dogs to feed first) he’d decided to try to boot from the Internet Recovery and reinstall that way.

Which apparently worked.

Trying to back into what happened we found this: He had gotten an e-mail from a trusted source with an attached PDF file. When he tried to open it he got a screen that said “For best experience with this PDF portfolio click on Foxit Reader to download and install Foxit Phantom 6.0 or later”. Because it was a new person but trusted (a rather major institution on the east coast) he clicked on it and got the Foxit Reader installed on his Mac.

Then the notification to install Mojave was subtly different. When he selected to go ahead and install he can’t remember exactly but it was not the same as the standard official Mojave install screen.

After the recovery boot/install off the Internet he has a new Ubuntu partition on his internal hard drive according to Disk Utility.

He had taken the precaution of disconnecting his Time Machine drive before the install and that is still intact.

What I’ve suggested is that he first create a bootable drive using CCC of the system as it is. Then create a bootable drive excluding that Ubuntu partition, and then try to erase that partition and then reinstall from his Time Machine BU.

He kept the offending PDF, the hex dump of the PDF, and more data if anyone wants to pursue this.

I’d really like to know how it came up in Ubuntu and mostly also wanted to alert folks to a potential malware/hack issue.

edited to remove worst of the typos

edited to fix Ubunto Ubuntu typos

Foxit PDF Reader itself is a decent PDF application which I use on my Windows systems. It sounds like the link sent him to a download of a cracked version which did something to his operating system (and he entered his admin password probably a few times too many as part of this “install”). I would highly recommend that anyone downloading software they haven’t heard of before, or getting it from an intermediary, verify the checksum, etc. - I know this isn’t the most user-friendly way (though if you download from the Mac App Store Apple should have your back), but it is secure.

Unless the whole thing was a scam then I would think that the PDF was just an unfortunate bystander.

Is Ubunto a (consistent) typo, or do you mean Ubuntu, a free and open source operating system and Linux distribution based on Debian?

(If not, I’d like to know more about Ubunto)

Is the person sure (s)he never installed Ubuntu on a separate partition before?

Consistent typo, I’ll go fix it, sorry. Can you tell I’m not the Linux/Ubuntu person in the house? :slight_smile:

Yes, absolutely sure about never installing any Linux distribution on that machine at all.

Did he contact the trusted organization you refer to? It seems to me they would want to know something maybe amiss on their side too.

He is planning to. He is not usually caught by such things. He’s been working, designing software and programming computers longer than I would bet that most of the folks here have been alive. :wink: He’s one of the original 3 people who developed the computer game Spacewar!

https://en.wikipedia.org/wiki/Spacewar!

My friend is Wayne.

I think the Ubuntu partition may be associated with some sort of attempted ransomware attack. The bad actor would install a minimal Ubuntu installation, then encrypt the data on the macOS partition. Unless the victim pays, he or she isn’t able to access their data.

There are several concerns here:

  • Who was the true sender of the email?
  • Was the pdf a pdf, or a file named to look like a pdf?
  • When did the infection happen? The user could have downloaded malware some time back and it has just now been activated.

I think making a CCC backup and reinstalling from that is not the way to go, as it could transfer the infected files to the backup.

Also of concern is if the infected file(s) are already on the Time Machine backup.

At a minimum, I think booting from and installing from the internet is a wise choice. After that, some sort of system check for virus/malware/etc. Which (thankfully) I don’t have any experience with on the Mac.

True Sender - Smithsonian verified by headers and IP addy as much as possible.
Was a real PDF but had more than that in it based on the hex file dump and comparison to valid PDF files.
Based on time stamps (potentially modified) all the changes on the hard drive happened at the install of the Foxit SW. The trigger after that was a false notification to upgrade to Mojave.

Good point about the infected files possibly on Time Machine. He was planning on going back to before he installed the Foxit stuff.

What does VirusTotal report if you upload the PDF file there?

(I’m not sure the scanners used there also check macOS malware, but it might be worth trying?)
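Two posts above talk about comparing the hex dump of the attachment against known-good PDFs and about submitting it to VirusTotal. The script below is an added example (not code from anyone in this thread) of the kind of first-pass triage a responder would run on a suspicious PDF before handing it to anyone: it records the SHA-256 (which can be searched on VirusTotal without uploading the file), checks the header, measures how many bytes trail the final %%EOF marker (a common place for "more than a PDF" to hide), and lists PDF name objects that can trigger actions on open. The sample PDF bytes are constructed for the example and are not the attachment from the thread; the name list is an assumption about which features merit a closer look, not a complete detection rule.

```python
import hashlib
import re

# Constructed sample: a minimal PDF whose catalog has an /OpenAction pointing
# at a JavaScript object, followed by stray bytes after %%EOF. Not the file
# from the thread; just the shape a hex-dump comparison would reveal.
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /S /JavaScript /JS (app.alert('hi')) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"\x00\x01PLACEHOLDER-TRAILING-BYTES\x00"
)

# Constructed clean sample: same structure, no action objects, nothing after %%EOF.
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Assumed watch-list: PDF names that make a reader do something on open or
# on click (scripts, launching programs, embedded files, URIs). Presence is
# a reason to look closer, not proof of malice.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/EmbeddedFile", b"/RichMedia", b"/URI")


def triage_pdf(data: bytes) -> dict:
    """Static first-pass look at a PDF byte string; never renders or executes it."""
    report = {"sha256": hashlib.sha256(data).hexdigest()}
    report["has_pdf_header"] = data[:5] == b"%PDF-"

    # Anything after the last %%EOF (ignoring line endings) is not part of
    # the document structure and deserves a hex-level look.
    eof = data.rfind(b"%%EOF")
    if eof == -1:
        report["bytes_after_eof"] = None   # no EOF marker at all: malformed
    else:
        tail = data[eof + len(b"%%EOF"):]
        report["bytes_after_eof"] = len(tail.strip(b"\r\n"))

    # Rough object count, useful when comparing against known-good files.
    report["object_count"] = len(re.findall(rb"\d+ \d+ obj\b", data))

    report["risky_names"] = sorted({n.decode() for n in RISKY_NAMES if n in data})

    report["suspicious"] = (
        not report["has_pdf_header"]
        or report["bytes_after_eof"] is None
        or report["bytes_after_eof"] > 0
        or bool(report["risky_names"])
    )
    return report


if __name__ == "__main__":
    for label, blob in (("suspicious sample", SUSPICIOUS_PDF), ("clean sample", CLEAN_PDF)):
        print(label)
        for key, value in triage_pdf(blob).items():
            print(f"  {key}: {value}")
```

To use it on a real attachment, read the file in binary mode and pass the bytes to triage_pdf; the SHA-256 it prints is what you would paste into VirusTotal's search box, which avoids uploading a document that may contain the sender's private content.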

Latest update: We’re now way beyond my ability to comment or help once he started talking about command line erasing partitions.

"Turns out that the Apple disk utility app cannot see the Linux FS partition! I recall that when doing the restore over the internet the disk utility could see it as “Basic code partition” label. Hmmm. However, the command line tool diskutil can see it and identifies it as a Linux FS. The tool gpt can also see it. On my iMac it is disk0s4. So it appears that most users would be unaware of its existence. And CCC cannot see the partition either; so when I clone to a backup disk the Linux FS should not be copied. We’ll see what happens when I get my new backup disk.

I guess I shall have to use diskutil to delete the partition: sudo diskutil eraseVolume free free disk0s4. Any advice on this?"

So… any other users with ideas?
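The quoted message makes a point worth turning into a repeatable check: Disk Utility and CCC did not show the Linux partition, but the text output of diskutil did. The script below is an added example (not code from anyone in this thread) that parses diskutil list style output and reports any partition whose TYPE is not one of the types you expect on a stock Mac, so a hidden partition like the disk0s4 described above stands out. The sample output is constructed for the example and formatted to mimic diskutil's column layout; it is not a capture from the machine in the thread. The allow-list of expected types is an assumption you would tune to your own fleet (Macs with Boot Camp or Apple silicon will show additional types). It only reads and reports; deleting anything stays a separate, deliberate step.

```python
import re

# Constructed sample laid out like `diskutil list` (header row, then one row
# per slice, TYPE right-aligned, NAME/SIZE/IDENTIFIER left-aligned). Built
# with fixed column widths so the parser below can be exercised offline.
def _row(idx, ptype, name, size, ident):
    return f"{idx:>4}: {ptype:>26} {name:<23} {size:<10} {ident}"

SAMPLE_DISKUTIL_LIST = "\n".join([
    "/dev/disk0 (internal, physical):",
    _row("#", "TYPE", "NAME", "SIZE", "IDENTIFIER"),
    _row(0, "GUID_partition_scheme", "", "*1.0 TB", "disk0"),
    _row(1, "EFI", "EFI", "209.7 MB", "disk0s1"),
    _row(2, "Apple_APFS", "Container disk1", "950.0 GB", "disk0s2"),
    _row(3, "Apple_Boot", "Recovery HD", "650.0 MB", "disk0s3"),
    _row(4, "Linux Filesystem", "", "49.0 GB", "disk0s4"),  # the unexpected one
    "",
])

# Assumed allow-list of partition types a stock Intel Mac would carry.
# Extend it for Boot Camp (Microsoft types), Fusion drives, etc.
EXPECTED_TYPES = {
    "GUID_partition_scheme", "EFI", "Apple_APFS", "Apple_HFS",
    "Apple_Boot", "Apple_CoreStorage",
}


def parse_diskutil_list(text: str) -> list:
    """Turn diskutil list output into row dicts using the header's column offsets."""
    rows = []
    name_col = size_col = ident_col = None
    for line in text.splitlines():
        # The header row tells us where NAME, SIZE and IDENTIFIER start;
        # TYPE is everything between the index and the NAME column.
        if "TYPE" in line and "NAME" in line and "IDENTIFIER" in line:
            name_col = line.index("NAME")
            size_col = line.index("SIZE")
            ident_col = line.index("IDENTIFIER")
            continue
        m = re.match(r"^\s*(\d+):", line)
        if not m or name_col is None:
            continue  # device banner lines, blank lines, anything before a header
        rows.append({
            "index": int(m.group(1)),
            "type": line[m.end():name_col].strip(),
            "name": line[name_col:size_col].strip(),
            "size": line[size_col:ident_col].strip(),
            "identifier": line[ident_col:].strip(),
        })
    return rows


def unexpected_partitions(rows: list) -> list:
    """Rows whose TYPE is not on the allow-list; each is worth a human look."""
    return [r for r in rows if r["type"] not in EXPECTED_TYPES]


if __name__ == "__main__":
    # On a real Mac: import subprocess; text = subprocess.run(
    #     ["diskutil", "list"], capture_output=True, text=True).stdout
    parsed = parse_diskutil_list(SAMPLE_DISKUTIL_LIST)
    for r in unexpected_partitions(parsed):
        print(f"unexpected partition {r['identifier']}: type={r['type']!r} "
              f"name={r['name']!r} size={r['size']}")
```

Running this periodically (or after any unexpected reboot into a different OS) gives a plain-text record that survives the fact that the graphical tools hide partition types they do not understand; the identifier it prints is the one you would then inspect with gpt or diskutil info before deciding what to do with it.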