Passing on a disturbing attempt at hacking/malware on a Mac during upgrade to Mojave.
OK, so this is what I know so far…
Computer knowledgeable friend got a notification to upgrade his iMac running latest High Sierra to Mojave. He’s been putting it off for a while because of the time. Decided to fire it up and left for a couple of hours.
Got error messages that some of the resources were not available and the install failed. When he rebooted it came up in a Ubuntu system and he realized at that point that something was hosed.
Called us but before we managed to get over there (across the valley and we had sheep and dogs to feed first) he’d decided to try to boot from the Internet Recovery and reinstall that way.
Which apparently worked.
Trying to back into what happened we found this: He had gotten an e-mail from a trusted source with an attached PDF file. When he tried to open it he got a screen that said “For best experience with this PDF portfolio click on Foxit Reader to download and install Foxit Phantom 6.0 or later”. Because it was a new person but trusted (a rather major institution on the east coast) he clicked on it and got the Foxit Reader installed on his Mac.
Then the notification to install Mojave was subtly different. When he selected to go ahead and install, he can’t remember exactly, but it was not the same as the standard official Mojave install screen.
After the recovery boot/install off the Internet he has a new Ubuntu partition on his internal hard drive according to Disk Utility.
He had taken the precaution of disconnecting his Time Machine drive before the install and that is still intact.
What I’ve suggested is that he first create a bootable drive using CCC of the system as it is. Then create a bootable drive excluding that Ubuntu partition, and then try to erase that partition and then reinstall from his Time Machine BU.
He kept the offending PDF, the hex dump of the PDF, and more data if anyone wants to pursue this.
I’d really like to know how it came up in Ubuntu and mostly also wanted to alert folks to a potential malware/hack issue.
edited to remove worst of the typos
edited to fix Ubunto Ubuntu typos