Loki / Thor / Mojo are a triad of Apple internal tools and malware that infects the SMC, EFI and macOS of Apple MacBooks.
It is believed that direct access to the hardware is gained by re-flashing the Thunderbolt controller (via ThorUtil)
- T2/T2.md
- Firmware/INFO.md - information about Thor's firmware and comparison against a "known good". Four SMC encrypted payloads differ:
5CE0F1,5CECE9,5CFAB5,5D1751and a few submodules. - Firmware/INDEX.md - Index of modules and descriptions in the EFI volume.
- Firmware/bad.fd - The "Thor / Loki" firmware from a known bad laptop
- notes.md - Notes and rants about various components, not fully finalized or proven.
- MojoKDP/mojo.kext - The MojoKDP kernel module pulled from a virtual machine kernel memory. Injected by DMA / uDMA
- MojoKDP/mojo.kext.S - Annotated disassembly
- ESP/APPLE - the contents of the machines EFI partition. The most interesting of note is in
UPDATERS\\TBTH\\ThorUtil - logs - Unusual install and system logs from a Thor infected system, much of my interpretation is in notes.md
- SMC - examples of the Apple *.smc format. See also smcutil
- IN PROGRESS:
- EALF (EFI anti-loki file?) utility:
efivalidateOpen source version ofeficheck - PEI/TE/VZ to PE tool:
peiutilTool to convert this to something Hopper understands: http://wiki.phoenix.com/wiki/index.php/Terse_Executable_Format - SMC tool:
smcutilTooling for extracting and examining the Apple SMC image. - EARLY: HuffDiff (Intel ME difference util):
huffdiff - EARLY: Loki Removal Tool:
lokiremove
- EALF (EFI anti-loki file?) utility:
- MacBooks now force internet recovery to High Sierra. An effort to patch older EFI and implement
eficheck - Duo Labs can check your EFI pre 10.13 with EFIgy
/usr/libexec/firmwarecheckers/eficheck/eficheck- High Sierra utility to extract and redact your firmware image.- macOS defaults to latest firmware and patches, thereby including
eficheckReinstalling macOS changed with 10.12.4 - CoreBoot for the
ifdtoolutility code and tools unhuffmetool for decoding the Intel ME regions of the flash. unhuffme
- macOS 10.12 and earlier: Boot into recovery, look for any output from
ioreg | grep MojoKDP - macOS 10.13 and later (from external / AirGap):
sudo /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check- Alternate, Use reFINd and BootRomFlash to extract the fimrware and check with
eficheckorefivalidateon another machine - SUSPECT: Presence of
/dev/tty.MALSand/dev/tty.SOCas the serial connection to MojoKDP (previous versions of macOS showed this as two LPSS Serial Adapter connections). SOC is likely a connection to the SMC.
- Alternate, Use reFINd and BootRomFlash to extract the fimrware and check with
- REcon 2014: Apple SMC, the place to be (for an implant)
- Duo security recently published a paper on rampant EFI on MacBooks not updating. I believe these machines may well have this malware or a close variant and are simply observing the persistence mechanism at work. The Apple of Your EFI
- Apple includes EFI verification (eficheck) to High Sierra final build [macOS High Sierra Weekly EFI Security Check] (https://www.macrumors.com/2017/09/25/macos-high-sierra-weekly-efi-security-check/)
- I brought a sample of the malware to both the Union Square Apple store, and they declined to assist citing customer data.
- I was unable to reach Apple's product security division (due to the malware likely), and did take the computer directly to their campus. The irony of
efichecknow offering to allow you to submit samples is not lost on me. (The original submission number is 671195078)- REVISION: I've received acknowledgement after publication of this repo stating that the issue is under investigation