Apple’s little known malware removal tool gets a signature update. But what is this new malware family MACOS.35846e4? Find out on this journey inside MRT
We’ve noted before that Apple’s built-in security technologies have been missing some updates of late, and we weren’t the only ones. So, when Apple dropped a couple of updates to MRT and XProtect last week, the macOS community raised a collective eyebrow of interest. With XProtect having hardly seen a significant update since March of 2018, there were high hopes that Apple were finally playing catch-up with the rounds of macOS malware that have appeared since XProtect’s last update.
As it turned out, the updates were underwhelming on the one hand and curious on the other. XProtect merely received a bump to the minimum required version of the Flash Player plug-in (now 32.0.0) but otherwise added no new malware families, while MRT added only a single new family to its search-and-remove definitions, an item Apple designated MACOS.35846e4. The addition to MRT caused some consternation among macOS security enthusiasts, as this nomenclature is unfamiliar to the wider macOS research community: what is the mysteriously named MACOS.35846e4? Were Apple discovering new malware and keeping the details from the wider security community? It wouldn’t be the first time they’ve been accused of such.
We decided to take a look at the MRT.app and find out for ourselves.
Inside MRT.app
The Malware Removal Tool (MRT.app) is an Apple application that lives in /System/Library/CoreServices, rather than in the Applications or Utilities folders where user-level programs are typically located. MRT.app is not intended for users to launch, and in fact has even been known to trigger a false positive from Apple’s own XProtect in certain circumstances. However, it does possess some command line options which allow it to be invoked either as an agent or as a daemon, and, interestingly, it may also generate an error message related to the mysterious new malware family.
The error message doesn’t give us any clue as to what MACOS.35846e4 is, though. Figuring out what MRT looks for requires a couple of different approaches. The first thing we need to do is grab a copy of the binary to play with. Even though we don’t plan to write to the binary, and it is protected by System Integrity Protection in any case (which prevents modifications to the original), working on a copy during analysis is a habit you should always adopt when reverse engineering. We can grab a copy with ditto, writing it to the Desktop (the executable sits inside the bundle at Contents/MacOS/MRT):

sudo ditto /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT ~/Desktop/MRT_COPY
Pulling Strings
The first step in reverse engineering an executable file is usually to dump the plain text ASCII strings embedded in it. Simply dumping the strings from the binary will often reveal hardcoded file paths. There are a couple of ways to achieve this, but the built-in macOS utility, conveniently called strings, is probably the easiest. On a fresh install the strings command is only a stub, which offers to install the full Xcode Command Line Tools the first time you run it. Pass the -a flag (scan the whole file, not just the data sections) and the path to the file, and redirect the output to a new file:

strings -a ~/Desktop/MRT_COPY > ~/Desktop/MRT_Strings.txt
You can scroll and search through the new file in a text editor of your choice. Note that the output is just a dump of every string in the binary, and there’s no way to automatically determine from this which strings are actually malware definitions and which are just strings used for other purposes in the binary. That said, many are obvious given a little experience, but it’s important to treat the output with caution until or unless you can verify from further checks that a file path is related to malware.
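As an added example, not from the original post, here is a small Python reimplementation of the strings -a step together with a first-pass triage of its output. It runs over a constructed byte blob standing in for the binary; the triage buckets (user-writable paths versus Apple-owned paths, reverse-DNS labels, Objective-C selectors) are our own heuristics for reading a dump, not categories that MRT or Apple define.

```python
import re

# Runs of printable ASCII bytes, as strings(1) reports them. `strings -a`
# scans the whole file; this regex does the same since it ignores Mach-O layout.
def extract_strings(data: bytes, min_len: int = 4):
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

# Heuristics for sorting a dump. These are our own triage buckets, chosen
# because adware definitions tend to be paths, launchd labels and bundle IDs.
REVERSE_DNS_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(\.[A-Za-z][A-Za-z0-9-]*){2,}$")
SELECTOR_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(:[A-Za-z0-9_]*)*:$")
APPLE_OWNED = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")

def triage(strings):
    buckets = {"path": [], "apple_path": [], "bundle_or_label": [],
               "selector": [], "other": []}
    for s in strings:
        if s.startswith(("/", "~/")):
            # Apple-owned locations are usually the tool's own plumbing;
            # user-writable paths are where adware drops its files.
            key = "apple_path" if s.startswith(APPLE_OWNED) else "path"
            buckets[key].append(s)
        elif REVERSE_DNS_RE.match(s):
            buckets["bundle_or_label"].append(s)   # bundle IDs, launchd labels
        elif SELECTOR_RE.match(s):
            buckets["selector"].append(s)          # Objective-C selectors
        else:
            buckets["other"].append(s)
    return buckets

# Constructed stand-in for a binary: a few strings separated by non-printable bytes.
SAMPLE_BINARY = (
    b"\x00\x01\xff" + b"MACOS.35846e4\x00"
    + b"\x7f\x00\x90" + b"~/Library/Application Support/.dir\x00"
    + b"/System/Library/CoreServices/MRT.app\x00"
    + b"\x03\x04" + b"sendLogEvent:\x00"
    + b"com.example.updater\x00"
    + b"ab\x00"              # too short to be reported, as with strings(1)
    + b"\xde\xad\xbe\xef"
)

if __name__ == "__main__":
    import sys
    # Pass a file (for instance ~/Desktop/MRT_COPY) to triage it; with no
    # argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for bucket, items in triage(extract_strings(data)).items():
        print(f"== {bucket} ({len(items)})")
        for item in items:
            print("   ", item)
```

The triage only narrows where to look: a string in the "path" bucket still needs to be confirmed against the code that uses it, which is exactly the point the paragraph above makes.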
Aside from the fact that there’s no intrinsic way to distinguish the strings from one another, there’s another problem: the strings don’t contain all of the definitions. And although we can search through the strings for the family name MACOS.35846e4, the output doesn’t give us any clear indication of the malware that it refers to. It’s time to dive a bit deeper.
Static Code Analysis
For this, you need a disassembler like Cutter or Hopper. In this example, we’ll use Hopper because it gives a slightly cleaner and easier to read output.
We begin by searching for references to the string 35846e4 in Hopper’s Strings section. From here, we find a reference to the string being loaded into the rdi register. That’s interesting! On x86-64, rdi holds the first argument of a function call, which in Objective-C code is typically the receiver of a message or the first argument of a call into the runtime. Switching to Hopper’s pseudocode view shows us that the string is being loaded into the register from within another function, sub_1000ca9a0, where we find a treasure trove of ASCII characters hidden as byte values. One collection of 13 such characters in the function, each held in a separate local variable, can be checked quickly on the command line to see whether they’re interesting.
The string turns out to be sendLogEvent:, which looks like an Objective-C method call because of the trailing colon. That’s enough to pique our interest. Scanning through the rest of the method, we see lots more individual variables holding hex values that map to ASCII character codes. To see what they hold, we’ll just dump the whole function into a text file and do some text manipulation to isolate and translate the hex values. Some of the resulting strings we recognize as classic adware strings, so it seems that MACOS.35846e4 is some form of adware. Let’s check out VirusTotal and see if we get any matches.
Old Adware, New Variant
Fortunately for us, in this case we get a bunch of hits. This is a family of adware that’s been around a long time but was updated after the release of macOS 10.14 Mojave to take account of Apple’s new user protections. The adware appears to users under various names like “MacSecurityPlus” and “MacOSDefender”.
There’s a hidden folder at ~/Library/Application Support/.dir that contains an application called “CompanyUpdater”. A persistence agent in the user’s ~/Library/LaunchAgents folder executes a process called “Dock” to ensure the infection is reinstalled if removed. The adware will also try to install browser extensions in Chrome, Firefox and Safari, typically called something like “AnySearch” or “DefaultSearch”.
Conclusion
In this post, we’ve gotten to the bottom of the mystery of Apple’s update to Malware Removal Tool, though not to why Apple tried to obscure this particular detection. It also remains a mystery why Apple are continuing to update MRT while leaving XProtect practically moribund. For users and endpoints, given the amount of new malware that has arisen in the last year that neither XProtect nor MRT recognizes, it remains a wise choice to ensure you have a more robust security solution installed on your Mac computers.
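For readers who want to check an endpoint for the indicators described above (the hidden .dir folder, CompanyUpdater, a LaunchAgent running a bogus “Dock”, and the browser extensions), here is an added example in Python. It is not from the original post and not SentinelOne’s code. The LaunchAgent label com.example.updater, the Chrome extension ID and the whole directory layout produced by build_sample_home are a constructed fixture; real infections use other names. Only Chrome extensions are inspected; Firefox and Safari keep their extensions in other formats and are not covered here.

```python
import json
import os
import plistlib
import tempfile
from pathlib import Path

# Indicators taken from the post. The extension names are the ones reported;
# the adware varies them, so treat a match as a lead rather than proof.
HIDDEN_DIR = Path("Library/Application Support/.dir")
DROPPED_APP = "CompanyUpdater"
PERSISTENCE_BINARY = "Dock"
EXTENSION_NAMES = {"anysearch", "defaultsearch"}

def launch_agent_findings(home: Path):
    """Flag user LaunchAgents whose program is a binary named 'Dock' outside
    /System. The real Dock lives in /System/Library/CoreServices/Dock.app, so a
    'Dock' anywhere else is the persistence trick the post describes."""
    findings = []
    agents = home / "Library" / "LaunchAgents"
    if not agents.is_dir():
        return findings
    for plist in agents.glob("*.plist"):
        try:
            with open(plist, "rb") as fh:
                job = plistlib.load(fh)
        except Exception:
            continue  # unreadable or malformed plist: skip, do not abort the sweep
        args = job.get("ProgramArguments") or []
        program = job.get("Program") or (args[0] if args else None)
        if (program and os.path.basename(program) == PERSISTENCE_BINARY
                and not program.startswith("/System/")):
            findings.append(f"LaunchAgent {plist.name} runs {program}")
    return findings

def chrome_extension_findings(home: Path):
    """Match Chrome extension manifests by name. Localised manifests carry a
    __MSG_...__ placeholder instead of a name and will not match here."""
    findings = []
    root = home / "Library/Application Support/Google/Chrome"
    if not root.is_dir():
        return findings
    for manifest in root.glob("*/Extensions/*/*/manifest.json"):
        try:
            name = json.loads(manifest.read_text()).get("name", "")
        except Exception:
            continue
        if name.lower().replace(" ", "") in EXTENSION_NAMES:
            findings.append(f"Chrome extension '{name}' at {manifest.parent}")
    return findings

def scan_home(home):
    """Return a list of human-readable findings for one user's home folder."""
    home = Path(home)
    findings = []
    hidden = home / HIDDEN_DIR
    if hidden.is_dir():
        findings.append(f"hidden directory {hidden}")
        if (hidden / DROPPED_APP).exists() or (hidden / f"{DROPPED_APP}.app").exists():
            findings.append(f"{DROPPED_APP} inside {hidden}")
    findings += launch_agent_findings(home)
    findings += chrome_extension_findings(home)
    return findings

def build_sample_home():
    """Constructed fixture: a throwaway home folder laid out like an infected
    profile, plus one benign LaunchAgent that must not be flagged."""
    home = Path(tempfile.mkdtemp(prefix="mrt_demo_"))
    (home / HIDDEN_DIR / DROPPED_APP).mkdir(parents=True)
    agents = home / "Library/LaunchAgents"
    agents.mkdir(parents=True)
    with open(agents / "com.example.updater.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": [str(home / HIDDEN_DIR / "Dock"), "--run"],
                       "RunAtLoad": True}, fh)
    with open(agents / "com.example.benign.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.benign", "Program": "/usr/bin/true"}, fh)
    ext = home / "Library/Application Support/Google/Chrome/Default/Extensions/abcdefghijklmnop/1.0_0"
    ext.mkdir(parents=True)
    (ext / "manifest.json").write_text(json.dumps({"name": "AnySearch", "version": "1.0"}))
    return home

if __name__ == "__main__":
    # Scan the current user; swap in build_sample_home() to see the output on the fixture.
    for finding in scan_home(Path.home()):
        print("[!]", finding)
```

Note that the checks deliberately key on where a file lives rather than on a hash, since the post's point is that the family keeps being rebuilt; a user LaunchAgent pointing at a "Dock" under ~/Library is suspicious regardless of the binary's contents.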
Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.