Removing Malware from Motherboard

hugohutte

New member
Hi guys,
I have a rather unusual question for you. My friend owns a late-2013 MBP which has been infected with some pretty sophisticated malware. We've replaced the SSD with a fresh one and reinstalled Catalina to no avail, so it seems the motherboard itself has been compromised. I've also tried resetting the firmware, NVRAM, and SMC but it still persists. I guess once malware has gotten in at the hardware level it's able to prevent its own removal.

So my question - in which parts of the motherboard would something like this be able to hide? Is it technically/economically feasible to swap out these parts in order to avoid buying a replacement motherboard? Is there anything else I should try before resorting to this?

I've asked this question elsewhere and have been met with incredulity, but we're 100% sure of the presence of the malware. It's sort of an odd story... she has a friend who is a security researcher and he infected her machine as a sort of gag. Each time we've tried to remove it he's been able to prove that he can still monitor her activity. He thinks it's hilarious but it's really driving her crazy.

Thanks in advance for your advice!


Model details:
  • MacBook Pro 15-Inch "Core i7" 2.3 Late 2013 (DG)
  • MacBookPro11,3 / A1398
 

2informaticos

Administrator
Staff member
First of all, welcome to the forum!

I can't say too much if you don't tell us which kind of software problem you noted on the machine.

Flashing the BIOS and replacing the SSD will erase any kind of "persistent memory" from the board.
 

hugohutte

New member
Hey thanks, glad to be here!

There are no software symptoms. The "attacker" (her friend) is able to reliably tell her what she's been up to on the machine. What websites she visits, the things she's working on in Illustrator (she's a graphic designer), etc.

Is there a way to flash the BIOS on a MacBook? My understanding was that firmware updates are performed by the macOS installer, so I reverted back to an old version of macOS (Sierra, I believe) and then upgraded back to Catalina. The idea was to revert to an old firmware, and then the Catalina installer would flash it to the latest version. Is there a way to perform firmware updates manually?

Otherwise, I guess what I was asking was whether it's possible to acquire a used firmware chip and have a local repair shop replace it directly on the board. Is that even feasible?
 

2informaticos

Administrator
Staff member
Her ex-friend probably knows her and what she does normally on the computer.
Like her job and most visited websites.
I doubt he can tell exactly where she browsed at which time.

However, flashing the BIOS and erasing the SSD at the same time will avoid any possible backdoor malware.
An upgrade to a newer macOS doesn't flash the entire BIOS.

Changing the BIOS chip is not the correct way.
In such a case, the ME region MUST be cleaned.
The same chip on the machine can be flashed with a new file (with a clean ME, of course).
A good repair shop knows how to do it correctly.
 

piernov

Moderator
Staff member
Harassment should be reported to the relevant authorities; that's not a problem you solve by messing with a laptop board…
In any case, either the laptop is enrolled in MDM, or the owner of the machine uses the same set of accounts, passwords or apps after reinstalling that have been compromised by the attacker.
Or none of that, and she is just being paranoid, which unfortunately happens under harassment (hence why the first point is important).
 

hugohutte

New member
Harassment should be reported to the relevant authorities
Yeah, that's what I told her too. She thinks it will only make things worse and we're not sure how to definitively prove it without a very expensive and lengthy forensics process. If she could afford that she'd just buy a new laptop.

Can anyone recommend any openly available tools to flash a MacBook Pro firmware? Is any special equipment necessary to do this? Also, does Apple provide official firmware binaries somewhere? I can't seem to find any.
 

2informaticos

Administrator
Staff member
Did she change all the passwords for emails and other online accounts?

The BIOS file should already be posted on the forum.
Check against the 820-xxxx code of the board.
 

hugohutte

New member
Yes, she's changed her passwords.

I'll check the board code and see if I can find a firmware. Is there a tool I'll need to buy in order to flash the BIOS?
 

2informaticos

Administrator
Staff member
Some tools to read/write the BIOS onboard exist, like the Medusa programmer.
Not a good deal to solve one machine only.
A simple CH341 programmer can do the job after extracting the SPI chip (U6100).

The BIOS file is probably posted on the forum.
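Added example (not from the thread or from any forum member): a Python script that walks the Intel Flash Descriptor of a dumped SPI image to find the region boundaries (Descriptor, BIOS, ME, GbE, PDR) and hashes each region against a known-clean file, so a dump read from the SPI chip with a CH341 can be checked region by region before and after reflashing, and the ME region in particular can be confirmed to match the clean file. The 0x0FF0A55A signature at offset 0x10 and the 15-bit region-register layout are assumptions about the chip image; the 64 KiB sample image is constructed here, not a real dump.

```python
import hashlib
import struct

# Assumed Intel Flash Descriptor layout: signature at 0x10, region registers
# addressed by FRBA (FLMAP0 bits 23:16), base/limit in 4 KiB units.
IFD_SIGNATURE = 0x0FF0A55A
IFD_OFFSET = 0x10
REGION_NAMES = ("Descriptor", "BIOS", "ME", "GbE", "PDR")


def parse_regions(image: bytes) -> dict:
    """Return {region_name: (start, end)} byte ranges, skipping unused regions."""
    sig, flmap0 = struct.unpack_from("<II", image, IFD_OFFSET)
    if sig != IFD_SIGNATURE:
        raise ValueError("no Intel Flash Descriptor signature at offset 0x10")
    frba = ((flmap0 >> 16) & 0xFF) << 4          # Flash Region Base Address
    regions = {}
    for idx, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * idx)
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if limit < base:                         # limit below base = region unused
            continue
        regions[name] = (base, limit + 1)
    return regions


def compare_regions(suspect: bytes, clean: bytes) -> dict:
    """Hash each region of both images; True means the region matches the clean file."""
    if len(suspect) != len(clean):
        raise ValueError("images differ in size: wrong chip or truncated dump")
    result = {}
    for name, (start, end) in parse_regions(suspect).items():
        result[name] = hashlib.sha256(suspect[start:end]).digest() == \
            hashlib.sha256(clean[start:end]).digest()
    return result


def build_sample_image() -> bytearray:
    """Constructed 64 KiB image: Descriptor 0x0000-0x0FFF, ME 0x1000-0x2FFF,
    BIOS 0x3000-0xFFFF, GbE/PDR unused; region registers placed at 0x40."""
    img = bytearray(b"\xff" * 0x10000)
    struct.pack_into("<II", img, IFD_OFFSET, IFD_SIGNATURE, 0x4 << 16)  # FRBA = 0x40
    struct.pack_into("<5I", img, 0x40, 0x00000000, 0x000F0003, 0x00020001,
                     0x00007FFF, 0x00007FFF)
    return img


CLEAN = bytes(build_sample_image())
SUSPECT = build_sample_image()
SUSPECT[0x1800:0x180B] = b"constructed"          # constructed change inside the ME region
SUSPECT = bytes(SUSPECT)

if __name__ == "__main__":
    for name, same in compare_regions(SUSPECT, CLEAN).items():
        print(f"{name:10s} {'matches clean file' if same else 'DIFFERS from clean file'}")
```

Run the same comparison on a dump taken after flashing to confirm the written image matches the clean file in every region, and dump twice to catch read errors before drawing conclusions from a difference.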
 