Loki / Thor / Mojo are a triad of Apple internal tools and malware that infects the SMC, EFI and macOS of Apple MacBooks.

It is believed that direct access to the hardware is gained by re-flashing the Thunderbolt controller (via ThorUtil)

• T2/T2.md
• Firmware/INFO.md - information about Thor's firmware and comparison against a "known good". Four SMC encrypted payloads differ: 5CE0F1, 5CECE9, 5CFAB5, 5D1751 and a few submodules.
• Firmware/INDEX.md - Index of modules and descriptions in the EFI volume.
• Firmware/bad.fd - The "Thor / Loki" firmware from a known bad laptop
• notes.md - Notes and rants about various components, not fully finalized or proven.
• MojoKDP/mojo.kext - The MojoKDP kernel module pulled from a virtual machine kernel memory. Injected by DMA / uDMA
• MojoKDP/mojo.kext.S - Annotated disassembly
• ESP/APPLE - the contents of the machines EFI partition. The most interesting of note is in UPDATERS\\TBTH\\ThorUtil
• logs - Unusual install and system logs from a Thor infected system, much of my interpretation is in notes.md
• SMC - examples of the Apple *.smc format. See also smcutil

• IN PROGRESS:
  • EALF (EFI anti-loki file?) utility: efivalidate Open source version of eficheck
  • PEI/TE/VZ to PE tool: peiutil Tool to convert this to something Hopper understands: http://wiki.phoenix.com/wiki/index.php/Terse_Executable_Format
  • SMC tool: smcutil Tooling for extracting and examining the Apple SMC image.
  • EARLY: HuffDiff (Intel ME difference util): huffdiff
  • EARLY: Loki Removal Tool: lokiremove
• MacBooks now force internet recovery to High Sierra. An effort to patch older EFI and implement eficheck
• Duo Labs can check your EFI pre 10.13 with EFIgy
• /usr/libexec/firmwarecheckers/eficheck/eficheck - High Sierra utility to extract and redact your firmware image.
• macOS defaults to latest firmware and patches, thereby including eficheck Reinstalling macOS changed with 10.12.4
• CoreBoot for the ifdtool utility code and tools
• unhuffme tool for decoding the Intel ME regions of the flash. unhuffme

• macOS 10.12 and earlier: Boot into recovery, look for any output from ioreg | grep MojoKDP
• macOS 10.13 and later (from external / AirGap): sudo /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check
  • Alternate, Use reFINd and BootRomFlash to extract the fimrware and check with eficheck or efivalidate on another machine
  • SUSPECT: Presence of /dev/tty.MALS and /dev/tty.SOC as the serial connection to MojoKDP (previous versions of macOS showed this as two LPSS Serial Adapter connections). SOC is likely a connection to the SMC.

• REcon 2014: Apple SMC, the place to be (for an implant)
• Duo security recently published a paper on rampant EFI on MacBooks not updating. I believe these machines may well have this malware or a close variant and are simply observing the persistence mechanism at work. The Apple of Your EFI
• Apple includes EFI verification (eficheck) to High Sierra final build [macOS High Sierra Weekly EFI Security Check] (https://www.macrumors.com/2017/09/25/macos-high-sierra-weekly-efi-security-check/)

• I brought a sample of the malware to both the Union Square Apple store, and they declined to assist citing customer data.
• I was unable to reach Apple's product security division (due to the malware likely), and did take the computer directly to their campus. The irony of eficheck now offering to allow you to submit samples is not lost on me. (The original submission number is 671195078)
  • REVISION: I've received acknowledgement after publication of this repo stating that the issue is under investigation