
Can someone please explain this malware? Keeps reappearing after clicking delete.


Solved by IK4

Can someone please explain what this is or how to remove it? I click delete but it would reappear after a day or two.

[Screenshot attached: Screenshot2024-01-17at13_55_52.png]

Thanks!


  • Administrators

There was an issue rendering the html code as part of the alert but that's not what you've inquired about.

My understanding is that the trojan was detected by Web access protection in a cache upon syncing with iCloud. Honestly I'm not well versed in Apple products so I'd leave this to someone more experienced.


  • 2 weeks later...

Can you tell me if you have a solution for this issue? It's been months that I am getting the same threat and keep deleting it, and it's very annoying to be honest.


  • Administrators
1 minute ago, alialki said:

Can you tell me if you have a solution for this issue? It's been months that I am getting the same threat and keep deleting it, and it's very annoying to be honest.

Please provide logs as well as a screenshot of the alert that you've been getting.


On 2/5/2024 at 10:34 AM, alialki said:

Can you tell me if you have a solution for this issue? It's been months that I am getting the same threat and keep deleting it, and it's very annoying to be honest.

Unfortunately not. I've tried deleting the whole folder itself where ESET claims the threat is... to no avail. It's very frustrating...


On 2/5/2024 at 10:36 AM, Marcos said:

Please provide logs as well as a screenshot of the alert that you've been getting.

07/02/2024, 11:35:16    Real-time file system protection    file    /Users/***/Library/Caches/CloudKit/com.apple.bird/d64f70849811a732120a73ed6701a7949e100499/Assets/187CA54F-379B-4E74-BFE3-BDD0BA59B5F8.016a42dfaac84eb497374d5ace6cc8aa4bb86aff47    HTML/ScrInject.B trojan    unable to clean    ***    Event occurred during an attempt to access the file by the application: /System/Library/PrivateFrameworks/CloudKitDaemon.framework/Support/cloudd (BB585E5C851F8C7A09877FDAEC00E3AC1F9758FF).         7. 2.2024 11:30:15

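The detection line above is the kind of record a responder has to read quickly: what was detected, where it sits, which process touched it, and whether deleting the local copy is likely to last. The following Python is an added example written for this thread, not ESET's code. It assumes a tab-separated export whose columns are Time, Scanner, Object type, Object, Detection, Action, User, Information, Hash and First seen here (an assumption inferred from the fields visible in the posted line), and the sample line is reconstructed from that post with the username kept masked and tabs restored between fields. The "synced cache" check simply flags paths under `Library/Caches/CloudKit`, the directory the thread identifies as being re-populated by iCloud syncing.

```python
"""Parse one ESET (macOS) detection-log line and triage the detected object.

Added example for this thread; not ESET's code. The column layout in COLUMNS
is an assumption inferred from the fields visible in the posted log line, and
SAMPLE_LINE is reconstructed from that post with tabs restored as separators.
"""
import re

# Assumed column names for the tab-separated detection-log export.
COLUMNS = ["time", "scanner", "object_type", "object", "detection",
           "action", "user", "information", "hash", "first_seen"]

# Reconstructed from the log line posted in the thread (username masked as in
# the post). The empty Hash column is why there are two tabs before the
# "First seen here" timestamp.
SAMPLE_LINE = "\t".join([
    "07/02/2024, 11:35:16",
    "Real-time file system protection",
    "file",
    "/Users/***/Library/Caches/CloudKit/com.apple.bird/"
    "d64f70849811a732120a73ed6701a7949e100499/Assets/"
    "187CA54F-379B-4E74-BFE3-BDD0BA59B5F8.016a42dfaac84eb497374d5ace6cc8aa4bb86aff47",
    "HTML/ScrInject.B trojan",
    "unable to clean",
    "***",
    "Event occurred during an attempt to access the file by the application: "
    "/System/Library/PrivateFrameworks/CloudKitDaemon.framework/Support/cloudd "
    "(BB585E5C851F8C7A09877FDAEC00E3AC1F9758FF).",
    "",
    "7. 2.2024 11:30:15",
])

# "... by the application: <path> (<40-hex SHA-1>)." inside the Information field.
_ACCESSOR_RE = re.compile(
    r"application:\s*(?P<path>\S+)\s*\((?P<sha1>[0-9A-Fa-f]{40})\)")

# Directories that iCloud/CloudKit re-populates on sync. A file deleted here
# can be downloaded again on the next sync, which is why the alert recurs.
SYNCED_CACHE_DIRS = ("Library/Caches/CloudKit",)


def parse_detection(line: str) -> dict:
    """Split one export line into named fields; missing trailing fields become ''."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < len(COLUMNS):
        fields += [""] * (len(COLUMNS) - len(fields))
    record = dict(zip(COLUMNS, fields))
    # Pull the accessing process and its hash out of the free-text Information column.
    m = _ACCESSOR_RE.search(record["information"])
    record["accessing_process"] = m.group("path") if m else ""
    record["accessing_process_sha1"] = m.group("sha1").upper() if m else ""
    return record


def in_synced_cache(path: str) -> bool:
    """True if the detected object sits under a directory that iCloud re-syncs."""
    return any(f"/{d}/" in path for d in SYNCED_CACHE_DIRS)


def triage(line: str) -> dict:
    """Summarise what a responder needs from the record and whether a local
    delete is likely to stick."""
    rec = parse_detection(line)
    rec["in_synced_cache"] = in_synced_cache(rec["object"])
    rec["accessed_by_system_daemon"] = rec["accessing_process"].startswith("/System/")
    if rec["in_synced_cache"]:
        rec["note"] = ("object lives in an iCloud-synced cache: deleting the local "
                       "copy is not durable, it can return on the next sync")
    elif rec["action"] == "unable to clean":
        rec["note"] = "local file could not be cleaned by the scanner"
    else:
        rec["note"] = "no further action indicated by this record"
    return rec


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINE).items():
        print(f"{key:26} {value}")
```

Feeding the thread's line through `triage()` reports the detection name and "unable to clean" action, the accessing process `cloudd` with the hash the log attached to it, and flags the object as living in the CloudKit cache, which matches what the thread observed: the local deletion does not hold because the cache is re-populated on sync.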

  • Administrators

Are you able to delete the detected file at the said path? If so and only real-time protection has problems removing it, please raise a support ticket.


4 hours ago, IK4 said:

/System/Library/PrivateFrameworks/CloudKitDaemon.framework/Support/cloudd

It appears this is the source of the malicious script injection ESET is detecting. Since it's a system process, ESET can't access it to perform remediation:

What is Cloudd on Mac?

Cloudd on Mac, like most processes ending with a d, is a daemon that runs in the background and handles system tasks. It is closely related to CloudKit, as the man page tells us. If you want to check the man page yourself, execute the following command in Terminal: man cloudd

CloudKit is Apple's framework that allows macOS and third-party apps to store data on iCloud for syncing to other devices. It can also be used to sync your Mac's desktop and documents to other devices. The Cloudd process works whenever an application syncs data to or from iCloud on your Mac. You can locate Cloudd by opening Finder, clicking Go > Go to Folder from the top, and entering /system/library/privateframeworks/cloudkitdaemon.framework/support/cloudd.

https://iboysoft.com/wiki/cloudd.html

Edited by itman

  • 2 weeks later...
  • Solution
On 2/5/2024 at 10:34 AM, alialki said:

Can you tell me if you have a solution for this issue? It's been months that I am getting the same threat and keep deleting it, and it's very annoying to be honest.

I'll be honest, the only way I have found to delete it is to do a full factory reset of the Mac. Then install ESET straight after the install, which still picks up the threat even after a full reset. ESET was then successfully able to remove the threat. Wonder how it still managed to stay? The message hasn't appeared for a couple of days now - hopefully it's gone.
