Der Starke 1.4 Companion User Guide
Der Starke is a diskless, EFI-persistent version of Triton. Once active on a target system, the implant executed within diskarbitrationd and typically performs network communications through a browser process so that PSPs like Little Snitch cannot easily detect it’s presence. This Companion User Guide is meant to supplement the Triton User Guide.
Mac OS X 10.7+
• Run tar -zxf DerStarkeBuilder.tar.gz
• Run derstarke_builder.pyz -c config.plist
• After building, a directory called DerStarkeDeployment_XXXX will be created; The following notable files will be present:
TRITON-XXXX/…………………..Triton-related build files
originalConfig.plist……………The build config
mkusb.sh………………………Script to create a USB drive with the disk image from this build
InstallImageFortargetID.iso……..Disk image containing implant installer
1. Insert a USB device to be formatted
4. Confirm that the USB device contains the following files:
4. Hold the power button for 10 seconds
5. Immediately hold down the option key after the system turns on
7. For MacBook Air 6,x and MacBook Pros 11,x, a special unlock driver will need to be loaded
Installer will automatically detect and load the driver, and the following text should appear:
2. Afer the machine reboot, the flash will be unlocked
9. If the screen says FAILURE start over, and be sure that the power button is held for
10. Once the installation is complete, the system will turn off, and a receipt may have been recorded to the USB device
11. If installing from a CD instead of a USB device, one more boot, while holding option may be necessary to remove the CD
Target ID: A number used to identify and manage the implant’s files and keys
Listening Post: The URL of the CGI script to which the implant will beacon
Minimum Beacon Interval: The minimum number of seconds between beacon attempts. Random jitter may increase any given beacon interval by up to 33% of the specified value.
Check URLs: A list of HTTP URLS that will be used to verify Internet connectivity before communication with an LP is attempted. A random URL is selected from this list during each beacon. It must return HTTP 200 in order for a beacon to occur.
Network Injection Target: Processes into which the implant may inject it’s networking bundle. The process list is scanned in the order specified. The first process found is used until it exits.
Full Authentication: Indicates whether or not the implant should use a fully authenticated SSL connection to the LP
(optional): A domain name that will be queried when the implant uninstalls.
(optional): The number of seconds the tool waits for a successful beacon before deciding to uninstall. The start of the wait time is either the first time Triton is injected into OSX, or the last successful beacon.
Period and Hibernation Date cannot both be set.
Hibernation Date: The UTC date after which Triton will be injected into diskarbitrationd during boot. Note that Hibernation Period and Hibernation Date cannot both be set.
Uninstall Date: The UTC date after which a system reboot will cause the implant to uninstall or deactivate
Triton portion of the implant can fail load before the EFI portion uninstalls. Booting into an unsupported operating system and kernel panics increment the warning count
Patch Firmware: A flag indicating whether or not the firmware should be unlocked to allow the implant to be securely deleted during an uninstalled. If set false, the implant will only deactive during an uninstall. If set true, this can add 10-45 secs to installation time depending on laptop.
Make Receipt File: A flag indicating whether or not an installation receipt should be generated.
Patch PEI for update persistence: A flag indicating whether or not to reinject the implant during an OSX firmware update. This option will write two extra implants to firmware and can add 15-30 secs of installation time.
INSTALLER STATUS CODES AND MESSAGES
The installer may output the following status codes:
• 0x80000002 — Firmware Append Error
• 0x80000005 — Firmware Out of Space Error
• 0x40020000 — Receipt Warning: The receipt could not be written to the installation media
• 0x40040000 — PEI Find Warning: Unable to find PEI Core. Update persistence will not be enabled.
During Install the following message indicates the installer detected a machine that can be unlocked by holding the power butter for 10 secs:
• ERROR: TRIGGER NOT NEEDED
• After an uninstall, the flash memory will be unlocked until an Apple firmware update is applied
• Secure deletion of implant is performed on the first system reboot after an uninstall is triggered. It increases boot time by 30-60 seconds. Since BIOS/EFI will need to flush NVRAM every 40-60 boots, it is reasonable to ocassionally see boots that take a longer amount of time.
is held down or power is lost during a secure delete of the implant, MacBooks mid 2012 and newer have run length fields that prevent the laptop from bricking. Parts of the implant may still forensically exist in firmware, but only as partial encrypted blobs. On laptops older than mid 2012, there is a possiblity of a corrupt firmware, but it has also been observed that secure deletes take less time on older hardware.
cause Der Starke to beacon several hours later than expected.