I've also captured traffic that is malformed coming into my brand new Mac Apple Silicon. Port 7000 was open and bound to ControlCenter. The traffic I've captured (PCAP) respembles the airplay protocol RTSP. using a blist00 tag followed by a payload.
Interestingly, the attack traffic (dport 7000) has TCP options set. They are 12 bytes. 0101 and then 10 more bytes for an array of two timestamps. I'm pretty sure this is part of the attack payload.
Post
Replies
Boosts
Views
Activity
Yes, I just stumbled on it when looking at unfamiliar ASPCarry on my M1, 22D49
foo@bar-MacBook-Pro ~ % sudo launchctl list
1239 0 com.apple.nand.aspcarry
sudo launchctl procinfo 1239
program path = /usr/libexec/ASPCarryLog
system/com.apple.nand.aspcarry = {
active count = 2
path = /System/Library/LaunchDaemons/com.apple.nand.aspcarry.plist
From Logs
log show --predicate ' eventMessage CONTAINS "nand"'
Acquiring assertion targeting [osservice<com.apple.nand.aspcarry>:1049] from originator [osservice<com.apple.powerd>:320] with description <RBSAssertionDescriptor| "App is holding power assertion" ID:385-320-883 target:1049 attributes:[
<RBSDomainAttribute| domain:"com.apple.appnap" name:"PowerAssertion" sourceEnvironment:"(null)">,
<RBSAcquisitionCompletionAttribute| policy:AfterApplication>
]>
This is about as far as I've gotten when I saw this post.