Stupid question, but if I wanted to recreate Runa's analysis to learn these tools, where do I go to get it?
I clicked over to Wikileaks + Kaspersky's post, interested in possibly writing a small shell script to automate running some of these commands on a given file as a weekend project, but it'd be hard to test such a tool w/o the original binary.
(Maybe it's just been a long day and I'm missing a plainly labeled link, and if so, I apologize for not RTFMing hard enough :) )
> But which version of OS X does the implant need? We know that it’s a 32-bit executable, and the latest macOS is 64-bit only. We can narrow this down further by looking at symbols using nm.
Not sure if it was useful in this case, but usually you can find this information in the Mach-O header.
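As an added example (not from the article or the comment above), a small Python parser for the Mach-O header and load commands that reports word size, CPU type and the minimum macOS / SDK versions recorded in LC_VERSION_MIN_MACOSX or LC_BUILD_VERSION; the sample bytes are constructed, and a binary with neither command yields None, which is where the nm symbol approach from the article comes in.

```python
import struct
import sys

# Mach-O constants (from <mach-o/loader.h>)
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
CPU_TYPE_X86, CPU_TYPE_X86_64 = 7, 0x01000007
LC_VERSION_MIN_MACOSX = 0x24   # older toolchains: version + sdk
LC_BUILD_VERSION = 0x32        # newer toolchains: platform + minos + sdk + tools
PLATFORM_MACOS = 1

def _fmt_version(v):
    # Versions are packed as xxxx.yy.zz (major 16 bits, minor 8, patch 8)
    return f"{v >> 16}.{(v >> 8) & 0xFF}.{v & 0xFF}"

def parse_macho(data):
    """Word size, CPU type and min macOS / SDK version of a thin little-endian
    Mach-O. Fat (universal) binaries are not handled here."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a thin little-endian Mach-O: magic %#x" % magic)
    is64 = magic == MH_MAGIC_64
    hdr_fmt = "<IiiIIII" + ("I" if is64 else "")   # 64-bit header has a reserved word
    fields = struct.unpack_from(hdr_fmt, data, 0)
    cputype, ncmds = fields[1], fields[4]
    info = {"bits": 64 if is64 else 32,
            "cpu": {CPU_TYPE_X86: "x86", CPU_TYPE_X86_64: "x86_64"}.get(cputype, hex(cputype)),
            "min_macos": None, "sdk": None}   # None: no version load command present
    off = struct.calcsize(hdr_fmt)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_VERSION_MIN_MACOSX:
            version, sdk = struct.unpack_from("<II", data, off + 8)
            info["min_macos"], info["sdk"] = _fmt_version(version), _fmt_version(sdk)
        elif cmd == LC_BUILD_VERSION:
            platform, minos, sdk = struct.unpack_from("<III", data, off + 8)
            if platform == PLATFORM_MACOS:
                info["min_macos"], info["sdk"] = _fmt_version(minos), _fmt_version(sdk)
        off += cmdsize
    return info

def build_sample(is64):
    """Constructed test input (not a real binary): an MH_EXECUTE header plus one
    version load command. 32-bit x86: LC_VERSION_MIN_MACOSX 10.6.0 / SDK 10.7.0;
    64-bit x86_64: LC_BUILD_VERSION macOS 10.15.0 / SDK 11.0.0."""
    if is64:
        lc = struct.pack("<IIIIII", LC_BUILD_VERSION, 24, PLATFORM_MACOS, 0x000A0F00, 0x000B0000, 0)
        return struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_X86_64, 3, 2, 1, len(lc), 0, 0) + lc
    lc = struct.pack("<IIII", LC_VERSION_MIN_MACOSX, 16, 0x000A0600, 0x000A0700)
    return struct.pack("<IiiIIII", MH_MAGIC, CPU_TYPE_X86, 3, 2, 1, len(lc), 0) + lc

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(False)
    print(parse_macho(data))
```

Run it with a file path to inspect a real thin Mach-O, or with no arguments to see the constructed 32-bit sample.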
NoScript on Firefox solves that problem. Yes it breaks a lot of pages, but then you get to fiddle about allowing and banning different scripts to see what's doing what. Probably not for everyone but I like the educational value.
[Edit] So that pop-up is coming from mailchimp_com, which is called by list-manage_com, which in turn is called by s3amazonaws_com. So blocking that last one is all you need.
In fact this is quite a great web site, as it displays all its content even if you completely disable all scripts.
It's funny I won't accept those "cookies" so I've gotten used to part of SO's screen real estate being taken. Or on an Ubuntu page I do F12/kill the popup... can put that in some kind of extension but ehh...
Where is it asserted/confirmed that Longhorn == CIA? I don't see it mentioned in the article nor the linked articles (not that I searched exhaustively).
The first line from the article:
In March 2017, WikiLeaks began publishing thousands of files detailing the CIA’s spying operations and hacking tools. The leak, known as Vault 7, was the largest disclosure of classified information in the agency’s history. In April, Symantec publicly linked Vault 7 to an advanced threat actor named Longhorn. Kaspersky then announced it tracks the same actor as The Lamberts, and revealed the existence of an OS X implant called Green Lambert.
dontbenebby | 4 years ago
saagarjha | 4 years ago
sneeeeeed | 4 years ago
[deleted]
junon | 4 years ago
photochemsyn | 4 years ago
simion314 | 4 years ago
devwastaken | 4 years ago
amatecha | 4 years ago
jcun4128 | 4 years ago
throaway46546 | 4 years ago
unstatusthequo | 4 years ago
unknown | 4 years ago
[deleted]
dalrympm | 4 years ago
pu;dr ?
amatecha | 4 years ago
BrianGragg | 4 years ago