Friday, March 25, 2022

GIMMICK: Discovered in Late 2021 Custom Chinese Malware In A Cyber Espionage Campaign

Intro: Well in hindsight, at least we know now months after the fact. . .the malware initializes by performing several data decoding steps and eventually establishes a session to Google Drive, using hard-coded OAuth2 credentials.

macOS

Custom macOS malware of Chinese hackers ‘Storm Cloud’ exposed

March 22, 2022, 04:49 PM

"Researchers have discovered a previously unknown macOS malware variant called GIMMICK, which is believed to be a custom tool used by a Chinese espionage threat actor known as 'Storm Cloud.'

> The malware was discovered by researchers at Volexity, who retrieved it from the RAM of a MacBook Pro running macOS 11.6 (Big Sur), which was compromised in a late 2021 cyberespionage campaign.

The exposure of custom malware used by sophisticated threat actors isn't common. Those groups operate very carefully, leaving a minimal trace and wiping remnants of the malware to keep their tools secret and evade IoC-based detection.

However, sometimes even the most advanced cybercriminals slip up and leave behind malware that can then be dissected by security researchers, as is the case with GIMMICK.

Dissecting the GIMMICK malware

GIMMICK is a multi-platform malware written in Objective-C (macOS), or .NET and Delphi (Windows).

All variants use the same C2 architecture, file paths, behavioral patterns, and heavily abuse Google Drive services, so it's tracked as one tool despite the code differences.

GIMMICK is launched either directly by the user or as a daemon on the system and installs itself as a binary file named 'PLIST,' usually mimicking a heavily used application on the target machine.

Next, the malware initializes by performing several data decoding steps and eventually establishes a session to Google Drive, using hard-coded OAuth2 credentials.

JSON Object containing the Google Drive credentials
(Volexity)

After initialization, GIMMICK loads three malware components, namely DriveManager, FileManager, and GCDTimerManager, with the first being responsible for the below actions:

  • Manage the Google Drive and proxy sessions.
  • Maintain a local map of the Google Drive directory hierarchy in memory.
  • Manage locks for synchronizing tasks on the Google Drive session.
  • Handle download and upload tasks to and from the Google Drive session.

Each infected system’s hardware UUID is used as an identifier for the Google Drive directory that corresponds to it.

FileManager manages the local directory where C2 information and command tasks are stored, and the GCDTimerManager undertakes the management of the various GCD objects.

GIMMICK's complex workflow

The commands supported by GIMMICK, which arrive on the system in AES-encrypted form, are the following:

  • Transmit base system information
  • Upload file to C2
  • Download file to client
  • Execute a shell command and write output to C2
  • Set client Google Drive timer interval
  • Set client timer interval for client info heartbeat message
  • Overwrite client work period information

“Due to the asynchronous nature of the malware operation, command execution requires a staged approach. Though the individual steps occur asynchronously, every command follows the same,” explains Volexity in its technical report.

It is this asynchronous design that makes GIMMICK so robust and at the same time complex, so porting it to a new platform, macOS in this case, is a feat that underscores Storm Cloud’s skills and resources.

Volexity notes that the possibility of Storm Cloud buying the malware from a third-party developer and using it exclusively shouldn't be ruled out.

Protect against GIMMICK

Apple has also rolled out new protections to all supported macOS versions, with new signatures for XProtect and MRT that, since March 17, 2022, should be able to block and remove the malware. To ensure you have received these signatures, follow Apple's support page instructions.

READ MORE DETAILS Go Here >> https://www.bleepingcomputer.com/news/security/custom-macos-malware-of-chinese-hackers-storm-cloud-exposed/


Thursday, March 24, 2022

ORWELLIAN REAL ID COMPLIANT REPLACEMENT: All Your Information in One Swipe at Security Checkpoints

Intro: You can consent to provide it with Face ID or Touch ID, without having to unlock your iPhone or show your ID card.
Take photos of the front and back of your license or ID, and you will “be prompted to complete a series of facial and head movements during the setup process,

Arizona is the first state to put its driver’s license and state ID in Apple’s Wallet

More states will follow soon

"The first state to officially roll out Apple’s digital driver’s license and state ID is Arizona, the iPhone maker announced Wednesday. “Starting today, Arizonans can add their driver’s license or state ID to Wallet, and tap their iPhone or Apple Watch to seamlessly and securely present it at select TSA security checkpoints in Phoenix Sky Harbor International Airport,” Apple announced in a press release.

If you live in Arizona and want to add your license or ID to Wallet, you can do so right from the Wallet app. Take photos of the front and back of your license or ID, and you will “be prompted to complete a series of facial and head movements during the setup process,” according to Apple. Apple is not the one approving requests to add licenses or IDs to Wallet — instead, the company says Arizona will be responsible for that.

If you want to show your digital license or ID to TSA at the airport, here’s what the process looks like, according to Apple:

On their iPhone or Apple Watch, users will be shown which information is requested by the TSA, and can consent to provide it with Face ID or Touch ID, without having to unlock their iPhone or show their ID card. All information is shared digitally, so users do not need to show or hand over their device to present their ID.

According to Apple, during this process, “the TSA will also capture a picture of the traveler for verification purposes.” We’ve asked the TSA for details on where those photos might be stored, how they can ensure they stay private, and if the photos will be deleted after a certain period of time; when we asked Apple, it said it passed our questions to the TSA.

> Initially, only travelers using TSA PreCheck at the Phoenix airport will be able to use the feature, according to a TSA press release. And passengers “must continue” to still carry their physical driver’s license or ID and have it available if needed.

Real ID-compliant identification cards will be supported by Wallet, Apple spokesperson Heather Norton tells The Verge.

You’ll need one of those to fly domestically beginning in May 2023 (though that deadline has already been pushed a couple of times). . .The digital licenses / IDs are right now only available “for use in select states at select TSA checkpoints within Phoenix Sky Harbor International Airport (PHX),” according to Apple’s fine print. Digital hotel keys are available at certain Hyatt hotels. You can add a COVID-19 vaccine card to Wallet only if your healthcare provider or health authority supports the feature. . . 

Apple says additional states will offer the driver’s license and ID feature “soon,” including Colorado, Connecticut, Georgia, Hawaii, Iowa, Kentucky, Maryland, Mississippi, Ohio, Oklahoma, the territory of Puerto Rico, and Utah."

Wednesday, March 23, 2022


Report: Lessons from History + Wars Built on Lies and Deception

Intro: The author of a new book declares that his purpose is “to explain what went wrong and how three consecutive presidents and their administrations failed to tell the truth.”
It recounts how seemingly every positive thing that US officials said in public concerning the course of that ill-starred conflict—about the supposed strides being made by the Afghan army and the maturation of the national government, about battlefield progress against the Taliban insurgency and headway in eradicating opium poppy production—was misleading happy talk that masked ceaseless policy errors and failures . . .
The #1 New York Times bestselling investigative story of how three successive presidents and their military commanders deceived the public year after year. In reality, as this book highlights, the problem started 20 years ago when American leaders put a smiling face on failure and called it success.

Mission Creep

What are the lessons of the United States’ 20-year war in Afghanistan?

"Now that we know how the United States’ generation-long misadventure in Afghanistan ended, one Army officer’s experience in 2005, recounted in Craig Whitlock’s excellent and depressing The Afghanistan Papers: A Secret History of the War, takes on an elevated salience.

Books in Review

The Afghanistan Papers: A Secret History of the War

By Craig Whitlock

About four years into the conflict, Maj. Charles Abeyawardena, a strategic planner based at the Army’s Center for Lessons Learned at Fort Leavenworth, Kan., flew to the war zone to study the ill-fated effort to create a modern Afghan army. The task was already proving to be difficult, but the US government remained hopeful—as it would, officially at least, for another 15 years—that the nascent Afghan security forces would eventually become capable of keeping the country stable on their own, enabling the United States to withdraw with honor.

Taliban fighters atop a Humvee vehicle celebrate the departure of US troops this week.

Abeyawardena’s mandate was to interview the Americans and senior Afghan officials involved in the work of recruiting, training, and deploying the Afghan army. But he took it upon himself to talk as well to some rank-and-file Afghan soldiers. When Abeyawardena asked them why they’d enlisted, the answers they gave were not unlike the reasons American troops typically cited: They were seeking a solid paycheck, or they wanted to serve their country, or they were taking advantage of a chance to do something new and different. Yet when Abeyawardena probed further, Whitlock writes, the responses foreshadowed serious trouble:

When he followed up by asking whether they would stay in the Afghan army after the United States left, the answers startled him. “The majority, almost everyone I talked to, said, ‘No,’” Abeyawardena said in an Army oral-history interview. “They were going to go back and grow opium or marijuana or something like that, because that’s where the money is. That threw me for a complete loop.”

A decade and a half of grinding counterinsurgency warfare and expensive nation-building efforts later, President Donald Trump made a deal with the Taliban under which the United States would withdraw its forces in 2021. In return, the Taliban promised not to let Afghanistan once again become a safe haven for Al Qaeda or other terrorist groups. They also promised that, in the interim, they would stop attacking American troops and engage in peace talks with the Afghan government. Then, after Trump’s successor, Joe Biden, made it clear that he would follow through on most of the major aspects of the deal, setting the date for planned withdrawal only four months later than initially agreed on, the Afghan national army swiftly abandoned the battlefield, permitting the Taliban to take the capital, Kabul, essentially without firing a further shot.

Amid the ensuing chaotic effort to evacuate Westerners who had ignored earlier warnings to get out and Afghans who had helped the American-led NATO effort, officials at the Pentagon and the White House offered a rather sheepish excuse for the evident lack of planning and preparation for this endgame: The intelligence assessment had been that the Afghan government would likely endure for a much longer period after the withdrawal, leaving more time to get people out of harm’s way. If so, the lesson arising from Maj. Abeyawardena’s research had not been learned: The Afghan army risked becoming a Potemkin organization whose function was as much about absorbing American cash as providing an enduring security foundation for that country’s future.

The same can be said about the hollow government the army was supposed to be propping up. Even the puppet regime that the Soviet Union left behind in 1989, after Moscow ended its own occupation of Afghanistan, had managed to limp along for another three years before collapsing. Yet with twice the time spent trying to create stability in Afghanistan—and at the cost of more than $2 trillion, more than 7,000 dead American and allied troops and contractors, and more than 69,000 dead Afghan troops and police, along with more than 46,000 Afghan civilian casualties—the United States found that the Afghan state and armed forces it had created were not even capable of enduring long enough for the last American troops to finish getting out. . ."

GO HERE for more details >> https://www.thenation.com/article/world/craig-whitlock-afghanistan-papers/
