On 11 March, 2011, a massive magnitude 9.1 earthquake shook the west coast of Japan, with the epicenter located at a shallow depth of 32 km, a mere 72 km off the coast of Oshika Peninsula, of the Touhoku region. Following this earthquake, an equally massive tsunami made its way towards Japan’s eastern shores, flooding many kilometers inland. Over 20,000 people were killed by the tsunami and earthquake, thousands of whom were dragged into the ocean when the tsunami retreated. This Touhoku earthquake was the most devastating in Japan’s history, both in human and economic cost, but also in the effect it had on one of Japan’s nuclear power plants: the six-unit Fukushima Daiichi plant.

In the subsequent Investigation Commission report by the Japanese Diet, a lack of safety culture at the plant’s owner (TEPCO) was noted, along with significant corruption and poor emergency preparation, all of which resulted in the preventable meltdown of three of the plant’s reactors and a botched evacuation. Although afterwards TEPCO was nationalized, and a new nuclear regulatory body established, this still left Japan with the daunting task of cleaning up the damaged Fukushima Daiichi nuclear plant.

Removal of the damaged fuel rods is the biggest priority, as this will take care of the main radiation hazard. This year TEPCO has begun work on removing the damaged fuel inside the cores, the outcome of which will set the pace for the rest of the clean-up.

Safety Cheese Holes

Overview of a GE reactor as at Fukushima Daiichi. (Credit: WNA)
The Fukushima Daiichi nuclear power plant was built between 1967 and 1979, with the first unit coming online in 1970 and the third unit by 1975. It features three generations of General Electric-designed boiling water reactors of a 1960s (Generation II) design. It features what is known as a Mark I containment structure. At the time of the earthquake only units 1, 2 and 3 were active, with the quake triggering safeties which shut down these reactors as designed. The quake itself did not cause significant damage to the reactors, but three TEPCO employees at the Fukushima Daiichi and Daini plants died as a result of the earthquake.

A mere 41 minutes later the first tsunami hit, followed by a second tsunami 8 minutes later, leading to the events of the Fukushima Daiichi accident. The too low seawall did not contain the tsunami, allowing water to submerge the land behind it. This damaged the seawater pumps for the main and auxiliary condenser circuits, while also flooding the turbine hall basements containing the emergency diesel generators and electrical switching gear. The backup batteries for units 1 and 2 also got taken out in the flooding, disabling instrumentation, control and lighting.

One hour after the emergency shutdown of units 1 through 3, they were still producing about 1.5% of their nominal thermal power. With no way to shed the heat externally, the hot steam, and eventually hydrogen from hot steam interacting with the zirconium-alloy fuel rod cladding, was diverted into the dry primary containment and then the wetwell, with the Emergency Core Cooling System (ECCS) injecting replacement water. This kept the cores mostly intact over the course of three days, with seawater eventually injected externally, though the fuel rods would eventually melt due to dropping core water levels, before solidifying inside the reactor pressure vessel (RPV) as well as on the concrete below it.

It was attempted to vent the steam pressure in unit 1, but this resulted in the hydrogen-rich air to flow into the service floor, where it found an ignition source and blew off the roof. To prevent this with unit 2, a blow-out panel was opened, but unit 3 suffered a similar hydrogen explosion on the service floor, with part of the hydrogen also making it into the defueled unit 4 via ducts and similarly blowing off its roof.

The hydrogen issue was later resolved by injecting nitrogen into the RPVs of units 1 through 3, along with external cooling and power being supplied to the reactors. This stabilized the three crippled reactors to the point where clean-up could be considered after the decay of the short-lived isotopes present in the released air. These isotopes consisted of mostly iodine-131, with a half-life of 8 days, but also cesium-137, with a half-life of 30 years, and a number of other isotopes.

Nuclear Pick-up Sticks

Before the hydrogen explosions ripped out the service floors and the building roofs, the clean-up would probably have been significantly easier. Now it seemed that the first tasks would consist out of service floor clean-up of tangled metal and creating temporary roofs to keep the elements out and any radioactive particles inside. These roof covers are fitted with cameras as well as radiation and hydrogen sensors. They also provide the means for a crane to remove fuel rods from the spent fuel pools at the top of the reactors, as most of the original cranes were destroyed in the hydrogen explosions.
Phot of the damaged unit 1 of Fukushima Daiichi and a schematic overview of the status. (Credit: TEPCO)
This meant that the next task is to remove all spent fuel from these spent fuel pools, with the status being tracked on the TEPCO status page. As units 5 and 6 were undamaged, they are not part of these clean-up efforts and will be retained after clean-up and decommissioning of units 1-4 for training purposes.

Meanwhile, spent fuel rods were removed already from units 3 and 4. For unit 1, a cover still has to be constructed as has has been done for unit 3, while for the more intact unit 2 a fuel handling facility is being constructed on the side of the building. Currently a lot of the hang-up with unit 1 is the removal of debris on the service floor, without risking disturbing the debris too much, like a gigantic game of pick-up sticks. Within a few years, these last spent fuel rods can then be safely transported off-site for storage, reprocessing and the manufacturing of fresh reactor fuel. That’s projected to be 2026 for Unit 2 and 2028 for Unit 1.

This spent fuel removal stage will be followed by removing the remnants of the fuel rods from inside the RPVs, which is the trickiest part as the normal way to defuel these three boiling-water reactors was rendered impossible due to the hydrogen explosions and the melting of fuel rods into puddles of corium mostly outside of the RPVs. The mostly intact unit number 2 is the first target of this stage of the clean-up.
Estimated corium distribution in Fukushima Daiichi unit 1 through 3. (Credit: TEPCO)
To develop an appropriate approach, TEPCO relies heavily on exploration using robotic systems. These can explore the insides of the units, even in areas which are deemed unsafe for humans and can be made to fit into narrow tubes and vents to explore even the insides of the RPVs. This is how we have some idea of where the corium ended up, allowing for a plan to be formed for the extracting of this corium for disposal.

Detailed updates on the progress of the clean-up can be found as monthly reports, which also provide updates on any changes noted inside the damaged units. Currently the cores are completely stable, but there is the ongoing issue of ground- and rainwater making it into the buildings, which causes radioactive particles to be carried along into the soil. This is why groundwater at the site has been for years now been pumped up and treated with the ALPS radioactive isotope removal system. This leaves just water with some tritium, which after mixing with seawater is released into the ocean. The effective tritium release this way is lower than when the Fukushima Daiichi plant was operating.
TEPCO employees connect pipes that push the ‘Telesco’ robot into the containment of Unit 2 for core sample retrieval. (Credit: TEPCO)
In these reports we also get updates on the robotic exploration, but the most recent update here involves a telescoping robot nicknamed ‘Telesco’ (because it can extend by 22 meters) which is tasked with retrieving a corium sample of a few grams from the unit 2 reactor, in the area underneath the RPV where significant amounts of corium have collected. This can then be analyzed and any findings factored into the next steps, which would involve removing the tons of corium. This debris consists of the ceramic uranium fuel, the zirconium-alloy cladding, the RPV steel and the transuranics and minor actinides like plutonium, Cs-137 and Sr-90, making it radiologically quite ‘hot’.

Looking Ahead

Although the clean-up of Fukushima Daiichi may seem slow, with a projected completion date decades from now, the fact of the matter is that time is in our favor, as the issue of radiological contamination lessens with every passing day. Although the groundwater contamination is probably the issue that gets the most attention, courtesy of the highly visible storage tanks, this is now fully contained including with sea walls, and there is even an argument to be made that dilution of radioisotopes into the ocean would make it a non-issue.

Regardless of the current debate about radiological overreacting and safe background levels, most of the exclusion zone around the Fukushima Daiichi plant has already been reopened, with only some zones still marked as ‘problematic’, despite having background radiation levels that are no higher than the natural levels in other inhabited regions of the world. This is also the finding of the UNSCEAR in their 2020 status report (PDF), which finds levels of Cs-137 in marine foods having dropped already sharply by 2015, no radiation-related events in those evacuated or workers in the exclusion zone, and no observed effects on the local fauna and flora.

Along with the rather extreme top soil remediation measures that continue in the exclusion zone, it seems likely that within a few years this exclusion zone will be mostly lifted, and the stricken plant itself devoid of spent fuel rods, even as the gradual removal of the corium will have begun. First starting with small samples, then larger pieces, until all that will left inside units 1-3 will be some radioactive dust, clearing the way to demolish the buildings. But it’s a long road.

hackaday.com/2024/09/23/fukush…

noblogo.org/transit/camarillo-…

Transit

2024-09-23 13:00:57

Camarillo Brillo Sessions 9 (159)

Memorie controvoglia

(“L'unica via d'uscita è dentro”, Alice, Rizzoli Lizard, 2024.)

L’ ultimo libro scritto da un musicista che ho tentato di leggere è stato quello di Bono. Magari sarà un grande cantante, ma scrive come un quindicenne allupato: francamente è stato impossibile arrivare in fondo, come a dire che non è detto che se sei una rockstar tu sappia scrivere qualcosa di più lungo del testo di una canzone. Le biografie, o quello che sono (in realtà, spesso, i ricordi sono la parte minore), vanno maneggiate con cura, meglio se assistiti da qualcuno che scrive per mestiere. Almeno, forse, ci risparmiamo punti esclamativi a vanvera.

Il sottotitolo del libro di Carla Bissi è “Un’autobiografia controvoglia”, a rimarcare un tratto distintivo e continuo che si trova in queste pagine: il desiderio di non sottostare alle “logiche” del mercato discografico, la voglia di trovare una via personale per la serenità, lo studio della meditazione e della ricerca spirituale. Da appassionato della sua musica, da ammiratore di un percorso musicale profondo e fuori dagli schemi usuali, all’annuncio di questa pubblicazione sono diventato curioso, desideroso di scoprire qualcosa di più su un’artista così meritevole ed altrettanto riservata.

E’ chiaro che ci si bea anche dei pettegolezzi, a volte: a maggior ragione se una persona è così schiva, ma anche intelligente e di certo non mi sono illuso di trovarne. In effetti la scrittura è lineare, semplice, mai appesantita da uno sfoggio intellettuale che a volte gli artisti amano. Sempre un bene, anche se, a volte, non avrei disdegnato qualche vocabolo un attimo più ricercato (e basta con i punti esclamativi, e due.)

Non essendo una biografia in senso stretto, ma più una raccolta di momenti, perlopiù musicali, la narrazione non riserva grandissime sorprese, né tantomeno vi sono fatti (a parte nei primi capitoli, dedicati alla giovinezza) eclatanti. E’ bello trovare, comunque, molte cose legate alla ricerca musicale e spirituale della Bissi, sempre con la presenza, evocata moltissime volte, di Franco Battiato.

Francesco Messina, oltre a curare la grafica e l’apparato iconografico (poche, però, le foto non viste già), si ritaglia qualche spazio più tecnico, dove si parla dei musicisti e delle tecniche di registrazione, o del modo di approcciarsi al percorso musicale della sua compagna. Nota di “demerito” per entrambi: scrivere pochissimo dei grandiosi musicisti con cui hanno realizzato tournè ed album: peccato davvero. Quasi nessuno in Italia può vantare collaborazioni così importanti (e neanche una riga su Mick Karn, questo sì imperdonabile.)

Non scriverò di una delusione, perciò, ma nemmeno di un’opera che soddisfa appieno le mie aspettative: forse è qui il guaio, aspettarsi ciò che si desidera. Poteva volare ben più alto, questo volume. Avrebbe potuto essere davvero essenziale per far scoprire un’artista che ha avuto poche eguali nel panorama della musica italiana: poteva essere più approfondito, davvero.

Resta un’opera forse davvero controvoglia e quando si fanno le cose senza una convinzione perlomeno doverosa, probabilmente questo è il risultato. Mi consolo con le vaghissime promesse di un live e di un nuovo disco di Francesco Messina. Si spera fatti con voglia, a questo punto.

#Musica #Music #UnoMusica #Opinioni #Libri #Books

Mastodon: @alda7069@mastodon.unoX: @[url=https://mastodon.uno/users/alda7069]A&D :antifa:[/url] Telegram: t.me/transitblogFriendica: @danmatt@poliverso.org

Gli scritti sono tutelati da “Creative Commons” (qui)

Tutte le opinioni qui riportate sono da considerarsi personali. Per eventuali problemi riscontrati con i testi, si prega di scrivere a: corubomatt@gmail.com

Transit

Il blog di Alessandra Corubolo & Daniele Mattioli. On line -in varie forme- dal 2005.

^Telegram

slowforward.net/2024/09/23/elr…

slowforward

2024-09-23 12:00:52

mtmteatro.it/delle-ragioni-e-d…
_

slowforward.net/2024/09/23/elr…

#000000 #audio #cambioDiParadigma #DelleRagioniEDeiModi #ELR #ELREsisteLaRicerca #EsisteLaRicerca #ffffff #GiulioMarzaioli #MTM #MTMManifattureTeatraliMilanesi #poetiche

nuovo post sul blog ‘esiste la ricerca’: ragioni e modi della scrittura, giulio marzaioli

Delle ragioni e dei modi. Giulio Marzaioli (su ELR – Esiste la ricerca)

^slowforward

slowforward.net/2024/09/23/esc…

slowforward

2024-09-23 11:28:02

Mariangela Guatteri, Casino Conolly
edizioni del verri – Milano
Progetto grafico: Valerio Anceschi, Giovanni Anceschi
ISBN 9788898514854

Per ORDINARE il libro: info@ilverri.it

scheda editoriale:

Casino Conolly è un’architettura di architetture. Il titolo di ogni capitolo (“Villino Svizzero”, “Sezione Lombroso”, “Colonia Scuola Marro”, ecc., come del resto “Casino Conolly’” che dà il titolo al libro) si riferisce ad alcuni degli edifici presenti nell’ex area manicomiale di Reggio Emilia, una sorta di città nella città la cui origine risale alla seconda metà del XII secolo.

Non è però un libro che documenta la storia del complesso manicomiale.
Nella scrittura Mariangela Guatteri riesce a recuperare il rapporto tra libertà e coazione che quel luogo ha rappresentato. Ricorre alla tecnica del montaggio utilizzando prelievi testuali anche non direttamente riferiti al frenocomio – da Qohélet, Martin Buber, Foucault, Flaubert, Daumal, Ballard, Zukofsky, a dialoghi tratti da film, a indicazioni contro la repressione prese da manuali, ecc. Non indica le fonti, ma grazie alla costruzione segreta del linguaggio crea continui salti, sussulti, vuoti, fraintendimenti in una prosa in cui ogni elemento diventa essenziale.

Straordinarie le nove “Tavole sinottiche”, che accompagnano il testo, vere e proprie opere di poesia visiva.

Indice e ulteriori dettagli e informazioni:

slowforward.net/2024/09/23/esc…

#000000 #cambioDiParadigma #CasinoConolly #edizioniDelVerri #ilVerri #MariangelaGuatteri #scritturaDiRicerca #scrittureDiRicerca

Casino Conolly, il verri edizioni, 2024

Esce, nella collana rossa scrittura e invenzione, Casino Conolly, di Mariangela Guatteri. Mariangela Guatteri, Casino Conolly© 2024 edizioni del verri – MilanoProgetto grafico: Valerio Anceschi, Gi…

^{Mariangela Guatteri}

slowforward.net/2024/09/23/su-…

slowforward

2024-09-23 09:25:20

Sul blog Poème de Terre esce oggi il primo numero di

una nuova rubrica, “Una fastidiosa assenza”, che si proporrà come progetto di divulgazione tramite una serie di ricognizioni. L’idea è di mappare le pubblicazioni acquistabili di autori “nascosti”. Questo primo numero è dedicato a Corrado Costa, inaugurando di fatto anche la sezione “Progetto Costa” che trovate sul sito. Buona lettura!

Una fastidiosa assenza [#1], ovvero dove reperire le pubblicazioni di Corrado Costa

poemedeterre.wordpress.com/202…

slowforward.net/2024/09/23/su-…

#000000 #CorradoCosta #Costa #fuoricatalogo #PdT #PoèmeDeTerre #scritturaDiRicerca #scrittureDiRicerca

Una fastidiosa assenza [#1], ovvero dove reperire le pubblicazioni di Corrado Costa

Prima serie di una rubrica di divulgazione. In questo articolo, una ricognizione delle opere disponibili e acquistabili di Corrado Costa.

^{Poème de Terre}

As the Commodore 64 ages, it seems to be taking on a second life. Case in point: Vision BASIC is a customized, special version of the BASIC programming language with a ton of features to enable Commodore 64 programs to be written more easily and with all sorts of optimizations. We’ve tested out both the original 1.0 version of Vision BASIC, and now with version 1.1 being released there are a whole host of tweaks and updates to make the experience even better!

One of the only limitation of Vision BASIC is the requirement for expanded RAM. It will not run on an unexpanded C64 — but the compiled programs will, so you can easily distribute software made using Vision on any C64. A feature introduced in version 1.1 is support for GeoRAM, a different RAM expansion cartridge, and modern versions of GeoRAM like the NeoRAM which has battery-backed RAM. This allows almost instantaneous booting into the Vision BASIC development environment.

Some of the standout features include a doubling of compilation speed, which is huge for large programs that take up many REU segments in source form. There are new commands, including ALLMOBS for setting up all sprites with a single command; POLL to set up which joystick port is in use; CATCH to wait for a particular scanline; and plenty more! Many existing commands have been improved as well. As in the original version of Vision BASIC, you can freely mix 6510 assembly and BASIC wherever you want. You can use the built-in commands for bitmaps, including panning, collision detection, etc., or you can handle it in assembly if you want! And of course, it comes with a full manual — yes, a real, printed book!

One of the nice features of Vision BASIC is the customization of the development environment. On the first run, after agreeing to the software terms, you enter your name and it gets saved to the Vision BASIC disk. Then, every time you start the software up, it greets you by name! You can also set up a custom colour scheme, which also gets saved. It’s a very pleasant environment to work in. Depending on how much additional RAM you have, you can hold multiple program segments in different RAM banks. For example, you could have all your source code in one bank, all your bitmaps and sprites in another, and your SID tunes in yet another. The compiler handles all this for you when you go to compile the program to disk, so it’s easy to keep large programs organized and easy to follow.

If you’ve always wanted to write a game or application for the C64 but just didn’t know how to get started, or you felt daunted at having to learn assembly to do sprites and music, Vision BASIC is a great option. You will be blown away at the number of commands available, and as you become more experienced you can start to sprinkle in assembly to optimize certain parts of your code if desired.

hackaday.com/2024/09/23/new-re…

Gli sviluppatori dei popolari infostealer hanno informato i clienti di aver imparato a bypassare la funzionalità di crittografia di Chrome e a raccogliere cookie di autenticazione precedentemente crittografati.

security.googleblog.com/2024/0…

Una nuova funzionalità di sicurezza è stata aggiunta a Chrome 127 a luglio ed è progettata per crittografare i dati associati al processo del browser. Tali dati possono essere decrittografati solo utilizzando un account amministratore.

Negli ultimi due mesi gli sviluppatori di malware hanno cercato attivamente modi per aggirare la barriera. Alcuni hanno inserito codice dannoso direttamente nel processo Chrome o hanno utilizzato vulnerabilità di escalation dei privilegi per ottenere l’accesso ai diritti di amministratore. Ora gli infostealer come Lumar, Lumma, Meduza, Vidar e WhiteSnake hanno nuove capacità per effettuare questo bypass.

Google aveva capito che la funzionalità di crittografia associata all’app non era una panacea e che gli aggressori alla fine avrebbero trovato il modo di aggirarla. Tuttavia, l’azienda ha deciso di implementarlo perché sapeva che i tentativi di aggirarlo avrebbero reso le azioni dei ladri di informazioni più visibili ai software antivirus. Come spiega Google, “Poiché App-Bound funziona con privilegi di sistema, gli hacker devono fare molto di più che semplicemente indurre un utente a eseguire un’app dannosa. Il malware deve ora ottenere i diritti di sistema o iniettare codice in Chrome, rendendo le sue azioni più sospette per il software antivirus e con maggiori probabilità di essere rilevato.”

Nell’ultimo mese, gli infostealer sono stati sempre più utilizzati per hackerare e distribuire ransomware, costringendo il team di sicurezza di Google a prestare maggiore attenzione alla protezione dei dati nel browser. Sebbene la crittografia associata all’app attualmente funzioni solo per i cookie, la società prevede di espanderla a password, informazioni di pagamento e altri token di autenticazione archiviati in Chrome.

Si prevede che la nuova funzionalità di sicurezza sarà supportata su circa la metà di tutti i dispositivi Chrome desktop e sarà pienamente coerente con l’eliminazione graduale dei cookie di terze parti in Chrome.

L'articolo La Guerra Silenziosa dei Dati! Gli infostealer contro Chrome: chi vincerà la battaglia? proviene da il blog della sicurezza informatica.

Introduction

We sometimes come across modified applications when analyzing suspicious files. These are created in response to user requests for more customization options within the app or for new features that the official versions don’t have. Unfortunately, it’s not uncommon for popular mods to contain malware. This often happens because they’re distributed on unofficial websites that don’t have any moderation. For example, last year we found popular WhatsApp mods infected with CanesSpy and distributed this way. Before that, we found ads for WhatsApp mods infected with the Triada Trojan dropper in the popular Snaptube application. However, even official app stores can be infiltrated by infected apps. In 2019, we discovered the Necro dropper hidden within CamScanner, a widely used document scanning and processing app available on Google Play. At the time of the malware discovery, this app had been downloaded to more than 100 million devices worldwide. Sadly, history has repeated itself, and this time the Trojan authors exploited both distribution vectors: the new version of the multi-stage Necro loader infected both apps in Google Play and modified versions of Spotify, Minecraft, and other popular applications in unofficial sources.

Our conclusions in a nutshell:

• The new version of the Necro Trojan has infected various popular applications, including game mods, with some of them being available on Google Play at the time of writing this report. The combined audience of the latter exceeds 11 million Android devices.
• The new version of the Necro loader, like most payloads it loads, has begun to use obfuscation to evade detection.
• The loader, embedded in some applications, used steganography techniques to hide payloads.
• The downloaded payloads, among other things, could display ads in invisible windows and interact with them, download and execute arbitrary DEX files, install applications it downloaded, open arbitrary links in invisible WebView windows and execute any JavaScript code in those, run a tunnel through the victim’s device, and potentially subscribe to paid services.

How Necro spreads

Necro loader inside a Spotify mod

In late August 2024, our attention was drawn to a Spotify mod called Spotify Plus, version 18.9.40.5. At the time of writing this, the mod could be downloaded from spotiplus[.]xyz and several related sites that linked to it. The original website claimed that the mod was certified, safe, and contained numerous additional features not found in the official app. We decided to verify the claims about the application’s safety by downloading the latest version from this website (acb7a06803e6de85986ac49e9c9f69f1) and analyzing it.

Site containing the Spotify mod

The mod implements a custom Application subclass that initializes an SDK named adsrun in its
onCreate method. This SDK is intended for integrating several advertising modules into the application: among other things, it initializes a module named Coral SDK. Upon activation, Coral SDK transmits a POST request to a designated command-and-control server. This request contains encrypted JSON data, specifically detailing the compromised device and the application hosting the module. The encryption method employed is a substitution cipher, where the substitution values are generated using a standard Java pseudo-random number generator seeded with a predefined constant. See an example of data sent by the module below.{
"appId": "REDACTED",
"channelId": "com.spoti.plus",
"androidId": "REDACTED",
"isAdb": false,
"isProxy": false,
"isSimulator": false,
"isDebug": false,
"localShellVer": 0,
"sdkVer": 116,
"appVersion": "1020000005",
"appVersionName": "18.9.40.5"
}
The C2 server returns a JSON response with an error code, encrypted with the same method. A value of 0 indicates successful execution. In this case, the response from the C2 will also contain an array of one object with a link to download the image in PNG format and associated metadata: name, MD5, version, and so on. Intriguingly, the downloaded file is termed “shellP”, suggesting it might be a condensed form of “shellPlugin”.
{
"code": 0,
"result": [{
"md5": "F338384C5B4BC7D55681A3532273B4EB",
"name": "shellP",
"sdkver": 100,
"url": "hxxps://adoss.spinsok[.]com/plugin/shellP_100.png.png"
}
]
}
Next, the module verifies the integrity of the downloaded image by calculating its MD5 hash and comparing it to the value received from the server. A payload is hidden in this image using steganography, which the module must extract and execute in the next step.

Coral SDK uses a very simple steganographic algorithm. If the MD5 check is successful, it extracts the contents of the PNG file — the pixel values in the ARGB channels — using standard Android tools. Then the
getPixel method returns a value whose least significant byte contains the blue channel of the image, and processing begins in the code.

Steganographic algorithm for payload extraction

If we consider the blue channel of the image as a byte array of dimension 1, then the first four bytes of the image are the size of the encoded payload in Little Endian format (from the least significant byte to the most significant). Next, the payload of the specified size is recorded: this is a JAR file encoded with Base64, which is loaded after decoding via DexClassLoader. Coral SDK loads the
sdk.fkgh.mvp.SdkEntry class in a JAR file using the native library libcoral.so. This library has been obfuscated using the OLLVM tool. The starting point, or entry point, for execution within the loaded class is the run method.

Starting the payload

Therefore, the security claims made about the application on the mod website can be considered false.

Popular applications in Google Play are infected with Necro

Having searched for the loader in our telemetry, we found other apps infected with Necro, including those available in Google Play at the time of writing this report. Their combined audience numbered more than 11 million Android devices.

Wuta Camera app in Google Play

Our first find is the Wuta Camera app. Judging by its page in Google Play, it was downloaded at least 10 million times. According to our data, the Necro loader has been embedded in it starting from version 6.3.2.148. The latest version of the app at the time of collecting information, 6.3.6.148 (1cab7668817f6401eb094a6c8488a90c), which was available on Google Play, also had the Necro loader. We reported the presence of malicious code to Google Play, after which the loader was removed from the app in version 6.3.7.138.

Malicious loader in Wuta Camera

The second infected app we found was Max Browser.

Max Browser app in Google Play

This browser, according to Google Play, has been installed more than a million times and, starting with version 1.2.0, also contained the Necro loader. After we reported it, Google took down the infected app from their store.

Necro Trojan within Max Browser

WhatsApp mods with the Necro loader

We also found WhatsApp mods containing the Necro loader (0898d1a6232699c7ee03dd5e58727ede) in unofficial sources. The infected application is distributed under the package name
com.leapzip.animatedstickers.maker.android. Interestingly, there’s a legitimate app on Google Play with the exact same package name that isn’t a WhatsApp mod, but instead offers a collection of stickers for the messaging app.
The loader contained within the ad module in these applications functions somewhat differently from the sample described above. For instance, the code isn’t obfuscated at all but is protected by the SecAPK code protector. Additionally, the application uses Google’s Firebase Remote Config cloud service as a C2, storing information about files that need to be downloaded and executed.

Running the payload

While examining this loader, we discovered an interesting quirk: the malicious code within it has an 84% or 90% chance of execution. Initially, a random number between 0 and 99 is generated. Subsequently, based on the application package name, a threshold for malware execution is selected: the generated number must exceed either 9 or 15 for the loader to launch. If the number meets this criterion, a corresponding flag inhibiting loader operation is set to
false, and the malicious functionality is executed.

The malicious functionality will be executed with a predetermined probability

Intermediate payloads downloaded by this loader are not pre-encoded. The Trojan receives both the entry point information for the downloaded file and the download link from its C2 server. According to our data, one of the payloads (37404ff6ac229486a1de4b526dd9d9b6) bore resemblance to a loader found in a modified version of Spotify, albeit with minor variations.

• The next-stage payload (shellPlugin) is loaded without the aid of native code.
  
  Loading shellPlugin
• A different path is used for the POST request to the command-and-control server to retrieve shellPlugin information.
• Instead of using the steganographic algorithm, shellPlugin is decoded with Base64.

Other infected applications

This is not an exhaustive list of our findings. In addition to Spotify and WhatsApp mods, as well as apps in Google Play, we found infected game mods, including the following:

• Minecraft;
• Stumble Guys;
• Car Parking Multiplayer;
• Melon Sandbox.

Given that various apps from multiple sources, including official ones, were found to be infected, we believe that the developers used an untrusted solution for ad integration. This led to a malicious loader appearing in the apps. Our security solutions detect it with the following verdicts:

• HEUR:Trojan-Downloader.AndroidOS.Necro.f;
• HEUR:Trojan-Downloader.AndroidOS.Necro.h.

The Necro lifecycle in the wild: how the payload works

During our research, we managed to obtain several samples of payloads that the loader subsequently executes. This particular payload (fa217ca023cda4f063399107f20bd123) exhibits several interesting characteristics that allow us to classify it as belonging to the Necro family:

• The loader obtains download information from the C2 domain bearsplay[.]com. According to our telemetry data, the domain has been contacted by Necro-family malware.
• According to our data, the C2 domains that this file interacts with are also being used by the Necro and xHelper Trojans.
• The functionality of this new payload is very similar to the previous version of Necro (402b91c6621b8093d44464fc006e706a). The code of the Trojans is also similar, but in this new payload, the attackers have used an obfuscator to make it harder for security solutions to detect and analyze.
  
  Code snippet from the payload

  
  Similar code snippet from an old version of Necro

• The payload configuration structure is identical to that of older versions of Necro, including the one we previously discovered in the CamScanner app. The field names in the configuration match the corresponding fields in other Necro versions.

Based on this, we assert that both the examined payload and the original loader belong to the Necro family, which is familiar to us.

Payload structure

Now let’s move on to analyzing the payload. The second stage of the launch process reads a JSON-formatted configuration embedded within the code. An example of the configuration is provided below.
{
"hs":{
"server":"https://oad1.azhituo.com:9190",
"default":"https://oad1.azhituo.com:9190",
"dataevent":"https://oad1.azhituo.com:9190",
"PluginServer":"https://oad1.azhituo.com:9190"
},
"ps":{
"web":"canna",
"dsp":"hatch"
},
"mp":{
"PMask":"159"
},
"rp":{}
}
The
rp switch might contain malicious services to be launched, but it was empty in the samples we analyzed.

Code for launching the malicious service from the “rp” parameter

The
mp configuration switch holds parameters for the second-stage loader. It’s likely an abbreviation for “module parameters”.
The malicious functionality of Necro is implemented in additional modules that are downloaded from the C2 server. The malware authors frequently refer to these as “plugins” in the code. The
ps configuration field (likely an abbreviation for “plugin stop list”, meaning a list of prohibited plugins) is necessary to block these modules. The switches in this object are the names of plugins that are forbidden to load, and the values are alternative plugins that can be executed instead of the blocked ones if they were loaded. The download ban will be applied if the mp field has the PluginControl flag set to true. However, in the samples we were able to obtain, the restrictions did not apply. Additionally, the mp field may contain the PluginUpdateFeature flag, which controls plugin updates. If this flag is not present, plugins will be updated by default.
The
hs switch in the configuration stores a list of C2 addresses which the Trojan will talk to. Note that the malware logic does not require all addresses to match, although in the sample we examined, they were identical. The Trojan needs each address to perform the following tasks:

• server is used to update the PluginServer server address. To do this, the Trojan first sends a POST request containing the ID of the malicious implant and the name of the application package it’s embedded into. After that, the server can send a new PluginServer address. If the address cannot be updated, the value from the configuration set in the code is used.
  
  Updating PluginServer
• dataevent is used to store various events related to SDK activity.
• default is not used at this stage.
• PluginServer instructs the Trojan which plugins to download. Initially, a large amount of data is sent to this server. This includes information about the infected device (screen size, RAM, IMEI, IMSI, operating system version), information about the device’s environment (whether USB debugging mode and developer mode are enabled, if emulator artifacts are detected, etc.), details about the infected app, and so on.
  
  Sending collected data to PluginServer

In response, the server sends a list of plugins to download. These are downloaded asynchronously. To do this, the malware registers a broadcast receiver, and a separate thread, which is started for the download, sends a broadcast message when a plugin is ready to be downloaded. The plugins are differentiated by their name, which is also provided by the server.

Plugin encryption and loading

The plugin loading code supports, among other things, the ability to decrypt plugins using various methods. Additionally, payloads can be extracted beforehand using the steganographic algorithm described above if a file with a .png extension was downloaded. The decryption method is specified in the file URL. The following options are available:

• new/enc: decryption with a substitution cipher similar to that used for C2 communication
• ssd: plugin decryption using the DES algorithm
• ori: unencrypted plugin
  
  Selecting a decryption procedure

If no encryption method is specified, the plugin will be decrypted using a substitution cipher. The initial seed for this cipher will be the
PMask parameter (short for plugin mask), which is defined in the mp object within the loader configuration. Once decoded, plugins can be loaded in various ways.

Selecting a method to load the plugin

• dex: this method loads the plugin using DexClassLoader. The loader provides it with the application and plugin context, and additional plugin information.
  
  Loading the plugin in dex mode

  
  Launching the plugin entry point

• res: this method allows loading plugins with new resources. These resources can be used to download more plugins in the future.
  
  Loading new resources
• apk: a method that allows sending information about a downloaded file to a service via the IPC Binder mechanism. The name of the service is specified in the bird_vm_msg_service property. While it’s not definitively known which services Necro used, we can speculate that this function is used to install arbitrary APK files on the victim’s device.

Types of plugins

To better understand the attackers’ goals, we decided to thoroughly examine the payloads downloaded by the Trojan and, after analyzing telemetry data, found several Necro modules.

ed6c6924201bc779d45f35ccf2e463bb – Trojan.AndroidOS.Necro.g

This is a Necro module named “NProxy”. Its purpose is to create a tunnel through the victim’s device. When launched, the module connects to a server defined in the code.

Connecting to the server

This server acts as a C2 server that the Trojan talks to via an unidentified protocol implemented over TCP sockets. The C2 sends commands, which the Trojan processes. After processing, the Trojan forwards traffic from one endpoint to another through the victim’s device.

b3ba3749237793d2c06eaaf5263533f2 – Trojan.AndroidOS.Necro.i

We named this plugin “island”. When launched, the plugin generates a pseudo-random number, which it uses as an interval (in milliseconds) between displays of intrusive ads.

Trojan showing ads

ccde06a19ef586e0124b120db9bf802e – Trojan.AndroidOS.Necro.d

This plugin is named “web”, and it is one of the most popular Necro plugins, judging by our telemetry data. Its code contains a configuration similar in structure to the shellPlugin payload configuration in the previous stage. It’s interesting that the code for this plugin contains artifacts of older versions of Necro.

nicro is one such artifact from older Necro versions found within the plugin’s configuration

Depending on the value of the
CheckAbnormal flag, the plugin checks for the presence of a debugger in the execution environment and if a phone is connected via USB using ADB. If either condition is met, the Trojan clears the Logcat log to hide traces of its activity. Additionally, the plugin verifies if it has the permission to display windows on top of other applications. After all these checks, it launches a malicious task that runs once every two hours. When the malware starts, it sends a POST request containing details about the infected device to the server server. This is done to get the address of another server, named main URL, which the Trojan will communicate with frequently. If there’s an error when getting this address, the malware will fall back to using a server named default.

Data about the infected device sent to the C2

The received
main URL serves as the C2 server: it sends a list of pages to the Trojan, which the malware later opens in the background before processing the interactive elements contained on them. This functionality has a couple of interesting features. First, the Trojan code contains some artifacts that indicate it might be running with elevated privileges. However, Android processes with elevated privileges do not allow WebView by default. Privilege checks occur directly when creating an instance of the WebView factory: in privileged processes, it won’t be created. To circumvent this restriction, the Trojan creates an instance of the factory directly using reflection, thus bypassing all checks of the current process.

Instantiating a WebView factory directly

Secondly, the Trojan can download and run other executables, which are then used to replace links loaded with WebView. Combined with the functionality described above, this theoretically allows to do things like adding any additional information to the URL parameters of a replaced link, such as confirmation codes for paid subscriptions, as well as executing other arbitrary code when loading specific links.

36ab434c54cce25d301f2a6f55241205 – Trojan-Downloader.AndroidOS.Necro.b

This module is named “Happy SDK”. Its code partially combines the NProxy and web modules logic, as well as the functionality of the previous stage of the loader with a few minor differences:

• The code lacks the Trojan configuration, and backup C2 servers are located by default in the corresponding methods.
  
  Server address for updating the module is specified in the method code by default
• The code corresponding to the “web” plugin lacks the functionality to execute arbitrary code.
  Note that we have occasionally encountered this SDK under the name “Jar SDK”. Analysis has shown that Jar SDK is a new version of Happy SDK.
  
  Happy SDK artifacts in Jar SDK

We believe this is a different variant of Necro where the developers have opted for a non-modular architecture in the malicious SDK. This suggests that Necro is highly adaptable and can download different iterations of itself, perhaps to introduce new features.

874418d3d1a761875ebc0f60f9573746 – Trojan.AndroidOS.Necro.j

We dubbed this plugin “Cube SDK”. It’s pretty simple and acts as a helper: its only job is to load other plugins to handle ads in the background.

522d2e2adedc3eb11eb9c4b864ca0c7f – Trojan.AndroidOS.Necro.l

This plugin, in addition to NProxy’s functionality, has an entry point for another plugin we’ve named “Tap”. Judging by its code, the latter is still under development: it contains a lot of unused functionality for interacting with ad pages. Tap downloads arbitrary JavaScript code and a WebView interface from the C2 server, which are responsible for viewing ads in the background. Among other things, the plugin includes
com.leapzip.animatedstickers.maker.android as the package name of the infected app. This confirms that the WhatsApp mod loader described earlier, which uses Firebase Remote Config as a C2, also belongs to the Necro family.
These are all the payloads we were able to find during our research. For simplicity, we’ve combined all the processes described above into a single diagram illustrating all stages of the Necro Trojan.

Necro Trojan infection diagram

It’s worth noting that the creators of Necro may regularly release new plugins and distribute them among infected devices, selectively or otherwise, for example, depending on the information about the infected application.

Victims

According to Google Play data, the infected applications could have been downloaded over 11 million times. However, the actual number of infected devices might be much higher, considering that the Trojan also infiltrated modified versions of popular apps distributed through unofficial sources.

KSN data shows that our security solutions blocked over ten thousand Necro attacks worldwide between August 26th and September 15th. Russia, Brazil, and Vietnam experienced the highest number of attacks. The chart below illustrates the distribution of Necro attacks across countries and territories where users most frequently encountered the Trojan.

Necro attacks by country and territory, August 26 through September 15, 2024 (download)

Conclusion

The Necro Trojan has once again managed to attack tens of thousands of devices worldwide. This new version is a multi-stage loader that used steganography to hide the second-stage payload, a very rare technique for mobile malware, as well as obfuscation to evade detection. The modular architecture gives the Trojan’s creators a wide range of options for both mass and targeted delivery of loader updates or new malicious modules depending on the infected application. To avoid being infected with this malware:

• If you have any of the aforementioned Google Play apps installed and the versions are infected, update the app to a version where the malicious code has been removed, or delete it.
• Download applications from official sources only. Applications installed from unofficial platforms may contain malicious functionality.
• Use a reliable security solution to protect your device from attempts to install malware.

Indicators of compromise

Applications infected with the loader

Loader C2 server
oad1.bearsplay[.]com
shellPlugin versions

Second-stage payload
37404ff6ac229486a1de4b526dd9d9b6

Second-stage payload C2 server
oad1.azhituo[.]com

Plugins (third stage)

Plugin C2 servers
47.88.246[.]111
174.129.61[.]221
47.88.245[.]162
47.88.190[.]200
47.88.3[.]73
hsa.govsred[.]buzz
justbigso[.]com
bear-ad.oss-us-west-1.aliyuncs[.]com

securelist.com/necro-trojan-is…

slowforward.net/2024/09/23/pod…

slowforward

2024-09-23 07:31:10

Sabato 21 settembre 2024 allo Studio Campo Boario si è tenuta la presentazione del libro della natura e del continuo, di Mario Corticelli (déclic, 2024). L’audio completo dell’incontro si può ascoltare qui su Pod al popolo. Il podcast irregolare, ennesimo fail again fail better dell’occidente postremo. Buon ascolto.

slowforward.net/wp-content/upl…
_

_

slowforward.net/2024/09/23/pod…

#000000 #audio #audioArchive #déclic #ffffff #LibroDellaNaturaEDelContinuo #MarioCorticelli #PAP #pap040 #pap040 #podAlPopolo #podcast #poesia #poesie_ #scritturaDiRicerca #scrittureDiRicerca

libro della natura e del continuo - declic edizioni

20 settembre 2024

^{déclic edizioni di carlo sperduti}

slowforward.net/2024/09/23/une…

slowforward

2024-09-23 06:31:02

click to enlarge

_

slowforward.net/2024/09/23/une…

#000000 #ARTGOCie #éditionsArtgo #ChristianTarting #experimentalWriting #ffffff #JeanMarieGleize #JulienBlaine #LénaïgCariou #LilianeGiraudon #littérature #MaximeHortensePascal

une aventure d’images et de mots, 28 sept., saint-etienne-les-orgues

  _  

^slowforward

Un articolo di Marcello Marzani

" Non voglio illudermi che ogni pregiudizio potrà essere sradicato finché anche nelle così dette alte sfere si portano i corni di corallo contro la jettatura, e non si pranza in tredici”.
Il medico bellunese che combattè il pregiudizio dei contadini nei confronti della medicina , suffragato dal continuo proliferare di personaggi ambigui che, vestendo i panni ora del veggente e ora del taumaturgo, non esitano a depredare con rapace noncuranza coloro che, piegati dalle avversità della vita, si mostrano più fragili e indifesi.

qdpnews.it/comuni/follina/latt…

@Storia
@Storiaweb

Di Alberto Micalizzi:

DEBITORI UNITI D'AMERICA

Circa un terzo dell’intero debito pubblico USA, pari a $7.000 miliardi, è in scadenza nella seconda metà del 2024. Si tratta di una montagna di titoli emessi circa 1 anno fa al 5% di rendimento, come alternativa all’emissione di titoli a lunga scadenza che avrebbero fatto impennare i tassi decennali e trentennali sui quali si basano i mutui ipotecari, portando sul lastrico le famiglie già piene di debito privato.

Ora il Tesoro deve rimborsare questo debito ed è costretto a rinnovarlo di nuovo a breve termine. Però, con un’inflazione ormai prossima al 2%, se pagasse un altro 5% di interessi regalerebbe letteralmente soldi al sistema, cosa che abbatterebbe il dollaro.

Ecco che allora si è mossa la banca centrale, e la settimana scorsa ha operato un mega-taglio dei tassi di 0,50% a cui ne seguiranno altri, che ha l’obiettivo di ridurre i tassi a breve e contenere il costo del gigantesco rifinanziamento in corso da parte del Tesoro americano. Ma ormai sono dentro alla spirale e difficilmente ne usciranno con mezzi convenzionali.

Nel caso non bastasse, il disavanzo di bilancio è arrivato a $266,8 miliardi (pari a circa il 7,6% del PIL) ed il deficit della bilancia commerciale viaggia ormai al ritmo di $75 miliardi al mese.
Quest’ultimo dato è forse ancora più eclatante: dal 1971 in poi – cioè dalla fine degli accordi di Bretton Woods - la bilancia commerciale è costantemente in deficit e gli USA sono alla perenne ricerca di qualcuno che finanzi il loro tenore di vita.

Finora il dollaro ha sorretto il debito americano. Nel momento in cui il giochino diventa insostenibile chi sarà disposto a farsi carico del grasso pachiderma che, peraltro, è poco propenso a ringraziare e gioca a fare il gendarme del mondo?

Sono convinto che la Cina, ad esempio, sia seduta sulla riva del fiume..

@ nuova versione 0.1.0-beta01 disponibile! Come promesso, una volta terminate tutte le feature più importanti e permesso agli utenti di riportare feedback degli errori riscontrati, si può passare alla fase beta del progetto!

Ci sono molte novità nelle ultime due release:
- possibilità di inviare feedback e segnalazioni dal pulsante "Segnala un problema" nella finestra di dialogo "Informazioni app",
- supporto al codice preformattato nel corpo e nel titolo dei post,
- possibilità di creare post con sondaggi (purtroppo supportate solo dalle istanze Mastodon, su Friendica c'è del lavoro lato back-end da fare ancora),
- finestra di dialogo "dettagli post" in cui è possibile vedere il testo sorgente, il protocollo/rete di origine del contenuto, numero di like/dislike (ove presenti), date di creazione e modifica e altri dati utili,
- revisione barra degli strumenti di formattazione nella schermata di creazione post,
- fix caricamento relazioni con altri utenti nelle liste di utenti (es. seguiti/seguaci o persone che hanno ricondiviso o aggiunto ai preferiti un post),
- miglioramento errori di caricamento iniziali (ad es. se il server va in timeout),
- ottimizzazione caricamento immagini dei post, questo dovrebbe rendere molto più scorrevoli tutti i feed! 😉,
- miglioramento gestione degli eventi di modifica/creazione/cancellazione post nelle liste, per cui l'utente dovrebbe avere un feedback più immediato dell'azione senza bisogno di ricaricare tutto il feed,
- refactoring e pulizia del codice (es. per centralizzare i controlli sulle feature supportate dall'istanza corrente oppure sulle azioni che è possibile effettuare).

Fatemi sapere che cosa ne pensate, e come sempre tante care cose (buon weekend, buon inizio settimana, ecc. ecc.)! #livefasteattrash 🦝🦝🦝

#friendica #friendicadev #androidapp #androiddev #fediverseapp #kotlin #kmp #compose #opensource #foss #buildinpublic

Il compositore americano Irving Berlin, considerato da molti il più grande dei cantautori americani, muore a New York City.

@Storia
@Storiaweb