Hello, welcome to the Friday, January 7, 2020 edition of the Sansonet Storms, anders Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

Xavier is on a role this weekend.

Well, he found yet another interesting malware sample.

This time, a Python script that is pretty much still under development,

so it's not quite finished yet, but likely the author actually uploaded it to VirusTotal.

What's sort of special about it is that this Python script specifically targets system with a simplified Chinese user interface language.

So basically mainland China is being targeted here. That's however, is also where you sort of see

a little bit the beta version here of the script. There is an API call that's being used here,

get system default UI language.

If it's not equals to 2052,

which would be simplified Chinese,

it's exiting,

but actually the exit here is commoned out.

So maybe the developer was actually using a system that's in, not in Chinese and is trying to sort of

still experiment with the script. The script will then download additional malware from the

Alibaba cloud. So again, consistent with targeting Chinese, that it is using a Chinese cloud provider

to deliver additional parts of the malware. Given that the overall malware hasn't been finished

yet, it's not really clear what the purpose is. It's also listening on some odd high ports,

but also only on loopback. And yes, we usually hear more about systems that

sort of target Western countries and, for example, avoid, for example, Russia by detecting keyboard

...