Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Arrest of Huawei CFO Inspires Advance Fee Scam

Published: 2018-12-09
Last Updated: 2018-12-10 00:51:38 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Last week, the arrest of MENG Wanzou made big waves in the news. Ms. Meng was arrested in Canada based on an arrest warrant issued for the United States Department of justice. Ms. Meng, as CFO of Huawei and possible heir to her father, the CEO of Huawei, is assumed to have access to substantial wealth. This led to a wave of advanced fee scams levering this news. 

Advance fee scams have probably been most commonly associated with "Nigerian Prince" scams. The trick is to promise substantial wealth in exchange for a relatively small advanced fee.

In this case, the message sent via WeChat suggested that a corrupt Canadian guard would let Ms. Meng escape for a few thousand dollars. The recipient of the message is asked to transfer the money to the guard's account, and promised a large amount of money once Ms. Meng is released:

Translation: "Hello, I am MENG Wanzou. Currently, I have been detained by Canadian customs. I have limited use of my phone. Right now CIA is trying to get me into the hands of the US government. I bribed the guard of my room, and urgently need US$2000 to get out of here. Once I am out, I will reward you 200,000 shares of Huawei.  I will be good on my word. if you are single, we can also discuss the important thing in life. The guard’s name is David, the account number is 52836153836252, swift 55789034. I will be good on my word"

Of course, it is questionable how successful a crude attempt like this will be. But sadly, experience tells us that there are still people falling for the old "Nigerian scam". By targeting Chinese individuals via WeChat, the scam may have a higher success rate than more widely distributed scams.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
Twitter|

Keywords: scam huawei
0 comment(s)

Quickie: String Analysis is Still Useful

Published: 2018-12-09
Last Updated: 2018-12-09 22:52:50 UTC
by Didier Stevens (Version: 1)
0 comment(s)

String analysis: extracting and analyzing strings from binary files (like executables) to assist with reverse engineering.

It's a simple method, but still useful, if you don't have to spend hours sifting through all strings produced by the string tool. I have a tip to quickly find "interesting" strings: sort the output of the strings tool by string length. Start with the shortest strings, and end with the longest strings.

Take for example the analysis of a malicious document, that involved many steps and requires good knowledge of different file formats.

Just by extracting the strings of this document and sorting them by length, you immediately find the powershell command:

I developed my own strings.py tool, and option -L sorts strings by increasing lenght.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: malware strings
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Reader Malware Submission: MHT File Inside a ZIP File
Dec 8th 2018
1 day ago by DidierStevens (0 comments)

A Dive into malicious Docker Containers
Dec 7th 2018
2 days ago by Remco (0 comments)

Is it Time to Uninstall Flash? (If you haven't already)
Dec 6th 2018
3 days ago by Rob VandenBrink (2 comments)

Campaign evolution: Hancitor changes its Word macros
Dec 5th 2018
4 days ago by Brad (0 comments)

Malspam pushing Lokibot malware
Dec 4th 2018
6 days ago by Brad (0 comments)

Word maldoc: yet another place to hide a command
Dec 3rd 2018
6 days ago by DidierStevens (1 comment)

View All Diaries →

Latest Discussions

Dedicated development team
created Dec 5th 2018
4 days ago by Anonymous (0 replies)

virtual server design
created Nov 28th 2018
1 week ago by Anonymous (0 replies)

Intern needs help
created Nov 23rd 2018
2 weeks ago by Anonymous (0 replies)

CVE Links Are Broken
created Nov 17th 2018
3 weeks ago by George (1 reply)

Mobile Forensics tools - suggestions?
created Oct 8th 2018
2 months ago by Gary (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 year ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
1 year ago by Johannes (16 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
11 months ago by Russ McRee (2 comments)

Maldoc with auto-updated link
Aug 17th 2017
1 year ago by Xme (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
1 year ago by Renato (0 comments)