G’day Cyber Warrior,
Here are the latest IOC lists.

Please note:
You can use this information to create block-lists.
All C2i published here is active at the time of publishing but some of these C2s can go offline at any time after that.
All information provided here is free to use.
C2i published on this site or shared via email could cause some FPs as these IPs/URIs get recycled frequently, you agree to that before using any C2i from this site.
Lists are NOT de-duped. 
You agree that any false positives or outages caused by use of this list will be your responsibility…

This is a new series that I've started, where we not just analyse the malware but highlight the steps that can be taken to defend against these threats. You'll still need to do some digging to find out how to implement these in your org but these should give you enough to get started. 
Skill level: Intermediate-Advanced

QuickDefend

The long-story-short version

Use the following info to break execution of this malware:

RestartManager

This malware uses the RestartManager to shutdown/stop running processes and then encrypt them (to bypass the ‘file is in use’ problem).
Use this reg key to disable that functionality.

DisableAutomaticApplicationShutdown:

…

Powershell provides a great platform to mess around with Defender

MS Powershell is a very powerful tool that MS has provided to the administrators. It can easily be used by malware authors to try to by-pass Windows Defender, the Microsoft anti-malware application that has a large user-base.

Section 1

First, let’s take a look at what features that are available in Powershell to work with anti-malware.

Add-MpPreference
Modifies settings for Windows Defender.

Get-MpComputerStatus
Gets the status of anti-malware software on the computer.

Get-MpPreference
Gets preferences for the Windows Defender scans and updates.

Get-MpThreat
Gets the history of threats detected on the computer.

…

This is a short one, just wanted to share how to remove password-protection from PDF documents. Instead of uploading your docs to ‘online’ password-removers or downloading tools to do that, you can use this simple method.

Nothing new here, I’ve known about this technique for quite sometime. I’ve had a bunch of people ask about it so thought maybe I should do a quick post.

Please note that this method only works on PDFs that you have the password for. You need to unlock it at least once to be able to then remove the protection moving forward. 

Here are…

This malware takes anti-analysis and stealth techniques to a new level

We took a look at this malware in the Part 1 of this publication. Now let’s carry on with the analysis and dig deeper into the various anti-analysis and stealth-exec features of this malware in Part2.

Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju

Secondary Macro Code

First of all, here’s the entire code that is dumped in the sheet once all the macro functions have been completed. Take a look at these lines and try to figure out what they are meant to do. …

This malware takes anti-analysis and stealth techniques to a new level

Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju

I’ve come across some great anti-analysis code in malware over the years. This one takes the top spot. On that note, let’s get into it, this is a long one!

Since this malware employs a very complex structure, I’ve decided to divide the analysis into different sections. I’ll try to keep it as simple as possible but having said that, it really is a very complicated project. Hence, publishing in parts.

TLDR: 
This is a very well-thought and equally well-written malware. There’s no VBA that you…

A boringly deep analysis of a very complex VBS Malware dropper

C2 Domains/IPs OR URLs

I’ve added a new feature to Lupo that allows you to extract C2 IPs/Domains OR complete URLs. This was a feature request.

You can get the latest version from Lupo Github Repository here.

Usage:

Load the extension:

.load lupo

Run the module for URLs:

!lupo.url

This will extract URLs from the malware and output them to the console as well as write them to a file on your disk.

Run the module for C2 IPs/domains:

This will extract IPs or domains from the malware and output them to the console as well as write them to a file on your disk.

!lupo.c2