Researchers have observed recent Emotet campaigns adopting a known technique for the first time – using “unconventional” representations of IP addresses – in order to avoid detection.
There are different formats for representing IP addresses, the unique numeric addresses assigned to each device on the network. Most are familiar with dotted decimal notation, which is the format that uses a string of four decimal numbers with a single period as the separator character. However, other representations exist besides dotted-decimal notation, including octal notation, where each decimal number is converted to octal values, and hexadecimal notation, where each decimal number is converted to hexadecimal values.
Web browsers accept these different IP formats as valid by automatically converting them to a dotted decimal IP address. Threat actors launching spam or phishing attacks have used these hexadecimal and octal encoded IP address formats in the hostname portion of URLs in the past – including in 2020 to redirect victims to websites selling fake medicines, drugs and health products – in order to evade the email gateway and trick the end-user victim into clicking on the URLs. Trend Micro researchers, in an analysis of Friday’s attack, said they believe this was the goal of spammers in a recently observed campaign, which had the end goal of infecting email recipients with the Emotet malware.
Ian Kenefick, threat hunter at Trend Micro, said that while abuse of these IP address formats by cybercriminals has been prevalent over the past decade, this is the first time the tactic has been seen in Emotet campaigns.
“The actors behind Emotet are constantly tweaking their techniques in order to evade defenses and this latest development represents another effort to bypass defenses,” Kenefick said.
The spam campaign, which targeted victims in North America, Europe and Asia, used hijacked chat threads with an attached document using Excel 4.0 macros, a feature commonly used by cybercriminals (and which Microsoft announced this week would be disabled by default for Microsoft 365 tenants). Once the target enabled the macros, the malware was executed.
In the recent Emotet campaign, “the URL is masked with carets and the host contains a hexadecimal representation of the IP address,” the researchers said. “When executed, the macro invokes cmd.exe > mshta.exe with the URL containing the hexadecimal representation of the IP address as an argument, which will download and execute HTML Application (HTA) code from the remote host.”
Similarly, in another email the researchers found the URL obfuscated with carets and the host containing the octal representation of the IP address. When handed these formats, operating systems automatically convert the values to dotted-decimal representation before initiating the request to the remote server, the researchers said. These hex and octal IP addresses could help attackers evade spam detection systems and URL blocklists, but on the other hand, security teams can view the tactic as a detection opportunity by enabling filters that flag these IP address formats as suspicious.
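The detection opportunity described above, as an added example (not Trend Micro's or the article's code): a small URL filter that undoes cmd.exe caret escaping, applies the classic inet_aton() parsing rules that browsers and resolvers follow (per-part decimal, octal with a leading 0, or 0x hex, and one-, two- or three-part forms where the last part fills the remaining bytes), normalises any numeric host to dotted decimal so it can be matched against a blocklist, and reports why the form was unconventional. The sample URLs are constructed for the example and point at a private address.

```python
"""Flag URLs whose host is an IPv4 address written in a non-dotted-decimal form.

Added example, not from the article or Trend Micro. Parsing rules mirror
inet_aton(): each dot-separated part may be decimal, octal (leading 0) or
hex (0x), and fewer than four parts are allowed with the last part absorbing
the remaining bytes. Anything other than plain four-part dotted decimal is
reported as unconventional.
"""
import re
from urllib.parse import urlsplit

_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]+")
_DEC = re.compile(r"[0-9]+")


def _parse_part(part: str):
    """Return (value, radix_name) for one dot-separated part, inet_aton style."""
    if _HEX.fullmatch(part):
        return int(part[2:], 16), "hex"
    if _OCT.fullmatch(part):          # leading zero and more than one digit -> octal
        return int(part, 8), "octal"
    if _DEC.fullmatch(part):          # plain decimal, including a bare "0"
        return int(part), "decimal"
    raise ValueError(f"not a numeric IP part: {part!r}")


def normalize_ipv4(host: str):
    """Return (dotted_decimal, reasons) or None if host is not a numeric IPv4.

    reasons lists why the spelling is unconventional; it is empty for
    ordinary four-part dotted decimal.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        parsed = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    values = [v for v, _ in parsed]
    # Bit width per part as in inet_aton: the last part takes whatever is left.
    widths = [8] * (len(values) - 1) + [32 - 8 * (len(values) - 1)]
    if any(v >= 1 << w for v, w in zip(values, widths)):
        return None                  # a part overflows its slot: not a valid address
    addr = 0
    for v, w in zip(values, widths):
        addr = (addr << w) | v
    dotted = ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))
    reasons = sorted({f"{radix} part" for _, radix in parsed if radix != "decimal"})
    if len(parts) != 4:
        reasons.append(f"{len(parts)}-part form")
    return dotted, reasons


def strip_cmd_carets(s: str) -> str:
    """Undo cmd.exe caret escaping: '^' makes the next character literal."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "^" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        elif s[i] == "^":            # trailing lone caret: nothing to escape
            i += 1
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def inspect_url(raw: str) -> dict:
    """Classify one (possibly caret-obfuscated) URL for an email/URL filter."""
    url = strip_cmd_carets(raw)
    host = urlsplit(url).hostname or ""      # urlsplit lower-cases the host
    reasons = ["caret-obfuscated"] if url != raw else []
    ip = None
    result = normalize_ipv4(host)
    if result:
        ip, ip_reasons = result
        reasons += ip_reasons
    return {"url": url, "host": host, "ip": ip,
            "reasons": reasons, "suspicious": bool(reasons)}


# Constructed sample URLs (hypothetical; the address is a private one).
SAMPLE_URLS = [
    "http://192.168.1.1/index.html",               # conventional, not flagged
    "http://0xC0.0xA8.0x1.0x1/stage.hta",          # hex per part
    "http://0300.0250.01.01/stage.hta",            # octal per part
    "http://3232235777/stage.hta",                 # single 32-bit decimal
    "h^t^t^p^:^/^/0xC0A80101/s^t^a^g^e.hta",       # caret-masked, single hex
    "http://example.invalid/stage.hta",            # hostname, not an IP
]

if __name__ == "__main__":
    for raw in SAMPLE_URLS:
        r = inspect_url(raw)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['ip'] or '-':15} {', '.join(r['reasons']) or '-':35} {raw}")
```

Normalising before matching matters because a blocklist entry for 192.168.1.1 never matches the literal string 0xC0.0xA8.0x1.0x1; the filter should compare the normalised address and, independently, treat any non-dotted-decimal spelling or caret-escaped URL in mail content as a signal in its own right.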
“Users and businesses are warned to detect, block and enable relevant security measures to avoid compromise when using Emotet for second-stage delivery of malware such as TrickBot and Cobalt Strike,” Kenefick said. He added that organizations can “use security solutions that take advantage of behavior monitoring, machine learning technologies and custom sandboxing – which combine to provide an effective defense against new techniques without requiring updates on specific days to detect them”.
After returning in November – nearly ten months after law enforcement disrupted its infrastructure in a coordinated international operation – Emotet has been seen in various spam campaigns in recent months. In December, researchers observed that the malware updated its attack vector by directly installing Cobalt Strike beacons, for example, rather than dropping an intermediate payload first. Kenefick said researchers expect Emotet actors to continue to evolve their tactics in an effort to evade security solutions.
“While the exact techniques they use to circumvent defenses will continue to evolve and be harder to predict, their business model and purpose is well defined – to create a leading criminal platform for distributing malware, which allows their criminal clientele to deliver malware directly to their target demographics at scale,” Kenefick said.