Social engineering campaigns involving the deployment of the malicious Emotet botnet have been observed using “unconventional” IP address formats for the first time in an attempt to circumvent detection by security solutions.
This involves the use of hexadecimal and octal representations of the IP address which, when processed by the underlying operating system, are automatically converted “to the dotted decimal quad representation to initiate the request from the remote servers,” said Ian Kenefick, threat analyst at Trend Micro, in a report published on Friday.
Chains of infection, like previous Emotet-related attacks, aim to trick users into enabling document macros and automate malware execution. The document uses Excel 4.0 macros, a feature that has been repeatedly abused by malicious actors to spread malware.
When activated, the macro invokes a URL obfuscated with carets, with the host embedded as a hexadecimal representation of the IP address — “h^tt^p^:/^/0xc12a24f5/cc.html” — to execute HTML application (HTA) code from the remote host.
A second variant of the phishing attack follows the same modus operandi, the only difference being that the IP address is now encoded in octal format — “h^tt^p^:/^/0056.0151.0121.0114/c.html”.
“The unconventional use of hexadecimal and octal IP addresses can result in the avoidance of current solutions that rely on pattern matching,” Kenefick said. “Evasive techniques like these could be seen as proof that attackers continue to innovate to thwart pattern-based detection solutions.”
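The conversion the article describes is what the C library's inet_aton() does: each dot-separated part may be decimal, leading-zero octal, or 0x-prefixed hexadecimal, and a host with fewer than four parts has its last part spread across the remaining bytes. The following Python is an added example, not code from Trend Micro or from the article, that reproduces those rules to normalize a host to dotted-decimal and flags URLs whose host differs from that canonical form, which is the check a pattern-matching detection needs before it compares against a blocklist. The two obfuscated URLs are the ones quoted above; the plain dotted-decimal URL and the loopback cases are constructed for the demonstration, and the caret-stripping step assumes the cmd.exe escape semantics.

```python
import re
import socket
import struct
from typing import Optional

# Constructed sample set: the two URLs quoted in the article plus a plain
# dotted-decimal URL (constructed) for comparison.
SAMPLE_URLS = [
    "h^tt^p^:/^/0xc12a24f5/cc.html",
    "h^tt^p^:/^/0056.0151.0121.0114/c.html",
    "http://193.42.36.245/cc.html",
]

HEX_PART = re.compile(r"0[xX][0-9a-fA-F]+")
OCT_PART = re.compile(r"0[0-7]*")
DEC_PART = re.compile(r"[1-9][0-9]*")


def strip_carets(s: str) -> str:
    """Remove carets, which cmd.exe treats as an escape character and discards."""
    return s.replace("^", "")


def parse_inet_aton(host: str) -> Optional[str]:
    """Apply inet_aton() parsing rules and return the dotted-decimal form,
    or None if the host is not a numeric address (e.g. a DNS name)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if HEX_PART.fullmatch(p):
            values.append(int(p, 16))
        elif OCT_PART.fullmatch(p):
            values.append(int(p, 8))
        elif DEC_PART.fullmatch(p):
            values.append(int(p, 10))
        else:
            return None
    *head, last = values
    # Every leading part is one byte; the last part fills the remaining bytes.
    if any(v > 255 for v in head):
        return None
    last_width = 4 - len(head)
    if last >= 256 ** last_width:
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << (8 * last_width)) | last
    return socket.inet_ntoa(struct.pack("!I", n))


def analyze_url(raw: str) -> dict:
    """Normalize a possibly caret-obfuscated URL and report whether its host
    is a numeric address written in a non-canonical (hex/octal/short) form."""
    url = strip_carets(raw)
    m = re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*://([^/?#:]+)", url)
    host = m.group(1) if m else ""
    canonical = parse_inet_aton(host) if host else None
    return {
        "url": url,
        "host": host,
        "canonical_ip": canonical,
        "caret_escaped": "^" in raw,
        "obfuscated": canonical is not None and host != canonical,
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyze_url(u)
        print(f"{r['host']:>22} -> {r['canonical_ip']}  obfuscated={r['obfuscated']}")
```

A detection rule that matches only the dotted-decimal form misses both article variants; comparing the canonical IP instead, and alerting on the obfuscated flag regardless of the resolved address, catches the evasion itself rather than a specific host.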
The development comes amid renewed Emotet activity late last year, after a 10-month hiatus that followed a coordinated law enforcement operation. In December 2021, researchers discovered evidence that the malware was evolving its tactics to drop Cobalt Strike beacons directly onto compromised systems.
The findings also come as Microsoft revealed plans to disable Excel 4.0 (XLM) macros by default to protect customers from security threats. “This setting is now default as Excel 4.0 (XLM) macros are disabled in Excel (Build 16.0.14427.10000),” the company announced last week.