Emotet Now Employing Non-Standard IP Address Formats to Avoid Detection

For the first time, phishing campaigns distributing the Emotet botnet malware have been observed using "unconventional" IP address formats in an attempt to evade detection by security products.

The technique relies on hexadecimal and octal representations of the IP address, which the underlying operating system silently converts "to the dotted decimal quad representation to initiate the request from the remote servers," according to a report by Trend Micro threat analyst Ian Kenefick. Because the conversion happens only when the address is parsed, a detection rule that matches on the dotted-quad string never sees it in the document or the URL.

As in earlier Emotet campaigns, the infection chain tricks the user into enabling document macros, which then automate execution of the malware. The document uses Excel 4.0 (XLM) macros, a legacy feature that threat actors have repeatedly abused to distribute malware.

Once enabled, the macro invokes a URL obfuscated with carets (cmd.exe treats a caret as an escape character, so "h^tt^p" is passed on as "http"). The host portion carries a hexadecimal representation of the IP address — "h^tt^p^:/^/0xc12a24f5/cc.html" — from which HTML Application (HTA) code is fetched and executed. The only difference in the second variant of the phishing attack is that the IP address is encoded in octal instead: "h^tt^p^:/^/0056.0151.0121.0114/c.html".
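The following is an added example, not code from the Trend Micro report or from the malware itself. It reproduces the inet_aton(3) acceptance rules the operating system applies (hexadecimal, octal and decimal components, and one to four components), strips the caret escaping, and canonicalises the host of each URL to the dotted quad the OS would actually connect to, so that a blocklist written in dotted-quad form can still match. The two URLs are the ones quoted above; the blocklist is constructed for the example and is not a threat feed. It goes beyond the article in also handling single-integer and two- and three-part forms, which inet_aton accepts as well.

```python
import re
from typing import List, Optional

# Caret-obfuscated URLs as quoted in the article (hex host, then octal host).
SAMPLE_URLS = [
    "h^tt^p^:/^/0xc12a24f5/cc.html",
    "h^tt^p^:/^/0056.0151.0121.0114/c.html",
]

# Constructed blocklist in the dotted-quad form a pattern-matching rule would hold.
# These are the canonical forms of the two sample hosts, not an independent threat feed.
BLOCKLIST = {"193.42.36.245", "46.105.81.76"}


def strip_carets(s: str) -> str:
    """cmd.exe treats '^' as an escape character, so 'h^tt^p' is passed on as 'http'."""
    return s.replace("^", "")


def parse_part(part: str) -> Optional[int]:
    """Parse one component the way inet_aton(3) does: '0x' prefix is hex, a leading
    '0' is octal, anything else is decimal. Returns None for anything it would reject."""
    if not part or not part.isalnum():     # rejects '', '+5', '1_0', whitespace
        return None
    try:
        if part[:2].lower() == "0x":
            return int(part[2:], 16) if len(part) > 2 else None
        if len(part) > 1 and part[0] == "0":
            return int(part, 8)            # ValueError on digits 8/9, which inet_aton rejects too
        return int(part, 10)
    except ValueError:
        return None


def inet_aton_canonical(host: str) -> Optional[str]:
    """Emulate classic BSD inet_aton acceptance rules (a.b.c.d, a.b.c, a.b or a) and
    return the dotted-quad string the OS would connect to, or None if host is not an IP."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *lead, last = values
    # Every leading component is one byte; the last one fills whatever bytes remain.
    if any(v > 0xFF for v in lead):
        return None
    tail_bytes = 4 - len(lead)
    if last >= 1 << (8 * tail_bytes):
        return None
    addr = 0
    for v in lead:
        addr = (addr << 8) | v
    addr = (addr << (8 * tail_bytes)) | last
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(url: str) -> Optional[str]:
    """Deobfuscate a caret-escaped URL, extract the host, and canonicalise it if it is an
    IP literal in any inet_aton-accepted form. Hostnames that are not IPs return None."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]+)", strip_carets(url), re.IGNORECASE)
    if not m:
        return None
    host = m.group(1).rsplit("@", 1)[-1]   # drop userinfo if present
    host = host.split(":", 1)[0]           # drop port
    return inet_aton_canonical(host)


def flag_urls(urls: List[str], blocklist=BLOCKLIST) -> List[str]:
    """Return the canonical IPs of the URLs whose host maps to a blocklisted address.
    A substring match on the raw URL text would miss every one of these."""
    hits = []
    for url in urls:
        ip = canonical_host(url)
        if ip is not None and ip in blocklist:
            hits.append(ip)
    return hits


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url} -> {canonical_host(url)}")
    print("blocklist hits:", flag_urls(SAMPLE_URLS))
```

The practical point is to canonicalise before matching: any rule that compares the literal host string against indicators will be bypassed by "0xc12a24f5", "0056.0151.0121.0114", a plain 32-bit integer such as "3232235777", or a mixed form such as "0x7f.1", all of which the OS resolves without complaint.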

“The unconventional use of hexadecimal and octal IP addresses may result in evading current solutions reliant on pattern matching,” Kenefick explained. “Evasion techniques like these could be considered evidence of attackers continuing to innovate to thwart pattern-based detection solutions.”

The news comes after Emotet resumed operations late last year, following a roughly 10-month hiatus that began with a coordinated law enforcement takedown of its infrastructure. Researchers observed the malware changing tactics in December 2021, when it began dropping Cobalt Strike beacons directly onto infected hosts.

The findings coincide with Microsoft's announcement that Excel 4.0 (XLM) macros are now disabled by default to protect users from this class of threat. "This setting now defaults to Excel 4.0 (XLM) macros being disabled in Excel (Build 16.0.14427.10000)," the company revealed last week.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.