For the first time, social engineering campaigns distributing the Emotet malware have been observed using “unconventional” IP address formats in an attempt to evade detection by security products.
This involves using hexadecimal and octal representations of the IP address, which the underlying operating system automatically converts “to the dotted decimal quad representation to initiate the request from the remote servers,” according to a report by Trend Micro threat analyst Ian Kenefick.
As in earlier Emotet campaigns, the infection chain relies on tricking users into enabling document macros, after which execution of the malware is automated. The lure document uses Excel 4.0 (XLM) macros, a legacy feature that attackers have repeatedly abused to distribute malware.
Once enabled, the macro invokes a URL obfuscated with carets (the caret is the cmd.exe escape character, so it is dropped when the command line is interpreted). The host is a hexadecimal representation of the IP address, “h^tt^p^:/^/0xc12a24f5/cc.html”, from which HTML application (HTA) code is fetched and run. A second variant of the attack follows the same flow; the only difference is that the IP address is encoded in octal, as in “h^tt^p^:/^/0056.0151.0121.0114/c.html.”
“The unconventional use of hexadecimal and octal IP addresses may result in evading current solutions reliant on pattern matching,” Kenefick explained. “Evasion techniques like these could be considered evidence of attackers continuing to innovate to thwart pattern-based detection solutions.”
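To make the evasion concrete, the following is an added example (written for this page, not code from the Trend Micro report or from Emotet itself). It re-implements the inet_aton()-style parsing rules that turn a hexadecimal or octal literal into a dotted quad, strips the caret obfuscation, and shows that a naive dotted-quad signature misses both URLs quoted above but matches once the host is normalised. The parser is written by hand rather than calling socket.inet_aton(), because acceptance of hex and octal forms by that call varies across platforms; the rules it implements (1 to 4 dot-separated parts with the last part filling the remaining bytes, “0x” prefix for hex, leading “0” for octal) are an assumption about what matters here, not an exhaustive clone of inet_aton().

```python
"""
Canonicalise the "unconventional" IPv4 literals seen in the Emotet URLs
so that pattern-based detections see the dotted-quad form the OS will
actually connect to.  Added example, not code from the report.
"""
import re
from urllib.parse import urlsplit

# Assumed inet_aton() component rules: "0x" -> hex, leading "0" -> octal,
# otherwise decimal.  Digit sets are validated explicitly because int()
# would also accept underscores and surrounding whitespace.
_DIGITS = {16: r"[0-9a-fA-F]+", 8: r"[0-7]+", 10: r"[0-9]+"}


def parse_part(part: str):
    """Parse one dotted component the way inet_aton() does; None if invalid."""
    if part[:2].lower() == "0x":
        base, digits = 16, part[2:]
    elif len(part) > 1 and part[0] == "0":
        base, digits = 8, part[1:]
    else:
        base, digits = 10, part
    if not re.fullmatch(_DIGITS[base], digits):
        return None
    return int(digits, base)


def inet_aton_like(host: str):
    """Return the 32-bit address for an inet_aton()-style literal, else None.

    Supports a / a.b / a.b.c / a.b.c.d: every leading part is one byte and
    the final part fills whatever bytes remain.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    lead, last = values[:-1], values[-1]
    if any(v > 0xFF for v in lead):
        return None
    last_bits = 8 * (4 - len(lead))          # bytes left for the final part
    if last >= 1 << last_bits:
        return None
    addr = 0
    for v in lead:
        addr = (addr << 8) | v
    return (addr << last_bits) | last


def to_dotted_quad(addr: int) -> str:
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def strip_cmd_carets(s: str) -> str:
    """Undo cmd.exe caret escaping: '^X' -> 'X' (so '^^' -> '^')."""
    return re.sub(r"\^(.)", r"\1", s)


def normalize_url(obfuscated: str) -> str:
    """Remove caret obfuscation and rewrite a hex/octal host as a dotted quad."""
    url = strip_cmd_carets(obfuscated)
    u = urlsplit(url)
    addr = inet_aton_like(u.hostname or "")
    if addr is None:
        return url                           # not an IP literal; leave as-is
    port = f":{u.port}" if u.port else ""
    return f"{u.scheme}://{to_dotted_quad(addr)}{port}{u.path}"


# The kind of dotted-quad pattern many signatures rely on.
NAIVE_IPV4 = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")


def naive_ip_match(url: str) -> bool:
    return NAIVE_IPV4.search(url) is not None


if __name__ == "__main__":
    # The two URLs quoted in the report; carets are cmd.exe escapes.
    for sample in ("h^tt^p^:/^/0xc12a24f5/cc.html",
                   "h^tt^p^:/^/0056.0151.0121.0114/c.html"):
        print(f"{sample:42} naive match: {naive_ip_match(sample)!s:5} "
              f"-> {normalize_url(sample)}")
```

Running the script shows both obfuscated URLs failing the naive pattern and resolving to http://193.42.36.245/cc.html and http://46.105.81.76/c.html respectively. The practical lesson is to apply this kind of canonicalisation before matching, or to match on the decoded destination (proxy logs, DNS-less outbound connections) rather than on the literal string in the lure.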
The findings come as Emotet resumed operations late last year, ten months after a coordinated law enforcement takedown forced it offline. In December 2021, researchers observed the malware changing tactics, dropping Cobalt Strike beacons directly onto infected machines.
The findings coincide with Microsoft’s announcement that Excel 4.0 (XLM) Macros will be disabled by default to protect users from security threats. “This setting now defaults to Excel 4.0 (XLM) macros being disabled in Excel (Build 16.0.14427.10000),” the company revealed last week.