According to Ian Kenefick, a threat analyst at Trend Micro: “This involves the use of hexadecimal and octal representations of the IP address, which are automatically converted to the dotted decimal quad representation to initiate the request from the remote servers when processed by the underlying operating systems.”

For the first time, social engineering campaigns operated by the Emotet malware botnet have been spotted using “unconventional” IP address formats in an attempt to avoid detection by security solutions.

Once activated, the macro calls a URL obfuscated with carets, with the host written as a hexadecimal representation of the IP address, http://0xc12a24f5/cc.html (which the operating system resolves to 193.42.36.245), to run HTML Application (HTA) code fetched from that remote host.

The only difference in the second variant of the phishing attack is that the IP address is encoded in octal: http://0056.0151.0121.0114/c.html, which resolves to 46.105.81.76.

Kenefick noted: “Attackers continue to develop to avoid pattern-based detection methods, as evidenced by these evasion approaches. The unusual use of hexadecimal and octal IP addresses may result in evasion of current pattern-matching-based solutions.”
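The conversion the quoted text describes is deterministic, so a detection pipeline that canonicalises hosts before matching indicators removes this evasion rather than chasing each new encoding. The following Python script is an added example written for this page, not Trend Micro's tooling or anything taken from the Emotet samples; it parses the two URL forms reported above (hex and octal) and, more generally, any host accepted by the C library's inet_aton() rules (decimal dword, mixed components, one to four parts), undoes cmd.exe caret escaping, and reports whether the host was written in a non-canonical form. The caret-escaped and decimal-dword URLs in the sample list are constructed for the demonstration; only the hex and octal URLs are from the article.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Strict dotted-decimal quad: four decimal octets, no leading zeros, no hex prefix.
_CANONICAL_QUAD = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$"
)


def strip_cmd_carets(s: str) -> str:
    """Undo cmd.exe caret escaping: a '^' makes the following character literal."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == "^":
            if i + 1 < len(s):
                out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _parse_component(part: str) -> int:
    """Parse one dot-separated component with inet_aton() rules:
    '0x' prefix means hex, a leading '0' means octal, anything else is decimal."""
    if part[:2].lower() == "0x":
        digits = part[2:]
        if not re.fullmatch(r"[0-9a-fA-F]+", digits):
            raise ValueError(part)
        return int(digits, 16)
    if len(part) > 1 and part.startswith("0"):
        if not re.fullmatch(r"[0-7]+", part):
            raise ValueError(part)
        return int(part, 8)
    if not re.fullmatch(r"[0-9]+", part):
        raise ValueError(part)
    return int(part, 10)


def normalize_ipv4_host(host: str) -> Optional[str]:
    """Return the canonical dotted-decimal form of an inet_aton()-style IPv4 literal
    (hex, octal, decimal, one to four components), or None if host is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_component(p) for p in parts]
    except ValueError:
        return None
    # Every component but the last is one byte; the last one fills the remaining bytes.
    if any(v > 0xFF for v in values[:-1]):
        return None
    tail_bits = 8 * (5 - len(values))
    if values[-1] >= 1 << tail_bits:
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << tail_bits) | values[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def inspect_url(url: str) -> Optional[dict]:
    """Classify a URL whose host is a numeric IPv4 literal. Returns None for ordinary
    hostnames; otherwise the canonical host/URL and whether the host was obfuscated."""
    parts = urlsplit(strip_cmd_carets(url))
    host = parts.hostname
    if host is None:
        return None
    canonical = normalize_ipv4_host(host)
    if canonical is None:
        return None
    try:
        port = parts.port
    except ValueError:  # malformed port: keep the canonical host only
        port = None
    netloc = canonical if port is None else f"{canonical}:{port}"
    return {
        "original_host": host,
        "canonical_host": canonical,
        "obfuscated": not _CANONICAL_QUAD.match(host),
        "canonical_url": urlunsplit(parts._replace(netloc=netloc)),
    }


if __name__ == "__main__":
    SAMPLES = [
        "http://0xc12a24f5/cc.html",                    # hex form reported in the article
        "http://0056.0151.0121.0114/c.html",            # octal form reported in the article
        "h^t^t^p^:^/^/^0^x^c^1^2^a^2^4^f^5^/^c^c^.^h^t^m^l",  # constructed caret-escaped variant
        "http://3240764661/cc.html",                    # constructed: same host as a decimal dword
        "http://193.42.36.245/cc.html",                 # already canonical
        "http://example.com/cc.html",                   # not a numeric literal
    ]
    for u in SAMPLES:
        print(u, "->", inspect_url(u))
```

Matching the canonical_url field against indicator lists, and alerting on obfuscated being true regardless of the destination, covers the hex and octal cases above and any further encoding a later variant might switch to.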

The news comes after Emotet resumed operations late last year following a 10-month break caused by a coordinated law enforcement operation. Researchers found signs of the malware changing its techniques in December 2021, when it began dropping Cobalt Strike Beacons directly onto infected machines.

Finally, the researchers concluded: “The findings coincide with Microsoft’s announcement that Excel 4.0 (XLM) macros will be disabled by default to protect users from security threats. In Excel (Build 16.0.14427.10000), this setting now defaults to Excel 4.0 (XLM) macros being disabled.”

Indicators of compromise

SHA-256: e492f31ca20d99888b2434dcb4d9af1f93ed4c485b9bd2bc550ce8ae8021b9cd
Description: Hexadecimal IP address sample
Detection name: Trojan.XF.HIDDBOOK.SMTH

SHA-256: 3e9701129f13f13f7b873f55dc3d43d04cbd1dd3f85814270bb1b177394926b5
Description: Octal IP address sample
Detection name: Trojan.XF.EMOTET.SMYXBLAA
