According to Ian Kenefick, Trend Micro’s Threat Analyst ,”This involves the use of hexadecimal and octal representations of the IP address, which are automatically converted “to the dotted decimal quad representation to initiate the request from the remote servers when processed by the underlying operating systems”.
For the first time, social engineering activities employing the Emotet malware botnet have been spotted using “unconventional” IP address formats in an attempt to avoid detection by security solutions.
Once activated, the macro calls a URL obfuscated with carets, with the host integrating a hexadecimal representation of the IP address — “http://0xc12a24f5/cc.html” — to run HTML application (HTA) code from a remote host.
The sole variation in this variant of the phishing assault is that the IP address is now encoded in octal format — “http://0056.0151.0121.0114/c.html.”
Kenefick noted. “Attackers are continue to develop to avoid pattern-based detection methods, as evidenced by these evasion approaches. The unusual use of hexadecimal and octal IP addresses may result in evasion of current pattern-matching-based solutions.
The news comes after Emotet restarted functioning late last year after a 10-month break following a coordinated law enforcement investigation. Researchers discovered indications of the malware altering its techniques in December 2021, when it began dropping Cobalt Strike Beacons directly onto affected PCs.
Finally the researchers concluded that ,” The findings coincide with Microsoft’s announcement that Excel 4.0 (XLM) Macros will be disabled by default to protect users from security threats. In Excel (Build 16.0.14427.10000), this setting now defaults to Excel 4.0 (XLM) macros being disabled.
Indicators of compromise
|e492f31ca20d99888b2434dcb4d9af1f93ed4c485b9bd2bc550ce8ae8021b9cd||Hexadecimal IP address sample||Trojan.XF.HIDDBOOK.SMTH|
|3e9701129f13f13f7b873f55dc3d43d04cbd1dd3f85814270bb1b177394926b5||Octal IP address sample||Trojan.XF.EMOTET.SMYXBLAA|