The Emotet malware botnet is using unconventional IP address formats for the first time to evade detection by security solutions.
According to Trend Micro threat analyst Ian Kenefick, the malware uses hexadecimal and octal representations of the IP address, “which get automatically converted when processed by the underlying operating systems” to the dotted decimal quad representation to initiate the request from the remote servers.
Like earlier Emotet-related attacks, it aims to trick users into enabling document macros and automate malware execution. Bad actors are repeatedly delivering the malware using Excel 4.0 macros in the document.
When enabled, the macro invokes a URL obfuscated with carets whose host is a hexadecimal representation of the IP address — “h^tt^p^:/^/0xc12a24f5/cc.html” — to execute HTML application (HTA) code from the remote host.
The second variant of the Emotet malware botnet uses the same method, the only difference being that this time the IP address is encoded in octal format — “h^tt^p^:/^/0056.0151.0121.0114/c.html”.
Kenefick said, “The unconventional use of hexadecimal and octal IP addresses may result in evading current solutions reliant on pattern matching. Evasion techniques like these could be considered evidence of attackers continuing to innovate to thwart pattern-based detection solutions.”
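One way a defender can make URL pattern matching robust against this, as an added example (not Trend Micro's or the article's own code): a Python normalizer that strips the caret obfuscation and rewrites inet_aton-style numeric hosts (hex, octal, plain decimal, and forms with fewer than four parts) into dotted-quad form before any signature or blocklist is applied. The two URLs quoted in the article are used as the sample input.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

def parse_part(s: str) -> int:
    """Parse one host component the way inet_aton does: 0x.. is hex, 0.. is octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", s):
        return int(s, 16)
    if re.fullmatch(r"0[0-7]+", s):
        return int(s, 8)
    if re.fullmatch(r"0|[1-9][0-9]*", s):
        return int(s, 10)
    raise ValueError(f"not a numeric component: {s!r}")

def normalize_host(host: str) -> Optional[str]:
    """Return the dotted-quad form of an inet_aton-style numeric host, or None if it is not numeric."""
    try:
        parts = [parse_part(p) for p in host.split(".")]
    except ValueError:
        return None
    if not 1 <= len(parts) <= 4:
        return None
    # All but the last component are single octets; the last one fills the remaining bytes
    # (so "192.168.1" means 192.168.0.1 and a lone number is the whole 32-bit address).
    *head, tail = parts
    if any(p > 0xFF for p in head):
        return None
    tail_bits = 8 * (4 - len(head))
    if tail >= 1 << tail_bits:
        return None
    value = 0
    for p in head:
        value = (value << 8) | p
    value = (value << tail_bits) | tail
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def normalize_url(obfuscated: str) -> str:
    """Strip caret obfuscation and rewrite a numeric host into dotted-quad form; other hosts pass through."""
    url = obfuscated.replace("^", "")
    parts = urlsplit(url)
    canonical = normalize_host(parts.hostname or "")
    if canonical is None:
        return url
    netloc = canonical if parts.port is None else f"{canonical}:{parts.port}"
    return parts._replace(netloc=netloc).geturl()

if __name__ == "__main__":
    # Sample input taken from the article's two quoted URLs.
    for sample in ("h^tt^p^:/^/0xc12a24f5/cc.html", "h^tt^p^:/^/0056.0151.0121.0114/c.html"):
        print(sample, "->", normalize_url(sample))
```

Run the normalizer over extracted URLs before matching, so a rule written for the dotted-quad form also fires on the hex and octal spellings.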
Microsoft also plans to disable Excel 4.0 (XLM) macros by default to safeguard customers against security threats. Last week the company announced, “This setting now defaults to Excel 4.0 (XLM) macros being disabled in Excel (Build 16.0.14427.10000).”