URL: https://duo.com/decipher/emotet-spam-attacks-use-hexadecimal-octal-ip-addresses
Submission: On February 02 via manual from JP — Scanned from JP


Jan 21, 2022


EMOTET SPAM ATTACKS USE HEXADECIMAL, OCTAL IP ADDRESSES

By Lindsey O’Donnell-Welch

The known tactic, which helps attackers sidestep detection, has been observed in
spam messages that deploy Emotet.

Researchers have observed recent Emotet campaigns adopting a known technique -
utilizing “unconventional” representations of IP addresses - for the first time,
in order to avoid detection.

There are various formats for representing IP addresses, the unique numerical
addresses assigned to each device on a network. Most people are familiar with
the dotted-decimal notation, the format that uses a string of four decimal
numbers separated by single periods. Other representations exist outside of the
dotted-decimal notation, however, including the octal notation, where each
decimal number is converted to an octal value, and the hexadecimal notation,
where each decimal number is converted to a hexadecimal value.

Web browsers accept these different IP formats as valid by automatically
converting them to a dotted-decimal IP address. Threat actors launching spam or
phishing attacks have previously employed such encoded hexadecimal and octal IP
address formats in their URL hostname parts - including ones in 2020 to redirect
victims to websites selling fake pills, medicine, and health products - in order
to trick the email gateway and lure the end-user victim into clicking the URLs.
Researchers with Trend Micro in a Friday analysis of the attack said they
believe this was the aim of the spammers in a recently observed campaign, which
had the end goal of infecting email recipients with the Emotet malware.

Ian Kenefick, threat hunter with Trend Micro, said that while the abuse of these
IP address formats by cybercriminals has been prevalent over the past decade,
it's the first time this tactic has been observed in Emotet campaigns.

"The actors behind Emotet are constantly tweaking their techniques in order to
evade defenses and this latest development represents yet another effort to
sidestep defenses," said Kenefick.

The spam campaign, which targeted victims in North America, Europe and Asia,
used hijacked email threads with an attached document leveraging Excel 4.0
macros, a feature that is commonly abused by cybercriminals (and that Microsoft
this week announced would be disabled by default for Microsoft 365 tenants).
Once the target enabled macros, the malware was executed.

In the recent Emotet campaign, “the URL is obfuscated with carets and the host
contains a hexadecimal representation of the IP address,” said researchers.
“Once executed, the macro invokes cmd.exe > mshta.exe with the URL containing
the hex representation of the IP address as an argument, which will download and
execute an HTML application (HTA) code from the remote host.”

Similarly, in another email, researchers found the URL obfuscated with carets
and the host containing the octal representation of the IP address. When given
these representations, operating systems automatically convert the values to
the dotted-decimal form before initiating the request to the remote server,
researchers said. These hexadecimal and octal IP addresses could help attackers
evade spam detection systems and URL blocklists, but on the other hand security
teams can treat the tactic as a detection opportunity by enabling filters that
flag such IP address formats as suspicious.
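The conversion described above, written out as an added example (this is not Trend Micro's or Decipher's code). It follows the IPv4 parsing rules of the WHATWG URL Standard, which is what browsers apply to a host component: each dot-separated part may be decimal, `0x`-prefixed hexadecimal or leading-zero octal, and a short form such as a single 32-bit number fills the remaining bytes. A second function flags any IPv4 literal not written in plain dotted-decimal, the filter the article suggests. The caret stripping mirrors cmd.exe's treatment of `^` as an escape character, which is why a caret-obfuscated URL reaches mshta.exe intact; the sample URLs are constructed from documentation-range addresses and are not indicators from the campaign.

```python
"""Normalise unconventional IPv4 host spellings (hex, octal, dword) to
dotted-decimal so URL filters and blocklists compare like with like.
Added example following the WHATWG URL Standard IPv4 parser; not code
from Trend Micro or Decipher."""
from __future__ import annotations

import string
from urllib.parse import urlsplit

# Characters permitted in a part for each radix (validated by hand because
# int(s, base) would also accept signs and underscores).
_DIGITS = {8: "01234567", 10: string.digits, 16: string.hexdigits}


def _parse_part(part: str) -> int | None:
    """Parse one dot-separated component the way a browser does."""
    if part == "":
        return None
    radix = 10
    if part[:2].lower() == "0x":
        part, radix = part[2:], 16          # hexadecimal part
    elif len(part) >= 2 and part[0] == "0":
        part, radix = part[1:], 8           # leading zero means octal
    if part == "":
        return 0                            # a bare "0x" parses as 0
    if not all(c in _DIGITS[radix] for c in part):
        return None
    return int(part, radix)


def normalize_ipv4(host: str) -> str | None:
    """Return the dotted-decimal form if `host` is any IPv4 spelling a
    browser would accept, else None (for names such as example.com)."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()                         # a trailing dot is tolerated
    if not 1 <= len(parts) <= 4:
        return None
    numbers = [_parse_part(p) for p in parts]
    if any(n is None for n in numbers):
        return None
    if any(n > 255 for n in numbers[:-1]):
        return None
    # The last part supplies every byte not covered by the earlier parts.
    if numbers[-1] >= 256 ** (5 - len(numbers)):
        return None
    value = numbers[-1]
    for i, n in enumerate(numbers[:-1]):
        value += n * 256 ** (3 - i)
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_unconventional_ip(host: str) -> bool:
    """True when the host is an IPv4 literal written in anything other than
    plain dotted-decimal: a cheap signal for a spam or URL filter."""
    canonical = normalize_ipv4(host)
    return canonical is not None and canonical != host


def strip_cmd_carets(command_line: str) -> str:
    """cmd.exe drops ^ (its escape character) before running a command, so
    h^t^t^p://... is handed on as http://... . Applied here before parsing."""
    return command_line.replace("^", "")


def triage_url(url: str) -> dict:
    """Normalise a possibly caret-obfuscated URL and report on its host."""
    host = urlsplit(strip_cmd_carets(url)).hostname or ""
    return {
        "host": host,
        "canonical": normalize_ipv4(host),
        "suspicious": is_unconventional_ip(host),
    }


# Constructed sample inputs using the 192.0.2.0/24 documentation range;
# these are illustrations, not indicators from any real campaign.
SAMPLE_URLS = [
    "h^t^t^p://0xC0000201/x.hta",     # hex dword, caret-obfuscated scheme
    "http://0300.0.02.01/x.hta",      # octal parts
    "http://3221225985/x.hta",        # decimal dword
    "http://192.0.2.1/x.hta",         # conventional spelling
    "http://example.com/x.hta",       # not an IP literal at all
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample, "->", triage_url(sample))
```

All three unconventional spellings above resolve to the same documentation address, 192.0.2.1, which is the point of canonicalising before a blocklist lookup: a list entry in dotted-decimal only matches if the filter normalises the host the same way the browser or operating system will.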

“Users and businesses are cautioned to detect, block, and enable the relevant
security measures to prevent compromise using Emotet for second stage delivery
of malware such as TrickBot and Cobalt Strike,” said Kenefick. He added,
organizations can "use security solutions which leverage behaviour monitoring,
machine learning technologies and custom sandboxing – all of which combine to
provide an effective defense against new techniques without requiring specific
updates to detect them."

After returning in November - nearly ten months after law enforcement disrupted
its infrastructure in an international coordinated operation - Emotet has been
seen in various spam campaigns in recent months. In December, researchers
observed the malware updating its attack vector by installing Cobalt Strike
beacons directly, for instance, rather than dropping an intermediate payload
first. Kenefick said researchers expect Emotet actors to continue to evolve
their tactics in an effort to evade security solutions.

"While the exact techniques they use to bypass defenses will continue to change
and are harder to predict, their business model and focus is well defined –
building a leading criminal platform for malware distribution that allows their
criminal customer base to serve up malware directly to their target demographics
at scale," Kenefick said.

Copyright 2022 Duo Security