Researchers have observed recent Emotet campaigns adopting a known technique - utilizing “unconventional” representations of IP addresses - for the first time, in order to avoid detection.
There are various formats for representing IP addresses, the unique numerical addresses assigned to each device on a network. Most people are familiar with dotted-decimal notation, a string of four decimal numbers separated by single periods. Other representations exist outside of dotted-decimal notation, however, including octal notation, where each decimal number is converted to an octal value, and hexadecimal notation, where each decimal number is converted to a hexadecimal value.
Web browsers accept these different IP formats as valid by automatically converting them to a dotted-decimal IP address. Threat actors launching spam or phishing attacks have previously employed such encoded hexadecimal and octal IP address formats in their URL hostname parts - including ones in 2020 to redirect victims to websites selling fake pills, medicine, and health products - in order to trick the email gateway and lure the end-user victim into clicking the URLs. Researchers with Trend Micro in a Friday analysis of the attack said they believe this was the aim of the spammers in a recently observed campaign, which had the end goal of infecting email recipients with the Emotet malware.
Ian Kenefick, threat hunter with Trend Micro, said that while the abuse of these IP address formats by cybercriminals has been prevalent over the past decade, it's the first time this tactic has been observed in Emotet campaigns.
"The actors behind Emotet are constantly tweaking their techniques in order to evade defenses and this latest development represents yet another effort to sidestep defenses," said Kenefick.
The spam campaign, which targeted victims in North America, Europe and Asia, used hijacked email threads with an attached document leveraging Excel 4.0 macros, a feature that is commonly abused by cybercriminals (and that Microsoft this week announced would be disabled by default for Microsoft 365 tenants). Once the target enabled macros, the malware was executed.
In the recent Emotet campaign, “the URL is obfuscated with carets and the host contains a hexadecimal representation of the IP address,” said researchers. “Once executed, the macro invokes cmd.exe > mshta.exe with the URL containing the hex representation of the IP address as an argument, which will download and execute an HTML application (HTA) code from the remote host.”
Similarly, researchers found another email in which the URL was obfuscated with carets and the host contained an octal representation of the IP address. When handed an address in one of these notations, operating systems automatically convert the value to its dotted-decimal representation before initiating the request to the remote server, researchers said. These hexadecimal and octal IP addresses could help attackers evade spam detection systems and URL blocklists, but security teams can also view the tactic as a detection opportunity by enabling filters that flag such IP addresses as suspicious.
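The conversion the article describes, and the detection filter it suggests, as an added example (not code from the original article or from Trend Micro): the function emulates the BSD inet_aton rules that browsers and OS resolvers follow, normalizes hex, octal, decimal-integer and short-form hosts to dotted-decimal, and flags any host that was not already written that way. Sample URLs and IP values are constructed placeholders, and the caret stripping mirrors how cmd.exe drops `^` escape characters.

```python
import re
from urllib.parse import urlsplit

# Only the characters an inet_aton-style parser accepts in an IPv4 literal.
_IPV4ISH = re.compile(r'^[0-9a-fA-FxX.]+$')

def _parse_part(part: str) -> int:
    """One dot-separated part, inet_aton style: 0x.. is hex, leading 0 is octal, else decimal."""
    if part[:2].lower() == '0x':
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == '0':
        return int(part, 8)
    return int(part, 10)

def normalize_ipv4(host: str):
    """Return (dotted_decimal, is_unconventional), or None if host is not an IPv4 literal.
    Follows the BSD inet_aton rules browsers and resolvers use: parts may be decimal,
    octal or hex, and with fewer than four parts the last one fills the remaining bytes."""
    if not _IPV4ISH.match(host):
        return None
    parts = host.split('.')
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    if any(v > 255 for v in values[:-1]):   # leading parts are single bytes
        return None
    last_width = 4 - (len(parts) - 1)        # bytes covered by the last part
    if values[-1] >= 1 << (8 * last_width):
        return None
    n = values[-1]
    for i, v in enumerate(reversed(values[:-1])):
        n |= v << (8 * (last_width + i))
    dotted = '.'.join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))
    return dotted, host != dotted

def flag_url(url: str):
    """Strip cmd.exe caret escapes, then report an IP-literal host and whether it is disguised."""
    host = urlsplit(url.replace('^', '')).hostname or ''
    result = normalize_ipv4(host)
    if result is None:
        return None
    dotted, odd = result
    return {'host': host, 'dotted': dotted, 'suspicious': odd}

if __name__ == '__main__':  # constructed samples; placeholder IPs, not real IoCs
    for u in ('h^t^t^p://0xc0a80001/x.hta', 'http://0300.0250.0.01/x.hta', 'http://192.168.0.1/'):
        print(u, '->', flag_url(u))
```

A host that normalizes to an address different from how it was written is the signal the article points to; plain dotted-decimal literals pass through with `suspicious` set to False.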
“Users and businesses are cautioned to detect, block, and enable the relevant security measures to prevent compromise using Emotet for second stage delivery of malware such as TrickBot and Cobalt Strike,” said Kenefick. He added that organizations can "use security solutions which leverage behaviour monitoring, machine learning technologies and custom sandboxing – all of which combine to provide an effective defense against new techniques without requiring specific updates to detect them."
After returning in November - nearly ten months after law enforcement disrupted its infrastructure in an international coordinated operation - Emotet has been seen in various spam campaigns in recent months. In December, researchers observed the malware updating its attack vector by installing Cobalt Strike beacons directly, for instance, rather than dropping an intermediate payload first. Kenefick said researchers expect Emotet actors to continue to evolve their tactics in an effort to evade security solutions.
"While the exact techniques they use to bypass defenses will continue to change and are harder to predict, their business model and focus is well defined – building a leading criminal platform for malware distribution that allows their criminal customer base to serve up malware directly to their target demographics at scale," Kenefick said.