The Emotet Malware
For the first time, the Emotet botnet has been observed delivering malware through URLs whose hosts use "unconventional" IP address formats, layered on top of its usual social engineering. According to researchers, this is a crafty attempt to evade detection by security solutions.
The development comes in the aftermath of a resurgence in Emotet activity late last year, following a 10-month break that came as a result of a coordinated law enforcement effort.
According to a threat analysis report published by Trend Micro on Friday, the technique relies on hexadecimal and octal representations of the IP address. When the underlying operating system processes such a host, it automatically converts it to the standard dotted-decimal quad form before the request to the remote server is made, so the unusual notation only appears in the lure, not on the wire.
Like earlier Emotet attacks, the infection chain relies on tricking users into enabling document macros, which then automate the execution of malicious code. The document uses Excel 4.0 (XLM) macros, a legacy feature that has been regularly abused by threat actors to distribute malware.
If the macro is enabled, it calls a URL that has been obfuscated with carets and whose host is an IP address written in hexadecimal, in order to run HTML Application (HTA) code fetched from the remote host.
The attack can be carried out in exactly the same way with the IP address written in octal rather than hexadecimal.
Researchers believe that current solutions relying on pattern matching may be circumvented by this unusual use of hexadecimal and octal IP addresses. Pattern-based detection is always evolving, and evasion tricks such as these are further evidence that attackers continue to innovate in order to bypass it.
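The practical fix for a pattern-matching detector is to normalise every host the same way the operating system does before matching it. The following is an added example, not code from Trend Micro's report or from the Emotet samples: it strips cmd.exe caret escapes, parses the host with the lenient inet_aton-style rules that resolvers apply (hexadecimal, octal and plain 32-bit decimal forms, plus dotted forms with fewer than four parts, which goes beyond the two notations the article names), and flags anything that is not a canonical dotted quad. All URLs and addresses in it are constructed samples, not real Emotet infrastructure.

```python
"""Normalise hexadecimal / octal / dword IP hosts to dotted-quad for detection.

Added example; not code from Trend Micro's report. The URLs below are
constructed samples, not real Emotet infrastructure.
"""
import re
from urllib.parse import urlsplit

# Per-part syntax accepted by inet_aton-style resolvers (BSD rules):
#   0x.. -> hexadecimal, leading 0 -> octal, otherwise decimal.
_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]+")
_DEC = re.compile(r"0|[1-9][0-9]*")


def _parse_part(part: str):
    """Return (value, form) for one dot-separated part, or raise ValueError."""
    if _HEX.fullmatch(part):
        return int(part, 16), "hex"
    if _OCT.fullmatch(part):
        return int(part, 8), "octal"
    if _DEC.fullmatch(part):
        return int(part, 10), "decimal"
    raise ValueError(f"not a numeric IP part: {part!r}")


def inet_aton_like(host: str):
    """Mimic the lenient inet_aton parsing that turns '0xC0A80164',
    '030052000544', '3232235876' and '192.168.1.100' into the same address.

    Returns (dotted_quad, forms), where forms lists the notation of each
    part, or None when host is not a numeric IP at all (e.g. a DNS name).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or any(p == "" for p in parts):
        return None
    try:
        parsed = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    values = [v for v, _ in parsed]
    forms = [f for _, f in parsed]
    # All but the last part are single bytes; the last part fills the rest.
    addr = 0
    for v in values[:-1]:
        if v > 0xFF:
            return None
        addr = (addr << 8) | v
    remaining = 4 - (len(values) - 1)
    if values[-1] >= 256 ** remaining:
        return None
    addr = (addr << (8 * remaining)) | values[-1]
    dotted = ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))
    return dotted, forms


def strip_carets(s: str) -> str:
    """Undo cmd.exe caret escaping: 'h^tt^p^:/^/' -> 'http://'."""
    return s.replace("^", "")


def analyse_url(raw: str) -> dict:
    """De-obfuscate a URL and report whether its host uses an unconventional
    IP notation that a plain dotted-quad signature would miss."""
    url = strip_carets(raw)
    host = urlsplit(url).hostname or ""
    result = inet_aton_like(host)
    if result is None:
        return {"raw": raw, "host": host, "dotted": None,
                "forms": [], "unconventional": False}
    dotted, forms = result
    # Anything other than the canonical a.b.c.d spelling is suspicious,
    # including zero-padded octets such as 192.168.001.100 (parsed as octal).
    return {"raw": raw, "host": host, "dotted": dotted,
            "forms": forms, "unconventional": host != dotted}


SAMPLES = [  # constructed lure URLs, not real Emotet C2
    "h^tt^p^:/^/0xC0A80164/fer/fer.html",     # hexadecimal host
    "h^tt^p^:/^/030052000544/fer/fer.html",   # octal host
    "http://3232235876/fer/fer.html",         # plain 32-bit decimal host
    "http://192.168.1.100/fer/fer.html",      # canonical form, not flagged
    "http://example.invalid/fer/fer.html",    # DNS name, left alone
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = analyse_url(sample)
        flag = "FLAG" if r["unconventional"] else "ok  "
        print(f"{flag} {r['host']:>18} -> {r['dotted']}  {r['forms']}")
```

Run the block as-is to see the three obfuscated samples resolve to the same dotted quad as the canonical one; in a real pipeline you would call analyse_url on each URL extracted from macro text or proxy logs and match signatures against the dotted field rather than the raw host.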
In November last year, researchers had already found evidence that Emotet was adapting its tactics to drop the TrickBot malware directly onto affected systems.
News of this latest delivery tactic came at the same time as Microsoft announced its intention to disable Excel 4.0 (XLM) macros by default in order to protect users.