Trend Micro discovered Emotet spam campaigns that used hexadecimal and octal representations of IP addresses to avoid detection using pattern matching. Both processes rely on social engineering to deceive users into enabling document macros and automate malware execution. When these standards are received, operating systems (OS) automatically transform the data to the dotted decimal quad representation in order to commence the request from remote servers.
Users and enterprises are advised to detect, block, and enable the appropriate security measures to prevent compromise while using Emotet for second-stage malware transmission such as TrickBot and Cobalt Strike.
Emotet first surfaced in 2014, when researchers found a relatively simple banking Trojan transmitted via phishing emails. It evolved several times over the years into a Malware-as-a-Service botnet, allowing access to compromised computers to those willing to pay. Unfortunately, there were a plethora of them, including ransomware gangs like Ryuk and the data-stealing malware Trickbot. These immediately took advantage of the initial access provided by Emotet, picking and choosing which victims to target with subsequent payloads.
According to Europol, Emotet's capability to move laterally among devices on a network made it one of the most durable pieces of malware detected in recent years. In reality, it has become one of the most serious threats researchers have seen in recent years, constantly ranking among the top ten campaigns detected, with over 1.6 million victim machines, according to the DoJ.
The samples researchers discovered begin with an email-attached document that employs Excel 4.0 Macros, an antiquated technology intended to automate repetitive processes in Excel that malicious actors have exploited to distribute malware. In this scenario, abusing the feature allows the malware to execute once the document is opened using the auto-open macro. Carets are used to obfuscate the URL, and the host contains a hexadecimal representation of the IP address.
When the macro is run, it invokes cmd.exe > mshta.exe with the URL containing the hex representation of the IP address as an argument, which downloads and executes HTML application (HTA) code from the remote host.
Between November and December 2021, traces of Emotet were seen arbitrarily dropping Cobalt Strike beacons. However, during this year, operators were notably more picky about which targets the beacons were dropped on. Evasion strategies like this could be interpreted as proof that attackers are continuing to innovate in order to defeat pattern-based detection technologies. Furthermore, the atypical use of hexadecimal and octal IP addresses may result in evasion of current solutions reliant on pattern matching.
