Emotet now uses unusual IP address formats to avoid detection


Short News:-

Phishing attacks use hexadecimal and octal IP addresses to evade detection by security solutions. Developments come amid renewed activity by Emotet malware following 10-month hiatus. Microsoft will disable Excel 4.0 (XLM) Macros by default to safeguard customers against security threats.




Detailed News:-

Social engineering campaigns involving the Emotet malware botnet have, for the first time, used "unconventional" IP address formats in a bid to avoid detection by security solutions.


IP addresses are encoded in hexadecimal and octal, which are then automatically converted "to the dotted decimal quad representation to initiate the request from remote servers," according to a report from Trend Micro's Threat Analyst, Ian Kenefick.


The delivery method itself is not new: malicious actors have repeatedly abused the Excel 4.0 Macros feature to distribute malware, and Emotet-related attacks have used it successfully in the past.


The macro's URL is obfuscated with carets, and the host is a hexadecimal representation of the IP address ("http:////0xc12a24f5/cc.html"), which is used to execute HTML application (HTA) code from the remote host.


Emotet Macro's URL is obfuscated with carets


The second phishing attack differs from the first only in that the IP address is now encoded in octal format: "http://0056.0151.0121.0114/c.html".


Hexadecimal and octal IP addresses may be used to evade current solutions that rely on pattern matching, according to Kenefick's assessment: "In order to evade pattern-based detection, attackers may be using new evasion techniques like these."
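The normalization a detector needs in order to see through these encodings, as an added example (not code from the original post or from Trend Micro): it strips the caret obfuscation and converts hexadecimal, octal and single-number ("dword") hosts to dotted-quad form the way inet_aton would, so the two URLs quoted above resolve to the same form a plain-IP indicator list would use. The function names are my own.

```python
import ipaddress
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Hosts made only of hex digits, 'x' and dots are candidates for the
# inet_aton-style numeric notations this post describes (hex, octal, dword).
_NUMERIC_HOST = re.compile(r"^[0-9a-fA-Fx.]+$")

def _part_to_int(part: str) -> int:
    """Parse one component the way inet_aton does: 0x = hex, leading 0 = octal."""
    if part.lower().startswith("0x"):
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)

def normalize_host(host: str) -> Optional[str]:
    """Return the dotted-quad form of a numeric host, or None if it is not one."""
    if not _NUMERIC_HOST.match(host):
        return None
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_part_to_int(p) for p in parts]
    except ValueError:
        return None
    # inet_aton semantics: every leading component is one byte, the last
    # component fills the remaining low bytes (1, 2, 3 or 4 of them).
    *lead, last = values
    last_bits = 8 * (4 - len(lead))
    if any(v > 0xFF for v in lead) or last >= (1 << last_bits):
        return None
    addr = last
    for shift, v in enumerate(reversed(lead)):
        addr |= v << (last_bits + 8 * shift)
    return str(ipaddress.IPv4Address(addr))

def decode_url_host(url: str) -> Tuple[str, Optional[str]]:
    """Undo caret obfuscation and extra slashes after the scheme, then return
    (host as written, canonical dotted-quad or None if not a numeric host)."""
    cleaned = url.replace("^", "")
    cleaned = re.sub(r"^([a-zA-Z][a-zA-Z0-9+.-]*:)/+", r"\1//", cleaned)
    host = urlsplit(cleaned).hostname or ""
    return host, normalize_host(host)
```

Run the canonical form, not the raw host string, against blocklists and proxy-log matching so the hex, octal and decimal spellings of one address all hit the same rule.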


This comes after a 10-month-long pause in Emotet activity following a coordinated law enforcement operation. Researchers found evidence in December 2021 that the malware had evolved its tactics to directly drop Cobalt Strike Beacons onto compromised systems.


The findings come at the same time as Microsoft announced plans to disable Excel 4.0 (XLM) Macros by default to protect customers from security breaches. According to the company, "This setting now defaults to Excel 4.0 (XLM) macros being disabled in Excel (Build 16.0.14427.10000)."
