Unusual IP address formats have been observed in social engineering campaigns distributing the Emotet malware botnet in an effort to evade security system detection, reports The Hacker News.
Attackers have been using hexadecimal and octal IP address representations that are automatically converted by operating systems "to the dotted decimal quad representation to initiate the request from the remote servers," wrote Trend Micro Threat Analyst Ian Kenefick in a report.
Samples examined by researchers revealed that the attack chain begins with the commonly abused Excel 4.0 (XLM) macro feature. Once macros are enabled, the document invokes a caret-obfuscated URL that fetches and runs an HTML Application (HTA) from a remote host, with the host written as a hexadecimal IP address rather than a dotted-decimal one. The second attack variant was largely the same except that the host was written as an octal-coded IP address.
"The unconventional use of hexadecimal and octal IP addresses may result in evading current solutions reliant on pattern matching... Evasion techniques like these could be considered evidence of attackers continuing to innovate to thwart pattern-based detection solutions," Kenefick added.
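The evasion described above works because the operating system's address parser accepts more IPv4 spellings than most detection regexes do: a single hexadecimal or decimal integer, octal octets with leading zeros, and even fewer than four parts. The added example below (mine, not Trend Micro's or the article's code) shows the defensive counterpart: a normalizer that converts every spelling the parser would accept into canonical dotted-decimal, plus a scanner that strips cmd.exe-style caret escapes and flags URLs whose host does not round-trip to the same string. The sample command lines, the 192.168.0.1 address, the mshta invocation and all function names are constructed for illustration and do not come from the report.

```python
import re
from typing import List, Optional, Tuple

# Accept the three integer spellings the libc inet_aton() family accepts:
# 0x-prefixed hex, leading-zero octal, and plain decimal.
_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")
_DEC = re.compile(r"[1-9][0-9]*")


def _parse_part(tok: str) -> Optional[int]:
    """Parse one dot-separated part in hex, octal or decimal; None if it is not a number."""
    if _HEX.fullmatch(tok):
        return int(tok, 16)
    if _OCT.fullmatch(tok):      # a bare "0" is octal zero
        return int(tok, 8)
    if _DEC.fullmatch(tok):
        return int(tok, 10)
    return None                  # e.g. "08", "example", empty string


def normalize_ipv4(literal: str) -> Optional[str]:
    """Canonicalize any inet_aton-style IPv4 literal to dotted decimal.

    Follows inet_aton semantics: 1 to 4 parts, the last part fills all
    remaining bytes ("0x7f.1" -> 127.0.0.1, "0xC0A80001" -> 192.168.0.1).
    Returns None for hostnames or out-of-range values.
    """
    parts = literal.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = [_parse_part(p) for p in parts]
    if any(v is None for v in vals):
        return None
    *head, last = vals
    if any(v > 255 for v in head):
        return None
    last_bytes = 4 - len(head)             # bytes the final part must cover
    if last >= 1 << (8 * last_bytes):
        return None
    packed = 0
    for v in head:
        packed = (packed << 8) | v
    packed = (packed << (8 * last_bytes)) | last
    return ".".join(str((packed >> s) & 0xFF) for s in (24, 16, 8, 0))


def decaret(s: str) -> str:
    """Undo cmd.exe caret escaping ('h^t^tp' -> 'http'); an approximation of the shell's rule."""
    return re.sub(r"\^(.)", r"\1", s)


_URL_HOST = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def find_obfuscated_hosts(commands: List[str]) -> List[Tuple[str, str]]:
    """Return (host_as_written, canonical_ip) for every URL whose IP host is not already canonical."""
    findings = []
    for cmd in commands:
        for m in _URL_HOST.finditer(decaret(cmd)):
            host = m.group(1)
            canonical = normalize_ipv4(host)
            if canonical is None:          # hostname or unparsable: leave to other logic
                continue
            if canonical != host:          # canonical dotted decimal round-trips to itself
                findings.append((host, canonical))
    return findings


# Constructed sample command lines (not from the report); all resolve to 192.168.0.1.
SAMPLE_COMMANDS = [
    "mshta h^t^tp://0xC0A80001/a.hta",       # single hex integer, caret-obfuscated scheme
    "mshta http://0300.0250.0.01/b.hta",     # octal octets
    "mshta http://3232235521/c.hta",         # single decimal integer
    "mshta http://192.168.0.1/d.hta",        # canonical form, should not be flagged
    "mshta http://example.invalid/e.hta",    # hostname, ignored by this check
]

if __name__ == "__main__":
    for host, ip in find_obfuscated_hosts(SAMPLE_COMMANDS):
        print(f"obfuscated host {host!r} -> {ip}")
```

The useful property of `find_obfuscated_hosts` is that it does not need a blocklist of spellings: anything the OS would accept but that is not already canonical dotted decimal is surfaced, which is exactly the class of input a plain dotted-quad regex misses. In a real pipeline the canonical address, not the literal, is what should be matched against threat intelligence.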
SecurityWeek reports that the Trickbot Group, also tracked as ITG23 or Wizard Spider, has rapidly expanded its operations in the six years since the TrickBot malware family was first deployed, and has shifted to automated malware encryption (crypting) to evade detection.