The Hive ransomware gang has been leveraging a novel obfuscation approach involving IPv4 addresses and numerous conversions resulting in Cobalt Strike beacon downloads, BleepingComputer reports
The new technique dubbed "IPfuscation" was identified by Sentinel Labs researchers who examined various 64-bit Windows executables, all of which had Cobalt Strike-delivering payloads
Hive has obfuscated the payload by impersonating ASCII IPv4 addresses but converting the file from string to binary prompts the appearance of shellcode. Researchers found that upon completion, the shellcode will be executed by the malware through direct SYSCALLs or proxy execution.
More IPfuscation variants have been observed by researchers, with IPv6, MAC, and UUID addresses also being leveraged by the ransomware group. The findings suggest that static signature dependence alone is inadequate in detecting malicious payloads.
Organizations should also deploy behavioral detection, artificial intelligence-based analysis, and holistic security approaches for their endpoints to better detect IPfuscation techniques, according to researchers.