
Novel obfuscation leveraged by Hive ransomware

The Hive ransomware gang has been using a novel obfuscation approach that encodes payloads as IPv4 addresses and runs them through a series of conversions, ultimately downloading Cobalt Strike beacons, BleepingComputer reports. The technique, dubbed "IPfuscation", was identified by Sentinel Labs researchers who examined several 64-bit Windows executables, all of which carried Cobalt Strike-delivering payloads. Hive hides the payload as a list of ASCII IPv4 address strings; converting those strings back from text to binary reveals shellcode. Researchers found that once the conversion completes, the malware executes the shellcode through direct SYSCALLs or proxy execution. Further IPfuscation variants have also been observed, in which the group uses IPv6 addresses, MAC addresses, and UUIDs as the carrier format. The findings suggest that relying on static signatures alone is inadequate for detecting such payloads; according to the researchers, organizations should also deploy behavioral detection, AI-based analysis, and holistic endpoint security to better detect IPfuscation techniques.
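An analyst-side decoder for the carrier formats described above, added here as an illustration and not code from the Sentinel Labs or BleepingComputer reports: it spots runs of address-shaped strings (as an analyst would see them in a strings dump) and converts them back to the bytes they stand for, so the decoded buffer can be inspected or hashed without running the sample. The regexes, the `min_run` threshold and the sample strings are assumptions constructed for the example.

```python
import ipaddress
import re

# Address-shaped string forms the report says Hive used as byte containers,
# each paired with a decoder that returns the bytes the string stands for.
SHAPES = {
    "ipv4": (re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
             lambda t: ipaddress.IPv4Address(t).packed),
    "ipv6": (re.compile(r"^(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$"),
             lambda t: ipaddress.IPv6Address(t).packed),
    "mac": (re.compile(r"^(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}$"),
            lambda t: bytes.fromhex(re.sub(r"[:-]", "", t))),
    "uuid": (re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$"),
             lambda t: bytes.fromhex(t.replace("-", ""))),
}

def classify(tok):
    """Return (kind, raw_bytes) for an address-shaped string, else None."""
    for kind, (pat, decode) in SHAPES.items():
        if pat.match(tok):
            try:
                return kind, decode(tok)
            except ValueError:  # shape matched but value does not parse (octet > 255)
                return None
    return None

def find_runs(strings, min_run=4):
    """Group consecutive same-kind address strings (e.g. lines of a strings dump);
    return [(kind, decoded_bytes, count)] for runs of at least min_run, so a
    lone genuine address is ignored while a long run is flagged and decoded."""
    runs, cur = [], None  # cur = [kind, bytearray, count]
    for s in strings:
        hit = classify(s.strip())
        if hit and cur and hit[0] == cur[0]:
            cur[1] += hit[1]
            cur[2] += 1
            continue
        if cur and cur[2] >= min_run:
            runs.append((cur[0], bytes(cur[1]), cur[2]))
        cur = [hit[0], bytearray(hit[1]), 1] if hit else None
    if cur and cur[2] >= min_run:
        runs.append((cur[0], bytes(cur[1]), cur[2]))
    return runs

# Constructed strings-dump sample (not from a real binary): four IPv4 literals
# that decode to the harmless marker b"IPFUSCATION_DEMO", plus one real address.
SAMPLE_STRINGS = ["kernel32.dll", "10.0.0.1", "GetProcAddress",
                  "73.80.70.85", "83.67.65.84", "73.79.78.95", "68.69.77.79",
                  "ExitProcess"]

if __name__ == "__main__":
    for kind, data, n in find_runs(SAMPLE_STRINGS):
        print(f"{n} {kind} strings -> {len(data)} bytes: {data!r}")
```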
