A recent Emotet malware campaign has been observed using "unconventional" IP address formats to evade detection. In particular, the threat actors are using hexadecimal and octal representations of the IP address.
The attack chain is the same one used in previous campaigns: the threat actors distribute the malware through weaponized Excel documents using Excel 4.0 Macros, a dated feature used to automate repetitive tasks in the popular Office software.
Once the recipient is tricked into enabling document macros, the malicious code contacts an obfuscated URL containing carets ("h^tt^p^:/^/0xc12a24f5/cc.html"), with the host incorporating a hexadecimal representation of the IP address, to execute HTML application (HTA) code from a remote host under the control of the attackers.
Experts pointed out that once executed, the macro also invokes cmd.exe > mshta.exe with the URL as an argument to download and execute HTA code from the remote host. This specific process chain could be used to detect the ongoing attack.
The researchers also spotted another variant of this malspam campaign that obfuscates the URL with carets, but where the IP is written in an octal representation. Decoding the string "h^tt^p^:/^/0056.0151.0121.0114/c.html" into dotted-quad format yields 46[.]105[.]81[.]76.
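The two decodings above were done by hand; a defender who wants to match such hosts against blocklists, or to flag them in mshta.exe command lines pulled from process logs, needs to do it automatically. The following added example (written for this article, not code from the researchers or from Emotet) strips the cmd.exe caret escapes and normalises any inet_aton-style IPv4 spelling (hexadecimal, octal, decimal, mixed, or fewer than four components) to canonical dotted decimal. It goes a little beyond the two forms the article quotes: it also accepts a single 32-bit decimal value and mixed-radix components, on the assumption that the downloader's URL parser follows the usual inet_aton conventions.

```python
import re
from urllib.parse import urlsplit

# Numeric forms accepted by inet_aton-style parsers (assumption: the
# campaign's URLs follow these conventions, as the article's decoded
# samples suggest).
_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]+")          # leading zero plus at least one more digit
_DEC = re.compile(r"0|[1-9][0-9]*")    # plain decimal, no leading zero


def strip_carets(text: str) -> str:
    """Remove the cmd.exe escape character used to break up the URL."""
    return text.replace("^", "")


def _part_to_int(part: str) -> int:
    """Decode one dot-separated component as hex, octal or decimal."""
    if _HEX.fullmatch(part):
        return int(part[2:], 16)
    if _OCT.fullmatch(part):
        return int(part, 8)
    if _DEC.fullmatch(part):
        return int(part, 10)
    raise ValueError(f"not a numeric address component: {part!r}")


def normalize_ip(host: str) -> str:
    """Convert any inet_aton-style IPv4 spelling to canonical dotted decimal.

    Accepts 1 to 4 components; the last component fills all remaining
    bytes, so a single 32-bit value such as 0xc12a24f5 is accepted.
    Raises ValueError for hostnames or out-of-range values.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"too many components: {host!r}")
    values = [_part_to_int(p) for p in parts]
    for v in values[:-1]:
        if v > 0xFF:
            raise ValueError(f"component out of range in {host!r}")
    remaining = 4 - (len(values) - 1)   # bytes covered by the last component
    if values[-1] >= 256 ** remaining:
        raise ValueError(f"final component out of range in {host!r}")
    number = 0
    for v in values[:-1]:
        number = (number << 8) | v
    number = (number << (8 * remaining)) | values[-1]
    return ".".join(str((number >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def analyze_url(url: str) -> dict:
    """Return the de-obfuscated URL, host, canonical IP and an 'obfuscated' flag.

    The flag is set when carets were present or when the host is a numeric
    address written in anything other than canonical dotted decimal.
    """
    cleaned = strip_carets(url)
    host = urlsplit(cleaned).hostname or ""
    try:
        ip = normalize_ip(host)
    except ValueError:
        ip = None                      # a real hostname, not a numeric address
    obfuscated = "^" in url or (ip is not None and ip != host)
    return {"url": cleaned, "host": host, "ip": ip, "obfuscated": obfuscated}


if __name__ == "__main__":
    # The two URL samples quoted in the article.
    for sample in ("h^tt^p^:/^/0xc12a24f5/cc.html",
                   "h^tt^p^:/^/0056.0151.0121.0114/c.html"):
        print(analyze_url(sample))
```

The `obfuscated` flag is the useful detection signal: a legitimate download almost never writes its host as a bare hex or octal number, so any URL whose normalised IP differs from the host string as written deserves a closer look, independently of whether the resulting address is already on a blocklist.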
The Emotet botnet was resurrected by its former operator, who was convinced to do so by the Conti ransomware gang. The shutdown of the Emotet operation had resulted in a lack of high-quality initial access brokers.
The vacuum left by the Emotet shutdown drove its resurgence; for this reason, its return will have a major impact on the threat landscape.