A SentinelOne analysis examines Hive Ransomware’s IPfuscation technique, which hides a shellcode payload as an array of ASCII IP address strings that the loader converts back into binary at runtime. The write-up covers the IPv4/IPv6 IPfuscation, UUIDfuscation, and MACfuscation variants, Hell’s Gate and Golang/Cobalt Strike loaders, TTPs used by the Hive affiliate program, and a set of IOCs to help detect the campaign. #IPfuscation #IPfuscated #UUIDfuscation #MACfuscation #HellsGate #CobaltStrike #HiveRansomware
Key points
- The obfuscated payload masquerades as an array of ASCII IPv4 addresses; each IP string is translated to binary to reveal shellcode that is then executed.
- IPfuscated variants use IPv4, IPv6, UUIDs, and MAC addresses to hide the payload; the Hell’s Gate variant executes the decoded shellcode through direct syscalls instead of an EnumUILanguagesA callback.
- The loader chain culminates in a Cobalt Strike stager that downloads and executes Beacon, often via multiple loaders (IPfuscated, Golang loader, vanilla Beacon DLL).
- Attackers leverage Hive Ransomware Affiliate Program TTPs, including pre-deployment PowerShell/BAT, AD enumeration, password spraying, and GPO-based deployment.
- Signatures and IOCs include multiple SHA-1/SHA-256 hashes, IP addresses and domains associated with Cobalt Strike infrastructure and C2 servers.
- MITRE ATT&CK mapping for observed actions includes BAT/PowerShell scripts, Scheduled Tasks, AD enumeration, password spraying, Kerberos ticket requests, RDP lateral movement, SAM dumps, domain GPOs, and password theft from Group Policy Preferences.
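As an added example (not code from the SentinelOne write-up), the following Python decoder reverses the string-to-bytes step for the IPv4, IPv6, MAC and UUID variants described above, run against constructed sample arrays that hide a harmless marker string rather than shellcode. The UUID byte order assumes the loader parsed UUIDs with Windows UuidFromStringA, which stores the first three fields little-endian.

```python
import ipaddress
import re
import uuid

# Constructed sample: these IPv4 strings encode the ASCII bytes of a harmless
# marker text, standing in for the shellcode bytes a real sample would hide.
IPV4_SAMPLE = ["72.101.108.108", "111.44.32.72", "105.118.101.33"]
# The same bytes in the MAC (6 bytes per string) and UUID (16 bytes per string,
# so the single UUID is zero-padded) layouts that the write-up also describes.
MAC_SAMPLE = ["48-65-6C-6C-6F-2C", "20-48-69-76-65-21"]
UUID_SAMPLE = ["6C6C6548-2C6F-4820-6976-652100000000"]

# Shape checks, tried in this order so a colon-separated MAC is not taken for IPv6.
PATTERNS = {
    "ipv4": re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$"),
    "mac": re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$"),
    "uuid": re.compile(r"^\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$"),
    "ipv6": re.compile(r"^[0-9A-Fa-f:]+$"),
}

def variant_of(token: str) -> str:
    """Name the obfuscation variant a single string belongs to."""
    for name, pattern in PATTERNS.items():
        if pattern.match(token):
            return name
    raise ValueError(f"not an IP/MAC/UUID-shaped token: {token!r}")

def decode_token(token: str) -> bytes:
    """Turn one token back into the bytes the loader's string parser would yield."""
    kind = variant_of(token)
    if kind == "ipv4":
        return ipaddress.IPv4Address(token).packed  # 4 bytes, one per octet
    if kind == "ipv6":
        return ipaddress.IPv6Address(token).packed  # 16 bytes, network order
    if kind == "mac":
        return bytes.fromhex(re.sub(r"[:-]", "", token))  # 6 bytes
    # Assumption: the loader parsed UUIDs with Windows UuidFromStringA, which
    # stores the first three fields little-endian; use .bytes if it did not.
    return uuid.UUID(token.strip("{}")).bytes_le  # 16 bytes

def decode_blob(tokens: list[str]) -> bytes:
    """Recover the hidden blob from an array of tokens of one variant."""
    kinds = {variant_of(t) for t in tokens}
    if len(kinds) != 1:
        raise ValueError(f"mixed variants in array: {sorted(kinds)}")
    return b"".join(decode_token(t) for t in tokens)
```

Pointing decode_blob at the string array extracted from a suspect binary yields the blob for further static inspection; a large contiguous run of same-shaped address strings in a .data or .rdata section is itself a cheap triage signal.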
MITRE Techniques
- [T1027] Obfuscated/Compressed Files and Information – The payload is hidden inside IP-formatted strings that decode to a shellcode blob, as described: “The samples in question … masquerades itself as an array of ASCII IPv4 addresses.”
- [T1059] BAT/PowerShell scripts – Used to automate pre-ransomware deployment actions: “pre-deployment Powershell and BAT scripts are used to prepare the environment for distribution of the ransomware.”
- [T1053] Scheduled Tasks – Used to deploy the ransomware payload: “Scheduled Tasks are used to deploy digitally signed ransomware across the victim’s network.”
- [T1087] Active Directory Discovery – AD enumeration via ADFind, SharpView, BloodHound: “Active Directory enumeration.”
- [T1110.003] Password Spraying – Performed with SharpHashSpray and SharpDomainSpray: “Password spraying was performed with SharpHashSpray and SharpDomainSpray.”
- [T1558] Kerberos Tickets – Rubeus used to request Kerberos Ticket Granting Tickets: “Rubeus was used to request TGTs.”
- [T1021.001] RDP – Lateral movement via RDP: “RDP” as a lateral movement method.
- [T1003.002] SAM Dump – Credential theft from SAM: “SAM Dump.”
- [T1587.002] Signed Ransomware – Ransomware payload is digitally signed: “Signed Ransomware.”
- [T1484] Domain Policy GPO – Deploy ransomware via Group Policy: “Domain Policy GPO.”
- [T1552.006] Net-GPPPassword – Steal cleartext passwords from Group Policy Preferences: “Net-GPPPassword.”
- [T1071.001] Web Protocols – Cobalt Strike beacons and C2 infrastructure (Cobalt Strike server) are used for command and control: “Cobalt Strike remains their implant of choice.”
Indicators of Compromise
- [SHA1] IPfuscated Cobalt Strike stager (Hell’s Gate variant) – d83df37d263fc9201aa4d98ace9ab57efbb90922, 49fa346b81f5470e730219e9ed8ec9db8dd3a7fa
- [SHA256] UUID variant – 065de95947fac84003fd1fb9a74123238fdbe37d81ff4bd2bff6e9594aad6d8b, 0809e0be008cb54964e4e7bda42a845a4c618868a1e09cb0250210125c453e65
- [IPv4 Address] C2/delivery endpoints – 103.146.179.89, 1.15.80.102, 175.178.62.140, 84.32.188.238
- [Domain] Cobalt Strike domains – service-5inxpk6g-1304905614.gz.apigw.tencentcs[.]com, service-kibkxcw1-1305343709.bj.apigw.tencentcs[.]com:80
Read more: https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/