IPfuscation is Hive’s New Technique to Evade Detection


To avoid detection, the Hive ransomware group has adopted a new obfuscation technique. It hides its payload inside an array of IPv4 address strings that a series of conversions turns back into shellcode, which in turn delivers a Cobalt Strike Beacon.

IPfuscation is a method of hiding a payload as a list of IP addresses.

Sentinel Labs researchers identified a new obfuscation method, dubbed IPfuscation, which is a simple but clever trick on the part of the threat actors.

Researchers spotted IPfuscation while examining 64-bit Windows Portable Executable (PE) files.

The payload was disguised as an array of ASCII IPv4 address strings.

It looks like a harmless list of IP addresses, but once the entries are converted and concatenated, the result is a blob of shellcode.

The list could easily be mistaken for hard-coded C2 communication data. However, until each IPv4 string in the file is converted back to binary, nothing usable can be recovered from it.

When the shellcode runs, it downloads further malicious payloads.

From IP addresses to shellcode

The conversion function from ip2string.h (RtlIpv4StringToAddressA) is fed the list of IP addresses one entry at a time; each string is converted to its four-byte binary form, and the results written back to back form a blob of shellcode.

The result is a regular Cobalt Strike stager (the Hell's Gate variant). The malware executes the shellcode either through direct syscalls or by proxying execution through a callback passed to the user interface language enumerator (EnumUILanguages).

The researchers also found IPfuscation variants that use IPv6 addresses, UUIDs, and MAC addresses instead of IPv4 addresses. Each relies on the matching string-to-binary conversion routine (RtlIpv6StringToAddressA, UuidFromStringA and RtlEthernetStringToAddressA respectively) and otherwise works the same way.
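The following C program is an added example, not code from the page or from Sentinel Labs. It reproduces both sides of the technique described above: encoding a byte blob as an array of dotted-quad strings and decoding that array back into bytes, using a portable strict dotted-decimal parser in place of the Windows-only RtlIpv4StringToAddressA. It then runs a simple triage heuristic that an analyst could apply to a PE section: the longest run of consecutive NUL-terminated IPv4 literals, which is the structural tell that an IPfuscated stager leaves even though the shellcode bytes themselves never appear. The sample blob and the scanned buffer are constructed test data (not real shellcode), zero-padding of blobs that are not a multiple of four bytes is this example's own assumption, and all function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPSTR_LEN 16            /* "255.255.255.255" plus NUL */

/* Encode a byte blob as dotted-quad strings, four bytes per entry. Blobs whose
 * length is not a multiple of 4 are zero-padded (an assumption of this example).
 * Returns the number of strings written. */
size_t ipfusc_encode(const uint8_t *blob, size_t len, char out[][IPSTR_LEN])
{
    size_t n = (len + 3) / 4;
    for (size_t i = 0; i < n; i++) {
        uint8_t q[4] = {0, 0, 0, 0};
        size_t take = len - 4 * i < 4 ? len - 4 * i : 4;
        memcpy(q, blob + 4 * i, take);
        snprintf(out[i], IPSTR_LEN, "%u.%u.%u.%u", q[0], q[1], q[2], q[3]);
    }
    return n;
}

/* Portable stand-in for RtlIpv4StringToAddressA in strict mode: exactly four
 * decimal octets, each 0..255, and nothing else. Returns 0 on success. */
int parse_ipv4(const char *s, uint8_t out[4])
{
    for (int octet = 0; octet < 4; octet++) {
        if (*s < '0' || *s > '9') return -1;
        unsigned v = 0;
        int digits = 0;
        while (*s >= '0' && *s <= '9') {
            v = v * 10 + (unsigned)(*s - '0');
            if (v > 255 || ++digits > 3) return -1;
            s++;
        }
        out[octet] = (uint8_t)v;
        if (octet < 3 && *s++ != '.') return -1;
    }
    return *s == '\0' ? 0 : -1;
}

/* Loader side: convert every entry back to four bytes and append them, which
 * rebuilds the shellcode blob. Returns the decoded length, or -1 if an entry
 * is not a valid address or the output buffer is too small. */
long ipfusc_decode(const char *const *ips, size_t count, uint8_t *out, size_t cap)
{
    if (count * 4 > cap) return -1;
    for (size_t i = 0; i < count; i++)
        if (parse_ipv4(ips[i], out + 4 * i) != 0) return -1;
    return (long)(count * 4);
}

/* Triage heuristic: longest run of consecutive NUL-terminated IPv4 literals in
 * a raw buffer (e.g. a PE .rdata section). Ordinary config data rarely holds
 * hundreds of addresses back to back; an IPfuscated stager does. */
size_t longest_ipv4_run(const uint8_t *buf, size_t len)
{
    size_t best = 0, run = 0, i = 0;
    while (i < len) {
        size_t j = i;
        while (j < len && buf[j] != 0) j++;   /* end of this string */
        uint8_t tmp[4];
        if (j < len && j - i <= 15 && parse_ipv4((const char *)buf + i, tmp) == 0) {
            if (++run > best) best = run;
        } else {
            run = 0;
        }
        i = j + 1;
    }
    return best;
}

int main(void)
{
    /* Constructed sample blob; not real shellcode. */
    const uint8_t blob[] = {0x90, 0x90, 0xcc, 0xc3, 0xde, 0xad, 0xbe, 0xef, 0x41};
    char ips[(sizeof blob + 3) / 4][IPSTR_LEN];
    size_t n = ipfusc_encode(blob, sizeof blob, ips);

    const char *list[sizeof ips / IPSTR_LEN];
    for (size_t i = 0; i < n; i++) {
        list[i] = ips[i];
        printf("%s\n", ips[i]);           /* what the analyst sees in the binary */
    }

    uint8_t decoded[sizeof ips];
    long got = ipfusc_decode(list, n, decoded, sizeof decoded);
    printf("decoded %ld bytes, matches original: %s\n", got,
           got >= (long)sizeof blob && memcmp(decoded, blob, sizeof blob) == 0 ? "yes" : "no");

    /* Constructed buffer of NUL-separated strings standing in for a PE section. */
    const char section[] = "10.0.0.1\0" "192.168.1.1\0" "hello\0" "1.1.1.1\0" "2.2.2.2\0" "3.3.3.3";
    printf("longest IPv4 run: %zu\n", longest_ipv4_run((const uint8_t *)section, sizeof section));
    return 0;
}
```

The parser is deliberately strict, because the loader in the sample depends on every entry converting cleanly; a single malformed entry would corrupt the shellcode, which is also why a list of this shape is so regular and therefore easy to flag. The same scheme carries over to the IPv6, UUID and MAC variants by swapping the string format and the byte width per entry (16, 16 and 6 bytes respectively).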

Conclusion

The IPfuscation technique shows that static signatures alone are not a reliable way to detect malicious payloads. Experts recommend behavioural detection, AI-assisted analysis, and an endpoint security solution that correlates suspicious signals from multiple sources in order to catch attacks of this kind.
