IPfuscation is Hive’s New Technique to Evade Detection


To evade detection, the Hive ransomware group has adopted a new obfuscation technique. It hides its payload as a list of IPv4 addresses and runs that list through a series of conversions; the result is shellcode that downloads a Cobalt Strike Beacon.

IPfuscation is a method of hiding a binary payload inside strings that look like IP addresses.

Sentinel Labs researchers discovered the new obfuscation method and named it IPfuscation. It is a simple but clever trick on the part of the threat actors.

The researchers spotted IPfuscation while analysing 64-bit Windows Portable Executable (PE) files.

The payload was disguised as an array of ASCII IPv4 addresses.

The array looks like a harmless list of IP addresses, but when each address is converted back to its four bytes and the results are concatenated, the output is a blob of shellcode.

An analyst might mistake the list for hard-coded C2 addresses. Until the strings are converted, however, nothing usable can be recovered from the list, so string-based static inspection sees only addresses.

When the shellcode runs, it downloads further malicious payloads.

Decoding and execution

The conversion routine, the Windows helper RtlIpv4StringToAddressA declared in ip2string[.]h, is called on each address in the list. Each call turns a dotted-quad string into its four binary bytes, and the concatenated results form the shellcode blob.

The decoded blob is a standard Cobalt Strike stager. The loader executes it either through direct syscalls (the Hell's Gate technique, which resolves syscall numbers at runtime so that hooked user-mode APIs are never called) or by proxying execution through a callback: the shellcode address is handed to the user interface language enumerator (EnumUILanguages) as its callback, and the enumerator invokes it.

The researchers also found IPfuscation variants that encode the payload as IPv6 addresses, UUIDs, or MAC addresses instead of IPv4 addresses. Each works the same way, with a matching string-to-binary conversion producing a different number of bytes per string.
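The decoding described above, and the IPv6, UUID and MAC variants, as an added example in Python. This is not code from the page or from Sentinel Labs' analysis: it mirrors the string-to-binary conversion in pure Python, adds the reverse (how a dropper author produces the list), and carves runs of encoded strings out of a constructed stand-in for a PE data section. The sample bytes and the fake binary are constructed for the demo, and the Windows helper names given for the non-IPv4 variants are assumptions; only the IPv4 converter is the one named on the page.

```python
"""IPfuscation round-trip: encode a byte blob as IPv4/IPv6/UUID/MAC strings,
decode such strings back to bytes, and carve encoded runs out of a binary."""
import ipaddress
import re
import uuid

# Bytes each string form carries. ipv4 matches RtlIpv4StringToAddressA (4 bytes);
# the other three follow the analogous Windows helpers, which are an assumption
# here (RtlIpv6StringToAddressA, UuidFromStringA, RtlEthernetStringToAddressA).
CHUNK = {"ipv4": 4, "ipv6": 16, "uuid": 16, "mac": 6}

UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")  # Windows 'xx-xx-..' form

# Constructed stand-in for shellcode: a harmless 16-byte x64 stub
# (sub rsp,0x28 / xor rax,rax / inc rax / add rsp,0x28 / ret / nop) repeated
# four times so every encoding yields several strings. Not from any sample.
STUB = bytes.fromhex("4883ec284831c048ffc04883c428c390")
SAMPLE = STUB * 4


def encode(blob, kind):
    """Produce the string array a dropper would embed; pads with NOPs to a whole chunk."""
    size = CHUNK[kind]
    padded = blob + b"\x90" * (-len(blob) % size)
    out = []
    for i in range(0, len(padded), size):
        chunk = padded[i:i + size]
        if kind == "ipv4":
            out.append(str(ipaddress.IPv4Address(chunk)))
        elif kind == "ipv6":
            out.append(str(ipaddress.IPv6Address(chunk)))
        elif kind == "uuid":
            out.append(str(uuid.UUID(bytes_le=chunk)))  # Windows in-memory GUID layout
        else:
            out.append("-".join(f"{b:02X}" for b in chunk))
    return out


def classify(s):
    """Return which encoding a string uses, or None if it is none of the four."""
    if UUID_RE.match(s):
        return "uuid"
    if MAC_RE.match(s):
        return "mac"
    try:
        addr = ipaddress.ip_address(s)
    except ValueError:
        return None
    return "ipv4" if isinstance(addr, ipaddress.IPv4Address) else "ipv6"


def decode_one(s, kind):
    """Convert one encoded string back to its raw bytes (the converter's job)."""
    if kind == "ipv4":
        return ipaddress.IPv4Address(s).packed
    if kind == "ipv6":
        return ipaddress.IPv6Address(s).packed
    if kind == "uuid":
        return uuid.UUID(s).bytes_le
    if kind == "mac":
        return bytes.fromhex(s.replace("-", ""))
    raise ValueError(f"unknown encoding {kind!r}")


def carve_encoded_runs(data, min_run=8):
    """Split raw file bytes on NUL, find runs of >= min_run consecutive strings of
    one encoding, and decode each run. Returns [(kind, count, decoded_bytes), ...].
    A lone IP literal (a real C2 address, a version string) never reaches min_run."""
    runs, cur_kind, cur = [], None, []
    for raw in data.split(b"\x00") + [b""]:          # trailing sentinel flushes the last run
        s = raw.decode("ascii", "replace")
        kind = classify(s)
        if kind is not None and kind == cur_kind:
            cur.append(s)
            continue
        if cur_kind is not None and len(cur) >= min_run:
            runs.append((cur_kind, len(cur), b"".join(decode_one(x, cur_kind) for x in cur)))
        cur_kind, cur = kind, ([s] if kind is not None else [])
    return runs


def build_fake_binary(encoded):
    """Constructed stand-in for a PE data section: benign strings, one lone IP that
    must not be flagged, then the encoded array, every string NUL-terminated."""
    parts = [b"kernel32.dll", b"10.0.0.1", b"EnumUILanguagesA"] + [s.encode() for s in encoded]
    return b"\x00".join(parts) + b"\x00"


if __name__ == "__main__":
    for kind in CHUNK:
        strings = encode(SAMPLE, kind)
        runs = carve_encoded_runs(build_fake_binary(strings), min_run=4)
        print(kind, strings[0], "->", runs[0][2].hex() if runs else "no run found")
```

Running the block prints the first encoded string of each variant and the hex it decodes to. The carver is a triage aid, not a signature: it flags any dense run of same-shaped strings regardless of the bytes they hide, which is the property an obfuscator cannot remove without giving up the trick.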

Conclusion

The IPfuscation technique shows that static signatures alone are insufficient for detecting malicious payloads. Experts recommend behavioural detection, AI-assisted analysis, and a holistic endpoint solution that correlates suspicious signals from multiple sources in order to catch such attacks.

By IEMA IEMLabs

IEMLabs is an ISO 27001:2013 and ISO 9001:2015 certified company and a member of EC Council, NASSCOM, the Data Security Council of India (DSCI), the Indian Chamber of Commerce (ICC), the U.S. Chamber of Commerce, and the Confederation of Indian Industry (CII). The company was established in 2016 with the vision of providing cyber security to the digital world and making it hack-proof. Why is cyber security suddenly such a topic? As technology develops, more and more companies are moving their business into the digital world, and cyber crime is increasing with it.
