To evade detection, the Hive ransomware group has adopted a new payload-obfuscation technique: the payload is stored as a list of IPv4 address strings and reconstructed through a series of string-to-binary conversions, ultimately fetching a Cobalt Strike Beacon.
IPfuscation: hiding shellcode in a list of IP addresses
SentinelLabs researchers discovered the technique and named it IPfuscation: a simple but effective trick for hiding a binary payload in plain sight.
Researchers detected IPfuscation while examining 64-bit Windows Portable Executable (PE) samples.
The payload was disguised as an array of ASCII IPv4 address strings.
It looks like a harmless list of IP addresses, but when each address is converted to its four-byte binary form and the results are concatenated, the array becomes a shellcode blob.
The list could be mistaken for hard-coded C2 addresses; until the strings are converted back to binary, however, nothing meaningful can be recovered from them, and none of the addresses needs to be reachable or even routable.
Once executed, the shellcode downloads further malicious payloads.
Decoding and executing the payload
The conversion routine (RtlIpv4StringToAddressA, declared in ip2string[.]h) is fed the list of IP addresses one string at a time; each string yields four bytes, and the concatenated output is the shellcode blob.
The decoded blob is an ordinary Cobalt Strike stager (Hell's Gate variant, which resolves system call numbers from ntdll at runtime). The malware runs it either through direct syscalls, bypassing user-mode API hooks, or by proxying execution through a callback handed to the user-interface language enumerator API (EnumUILanguages), so that the shellcode entry point is invoked by the OS rather than by a direct call from the loader.
The researchers also found IPfuscation variants that use IPv6 addresses, UUIDs, and MAC addresses in place of IPv4 strings; each works the same way, with the corresponding string-to-binary conversion routine producing 16, 16, or 6 bytes per element respectively.
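An analyst's decoder for the four IPfuscation variants described above, written here as an added example; it is not code from SentinelLabs or from the Hive samples. It uses Python's ipaddress and uuid modules in place of the Windows conversion APIs (RtlIpv4StringToAddressA and its IPv6, UUID and Ethernet counterparts), the sample IPv4 list is constructed for the example, and the zero-byte padding in encode_blob is an assumption, since the page does not describe how the packer pads a blob that is not a whole number of elements.

```python
"""Decoder for IPfuscated payloads (added example; not SentinelLabs' or Hive's code).

The obfuscated blob is stored as an array of ASCII strings that parse as
IPv4 addresses (4 bytes each), IPv6 addresses (16), UUIDs (16) or MAC
addresses (6). Converting every string to its binary form and concatenating
the results reproduces the shellcode blob. encode_blob() exists only to build
round-trip test data and to show what an IPfuscated array looks like.
"""
import ipaddress
import re
import uuid

# Bytes produced per element for each variant.
WIDTH = {"ipv4": 4, "ipv6": 16, "uuid": 16, "mac": 6}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# RtlEthernetStringToAddressA's input form: six hex bytes separated by hyphens.
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5}$")


def classify(s: str) -> str:
    """Guess which conversion routine a string is meant for."""
    if IPV4_RE.match(s):
        return "ipv4"
    if UUID_RE.match(s):
        return "uuid"
    if MAC_RE.match(s):
        return "mac"
    if ":" in s:  # IPv6 text always contains a colon; ipaddress validates the rest
        return "ipv6"
    raise ValueError(f"not an IPfuscation element: {s!r}")


def decode_one(s: str) -> bytes:
    """Mirror the string-to-binary conversion the loader performs on one element."""
    kind = classify(s)
    if kind == "ipv4":
        return ipaddress.IPv4Address(s).packed  # RtlIpv4StringToAddressA
    if kind == "ipv6":
        return ipaddress.IPv6Address(s).packed  # RtlIpv6StringToAddressA
    if kind == "uuid":
        # UuidFromStringA fills a UUID struct whose first three fields are
        # little-endian in memory; bytes_le reproduces that in-memory layout.
        return uuid.UUID(s).bytes_le
    return bytes.fromhex(s.replace("-", ""))  # RtlEthernetStringToAddressA


def decode_blob(strings) -> bytes:
    """Concatenate the converted elements: this is the recovered shellcode blob.
    Analyse the result in a disassembler or emulator; never execute it."""
    return b"".join(decode_one(s) for s in strings)


def encode_blob(data: bytes, kind: str) -> list:
    """Split data into fixed-width chunks and render each as the chosen string
    type. Zero-byte padding to a whole element is an assumption made for this
    example; the page does not describe the packer's padding."""
    width = WIDTH[kind]
    if len(data) % width:
        data += b"\x00" * (width - len(data) % width)
    out = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        if kind == "ipv4":
            out.append(str(ipaddress.IPv4Address(chunk)))
        elif kind == "ipv6":
            out.append(str(ipaddress.IPv6Address(chunk)))
        elif kind == "uuid":
            out.append(str(uuid.UUID(bytes_le=chunk)))
        else:
            out.append("-".join(f"{b:02X}" for b in chunk))
    return out


# Constructed sample: the conventional opening bytes of an x64 stager
# (cld; and rsp,-16; call ...; push r9; push r8; push rdx; push rcx),
# rendered as the IPv4 list a loader would carry. Not taken from any
# specific sample.
SAMPLE_BLOB = bytes.fromhex("fc4883e4f0e8c8000000415141505251")
SAMPLE_IPV4 = ["252.72.131.228", "240.232.200.0", "0.0.65.81", "65.80.82.81"]


if __name__ == "__main__":
    print(decode_blob(SAMPLE_IPV4).hex())
    for variant in WIDTH:
        print(variant, encode_blob(SAMPLE_BLOB, variant))
```

Run against the output of `strings` on a suspicious PE, the decoder turns a run of consecutive same-kind elements back into bytes you can hand to a disassembler; the first element of a stager that begins with `cld; and rsp,-16` will read 252.72.131.228, which is a useful thing to recognise on sight.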
IPfuscation shows that static signatures alone are unreliable for detecting malicious payloads: the bytes that would match a shellcode signature never exist on disk, only a list of plausible-looking addresses. Experts recommend behavioural detection, AI-assisted analysis, and an endpoint platform that correlates suspicious signals from multiple sources to catch such attacks.