Trend Micro : Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware
We observed Emotet spam campaigns using hexadecimal and octal representations of IP addresses, likely to evade detection via pattern matching. Both routines use social engineering techniques to trick users into enabling document macros and automate malware execution. Upon receiving these standards, operating systems (OS) automatically convert the values to the dotted decimal quad representation to initiate the request from the remote servers. Users and businesses are cautioned to detect, block, and enable the relevant security measures to prevent compromise using Emotet for second stage delivery of malware such as TrickBot and Cobalt Strike.
Routine using hexadecimal IP addresses
The samples we found start with an email-attached document using Excel 4.0 Macros, a dated feature used to automate repetitive tasks in Excel that malicious actors have abused to deliver malware. Abuse of the feature in this case allows the malware to execute once the document is opened using the auto_open macro.
Figure 1. Attached document in the emails lures users into enabling the macros
The URL is obfuscated with carets and the host contains a hexadecimal representation of the IP address. Using CyberChef, we converted the hexadecimal numbers to find the more commonly used dotted decimal equivalent, 193[.]42[.]36[.]245.
Figure 2. Using carets for obfuscation
Figure 3. Converting the hexadecimal numbers to dotted decimal representation
Once executed, the macro invokes cmd.exe > mshta.exe with the URL containing the hex representation of the IP address as an argument, which will download and execute an HTML application (HTA) code from the remote host.
Figure 4. Downloading and executing an HTA code
Routine using octal IP addresses
Much like the hexadecimal representation sample, the document also uses Excel 4.0 Macros to run the malware once the…
