The Hive ransomware group has adopted a new obfuscation technique to evade detection. The technique involves IPv4 addresses and a series of conversions leading to the download of the Cobalt Strike Beacon.

The IPfuscation technique

Researchers from Sentinel Labs found the new obfuscation technique, dubbed IPfuscation, which is basically a simple but smart attempt by threat actors.
  • IPfuscation was discovered when researchers were analyzing 64-bit Windows Portable executables.
  • The payload was obfuscated in the form of an array of ASCII IPv4 addresses.
  • It looks like a non-harmful list of IP addresses, however, they form the blob for a shellcode when the data are clubbed together. 
  • The list may be mistaken as hard-coded C2 communication information. However, no useful information can be extracted unless the file (the list of IPv4 addresses) is treated using a convertor.
  • Upon execution, the shellcode downloads further malicious payloads.

In the later stage of the attack

When the list of IP addresses is passed for converting function (ip2string[.]h), it translates the string to binary and a blob of shellcode appears.
  • The malware executes the shellcode via direct SYSCALLs or proxying execution using callback on the user interface language enumerator, ending up in a standard Cobalt Strike stager (Hell’s Gate variant).
  • Additionally, the researchers spotted additional IPfuscation variants using IPv6 instead of IPv4 addresses, UUIDs, and MAC addresses, all operating in almost the same way.

Concluding notes

The IPfuscation technique shows that static signatures for malicious payload detection are not secure enough. For better detection of malicious threats,  experts suggest using behavioral detection, AI-assisted analysis, and holistic endpoint collecting suspicious inputs from multiple points.
Cyware Publisher