The Hive ransomware group has adopted a new obfuscation technique to evade detection. The technique involves IPv4 addresses and a series of conversions leading to the download of the Cobalt Strike Beacon.
The Technique of IPfuscation
Sentinel Labs researchers discovered a new obfuscation technique known as IPfuscation, which is essentially a simple but clever attempt by threat actors to disguise a payload.
- Researchers detected IPfuscation when looking at 64-bit Windows Portable executables.
- An array of ASCII IPv4 addresses was used to disguise the payload.
- It appears to be a harmless list of IP addresses, but when the data is combined, it becomes the blob for a shellcode.
- The list could be misinterpreted as hard-coded C2 communication data.
- However, until the list of IPv4 addresses is converted back into bytes, no usable information can be recovered from it.
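As an added illustration written from the analyst's side (not code from the original report or from the Hive samples), the decode step the bullets describe: consecutive dotted quads pulled from a binary are converted back to four raw bytes each and concatenated, so a run of addresses yields the byte blob. The sample strings, the `min_run` threshold and the first-octet heuristic are constructed assumptions.

```python
import re

# Constructed sample: strings as a strings tool might list them from a PE.
# The five dotted quads encode the benign text "Hello IPfuscation!" plus two
# zero bytes; they stand in for an IPfuscated blob and are not shellcode.
SAMPLE_STRINGS = [
    "kernel32.dll",
    "72.101.108.108", "111.32.73.80", "102.117.115.99",
    "97.116.105.111", "110.33.0.0",
    "GetProcAddress",
    "8.8.8.8",  # a lone address, too short to count as a run
]

DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def ipv4_to_bytes(addr):
    """Turn one dotted quad into its four raw bytes (the reverse of the
    IPfuscation encoding); rejects anything but four octets in 0..255."""
    m = DOTTED_QUAD.match(addr.strip())
    if not m:
        raise ValueError(f"not a dotted quad: {addr!r}")
    octets = [int(g) for g in m.groups()]
    if max(octets) > 255:
        raise ValueError(f"octet out of range: {addr!r}")
    return bytes(octets)


def find_ipv4_runs(strings, min_run=4):
    """Group consecutive IPv4 literals and decode each run of at least
    min_run addresses into one byte blob for triage. min_run is an assumed
    threshold; raise it for real binaries, where the blob is far longer."""
    runs, current, start = [], [], 0
    for i, s in enumerate(list(strings) + [""]):  # "" closes a trailing run
        try:
            ipv4_to_bytes(s)
            if not current:
                start = i
            current.append(s)
            continue
        except ValueError:
            pass
        if len(current) >= min_run:
            # Heuristic only: genuine C2 lists rarely begin with 0.x or >=224.x
            odd = sum(1 for a in current if not 1 <= int(a.split(".")[0]) <= 223)
            runs.append({"start": start, "count": len(current),
                         "blob": b"".join(ipv4_to_bytes(a) for a in current),
                         "odd_first_octets": odd})
        current = []
    return runs
```

Run against the strings of a suspect executable, each flagged run's `blob` is what an analyst would then inspect as candidate shellcode, while a short run or one that decodes to nothing meaningful is more likely a genuine address list.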
When the shellcode is run, it downloads