The Hive ransomware group has adopted a new obfuscation technique to evade detection. The technique involves IPv4 addresses and a series of conversions leading to the download of the Cobalt Strike Beacon.

The Technique of IPfuscation

Sentinel Labs researchers discovered a new obfuscation technique known as IPfuscation, which is essentially a simple but clever evasion attempt by threat actors.

  • Researchers detected IPfuscation while examining 64-bit Windows Portable Executable (PE) files.
  • An array of ASCII IPv4 addresses was used to disguise the payload.
  • The array looks like a harmless list of IP addresses, but when the addresses are combined, they form a shellcode blob.
  • The list could be misinterpreted as hard-coded C2 communication data.
  • However, unless the list of IPv4 addresses is converted back into raw bytes, no usable information can be recovered from it.
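The following Python script is an added triage example, not code from Sentinel Labs, Hive, or this article. It shows the defender's side of the technique described above: it pulls runs of ASCII dotted-quad literals out of a file, reassembles them into the byte blob a loader would obtain (four bytes per address), and flags the run when it is long and its decoded bytes are high-entropy or the addresses are largely unroutable, which is how an IPfuscated array differs from a genuine C2 list. The sample file bytes, the stand-in payload (`bytes(range(256))`, not real shellcode), the thresholds and all function names are assumptions constructed for the example.

```python
"""Triage helper: find runs of ASCII IPv4 literals in a file and decide whether
they look like an IPfuscated payload rather than a genuine address list.
Added example; not code from the SentinelLabs write-up or from Hive."""
import ipaddress
import math
import re
from collections import Counter

# Loose dotted-quad matcher; candidates are validated by ipaddress afterwards.
# Only narrow (ASCII) strings are handled, matching the article's description.
IPV4_CANDIDATE = re.compile(rb"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def extract_ipv4_literals(data: bytes) -> list[str]:
    """Return every syntactically valid dotted-quad found in the raw file bytes."""
    found = []
    for m in IPV4_CANDIDATE.finditer(data):
        text = m.group().decode("ascii")
        try:
            ipaddress.IPv4Address(text)  # rejects octets > 255 such as 300.1.2.3
        except ValueError:
            continue
        found.append(text)
    return found


def ipv4_list_to_bytes(addrs: list[str]) -> bytes:
    """Reassemble the blob the way a loader would: each address yields 4 raw bytes."""
    return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: text is roughly 4-5, packed code or encrypted data 6-8."""
    if not blob:
        return 0.0
    counts = Counter(blob)
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def unroutable_fraction(addrs: list[str]) -> float:
    """Share of addresses that are not globally routable; a real C2 list is mostly routable."""
    if not addrs:
        return 0.0
    return sum(not ipaddress.IPv4Address(a).is_global for a in addrs) / len(addrs)


def assess_ipv4_list(addrs, min_count=16, entropy_threshold=6.0, unroutable_threshold=0.5):
    """Heuristic verdict (thresholds are assumptions): a long run of addresses whose
    4-byte decoding is high-entropy, or which are largely unroutable, deserves a closer look."""
    blob = ipv4_list_to_bytes(addrs)
    report = {
        "count": len(addrs),
        "decoded_length": len(blob),
        "entropy": round(shannon_entropy(blob), 2),
        "unroutable_fraction": round(unroutable_fraction(addrs), 2),
    }
    report["suspicious"] = report["count"] >= min_count and (
        report["entropy"] >= entropy_threshold
        or report["unroutable_fraction"] >= unroutable_threshold
    )
    return report


# --- constructed sample input (not a real Hive artefact) ----------------------
def bytes_to_ipv4_list(blob: bytes) -> list[str]:
    """Encode a blob as dotted quads, 4 bytes per address (used only to build the sample)."""
    padded = blob + b"\x00" * (-len(blob) % 4)
    return [str(ipaddress.IPv4Address(padded[i:i + 4])) for i in range(0, len(padded), 4)]


STANDIN_PAYLOAD = bytes(range(256))  # placeholder bytes standing in for a payload
SAMPLE_FILE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"\x00".join(a.encode() for a in bytes_to_ipv4_list(STANDIN_PAYLOAD))
    + b"\x00" + b"203.0.113.7\x00"  # one documentation-range address for good measure
)
BENIGN_LIST = ["8.8.8.8", "1.1.1.1", "9.9.9.9"]  # short list of ordinary resolvers


if __name__ == "__main__":
    literals = extract_ipv4_literals(SAMPLE_FILE)
    print(len(literals), "IPv4 literals found")
    print("sample file:", assess_ipv4_list(literals))
    print("benign list:", assess_ipv4_list(BENIGN_LIST))
```

Run against the constructed sample, the 65-address run decodes to 260 bytes with entropy close to 8 bits per byte and is flagged, while the three-resolver list is far too short to be flagged at all. In practice the same checks would be run over the strings of a suspect PE, and a run of dozens of addresses with near-random decoded bytes is a far stronger signal than the presence of any single address.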

When the shellcode is run, it downloads