CySecurity News – Latest Information Security and Hacking Incidents
Threat researchers have found a new obfuscation strategy employed by the Hive ransomware gang, which utilises IPv4 addresses and a series of conversions that leads to the download of a Cobalt Strike beacon. Threat actors use code obfuscation to conceal the malicious nature of their code from human reviewers or security software to avoid discovery.
There are a variety of techniques to create obfuscation, each with its own set of benefits and drawbacks, but a new one identified during an incident response involving Hive ransomware reveals that adversaries are coming up with new, subtler ways to accomplish their objective.
Analysts at Sentinel Labs describe a new obfuscation technique called “IPfuscation,” which is another example of how effective basic but sophisticated tactics can be in real-world malware deployment. The new approach was discovered while examining 64-bit Windows executables, each of which contained a payload that delivered Cobalt Strike.
The payload is disguised as an array of ASCII IPv4 addresses, giving it the appearance of a harmless list of IP addresses. The list could potentially be misconstrued for hard-coded C2 communication information in malware research. A blob of shellcode arises when the file is handed to a converting function (ip2string.h) that converts the string to binary.
Followi
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: