Security News > 2022 > March > Hive ransomware uses new 'IPfuscation' trick to hide payload
Threat analysts have discovered a new obfuscation technique used by the Hive ransomware gang, which involves IPv4 addresses and a series of conversions that eventually lead to downloading a Cobalt Strike beacon.
There are numerous ways to achieve obfuscation, each with its own set of pros and cons, but a novel one discovered in a an incident response involving Hive ransomware shows that adversaries are finding new, stealthier ways to achieve their goal.
Sentinel Labs analysts report on the new obfuscation technique, that they call "IPfuscation", and which is yet another example of how effective simple but smart methods can be in real-world malware deployment.
The analysts discovered the new technique while analyzing 64-bit Windows executables, each containing a payload that delivers Cobalt Strike.
The payload itself is obfuscated by taking the form of an array of ASCII IPv4 addresses, so it looks like an innocuous list of IP addresses.
The analysts have discovered additional IPfuscation variants that instead of IPv4 addresses use IPv6, UUIDs, and MAC addresses, all operating in an almost identical manner as what we described above.