Recently a spammer group has started to execute a clever trick that has helped them to bypass email filters and security systems, landing them in more than the usual numbers of inboxes.
The trick relies on a quirk in RFC791 — a standard that describes the Internet Protocol (IP). RFC791 is also the standard that describes how IP addresses look, amongst the myriad of technical details.
Most people know them only in their most common form, the dotted-decimal address (for example, 192.168.0.1).
However, IP addresses can also be written in three other formats:
· Octal – 0300.0250.0000.0001 (by converting each octet to octal and writing it with a leading zero)
· Hexadecimal – 0xc0a80001 (by converting each octet to two hexadecimal digits and concatenating them after a 0x prefix)
· Integer/DWORD – 3232235521 (by converting that concatenated hexadecimal value to a single decimal integer)
A spammer group has picked up on this trick.
According to a report published by a group of researchers, a spam group has adopted hexadecimal IP addresses for their malicious campaign since July this year.
The group has been sending emails containing links to its spam sites. However, instead of a domain name like xyz.com, the emails contain odd-looking links such as https:// 0Xp89BC87E
These are nothing but hexadecimal IP addresses, behind which the spammers hide the infrastructure hosting their spam sites.
The trick appears to have been enough for the group to evade detection while sending high volumes of spam, because web browsers interpret a hexadecimal IP address just as they do a dotted-decimal one and load the website hosted on that server.
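As an added illustration (not code from the eScan post or from the researchers' report), the Python below shows how a mail filter can defend against the formats listed above and the hexadecimal links described here: it canonicalizes any IPv4 literal, in dotted-decimal, octal, hexadecimal or integer/DWORD form, using the same inet_aton-style rules browsers and C libraries apply, then scans a constructed sample message and flags every link whose host is an IP literal written in a non-dotted form. It goes slightly beyond the four forms on the page by also accepting mixed-base and shortened (a.b.c, a.b, a) literals, which inet_aton accepts too. The sample message, the addresses in it and the function names are all assumptions made for this example.

```python
import ipaddress
import re

# One numeric part as inet_aton reads it: 0x hex, leading-zero octal, or decimal.
_PART = r'(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)'
# One to four such parts separated by dots (inet_aton also allows a.b.c, a.b and a).
_HOST_RE = re.compile(rf'^{_PART}(?:\.{_PART}){{0,3}}$')

# Bare URL matcher for the scanner; group 1 is the authority (userinfo@host:port).
_URL_RE = re.compile(r'https?://([^\s/?#]+)', re.IGNORECASE)


def parse_part(text):
    """Interpret a single part with inet_aton base rules (0x -> hex, leading 0 -> octal)."""
    if text[:2].lower() == '0x':
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == '0':
        return int(text, 8)
    return int(text, 10)


def normalize_ipv4_literal(host):
    """Return the canonical dotted-decimal form of an inet_aton-style literal.

    Returns None when host is not such a literal (a domain name, a value out of
    range, or garbage such as a hex literal containing non-hex characters).
    """
    if not _HOST_RE.match(host):
        return None
    parts = [parse_part(p) for p in host.split('.')]
    # Leading parts are 8 bits each; the last part absorbs the remaining bits,
    # so "a.b.c" has a 16-bit c, "a.b" a 24-bit b and "a" a full 32-bit value.
    widths = [8] * (len(parts) - 1) + [32 - 8 * (len(parts) - 1)]
    value = 0
    for part, width in zip(parts, widths):
        if part >= (1 << width):
            return None  # out of range for its slot, inet_aton rejects this
        value = (value << width) | part
    return str(ipaddress.IPv4Address(value))


def find_obfuscated_ip_links(text):
    """Return (url, canonical_ip) for every link whose host is a non-dotted IP literal.

    Plain dotted-decimal hosts are not reported: they are not obfuscated, even
    though a filter may still want to treat any raw-IP link as suspicious.
    """
    findings = []
    for match in _URL_RE.finditer(text):
        authority = match.group(1)
        host = authority.rsplit('@', 1)[-1].split(':')[0]  # drop userinfo and port
        canonical = normalize_ipv4_literal(host)
        if canonical is not None and canonical != host:
            findings.append((match.group(0), canonical))
    return findings


# Constructed sample message (assumption): not taken from any real campaign.
SAMPLE_EMAIL = """Congratulations, claim your prize at https://0xc0a80001/win today!
Backup link: http://3232235521/alt
Octal form too: http://0300.0250.0000.0001/o
Ordinary link: https://www.example.com/page
Plain IP link: http://192.168.0.1/plain
"""

if __name__ == '__main__':
    for url, ip in find_obfuscated_ip_links(SAMPLE_EMAIL):
        print(f'obfuscated IP link: {url} -> {ip}')
```

The design point for a filter is to canonicalize the host before any reputation or blocklist lookup, so that 0xc0a80001, 3232235521 and 0300.0250.0000.0001 all resolve to the same 192.168.0.1 entry, and to treat a host that canonicalizes to an address but was not written in dotted-decimal as a strong signal in its own right.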
According to the researchers, the group's operations have grown significantly since it adopted this trick, because it can now land spam in more inboxes than before.
This campaign marks the second time in recent years that this strategy has been used in a malware campaign. In the summer of 2019, the operators of the PsiXBot trojan also used hexadecimal IP addresses to hide the location of their command-and-control servers.
Malware authors have also abused IP addressing schemes other than the hexadecimal one. In 2011, malicious Word documents were found using integer/DWORD IP addresses to hide the location of remotely hosted malicious resources that were downloaded onto infected hosts.
To read more, please check eScan Blog