New Brazilian banking Trojans recycle old URL obfuscation tricks

Fabio, our researcher in Brazil, has noticed malware authors using an old trick to mask URLs. The trick involves specifying an IP address such as say, (the IP address of, borrowed from my colleague, Costin) in a numerical base other than base 10. The supported bases are octal (8) and hexadecimal (16), and even a single 32bit number work, thus the following are all valid, and each will take you to

Now, by itself, this isn’t terribly interesting from a technical perspective; this ‘feature’ of IP specification has been around for quite a while.

However…what is interesting though is that due to the relative obscurity of using such methods to denote an IP or URL, it is quite feasible that existing security products do not correctly identify the URLs as valid or flag them as malicious when they point to existing known bad websites.

In my testing, Firefox on Windows supports all of the above addresses, under Linux however, Marco from our German office says some are unsupported. Based on poor browser support for such features, it’s possible to imagine URL filtering tools having the same lack of support.

In addition to potential weak tool support for such URLs, it is likely that unsuspecting users may be more easily convinced that a particular URL is legitimate, which I think is the obvious goal of using such URL obfuscation techniques.

New Brazilian banking Trojans recycle old URL obfuscation tricks

Your email address will not be published.



Andariel deploys DTrack and Maui ransomware

Earlier, the CISA published an alert related to a Stairwell report, “Maui Ransomware.” Our data should openly help solidify the attribution of the Maui ransomware incident to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly.

APT trends report Q2 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q2 2022.

Subscribe to our weekly e-mails

The hottest research right in your inbox