Security researchers have found a new malware campaign using WAV audio files to hide their malware. It’s said the attackers are using Steganography to embed the malicious code within the WAV audio files. Steganography is an ancient practice of hiding secret content and text messages inside non-suspicious messages.
According to BlackBerry Cylance threat researchers’ analysis, each WAV file contains a loader component to decode and execute malicious content embedded in audio files.
Attackers use Steganography as a technique to hide malicious code within the image/audio/text file that is mainly employed by exploiting kits to hide their malvertising traffic.
The researchers also revealed that some of the WAV files contain crypto miner script “XMRig Monero CPU” miner and “Metasploit” code to establish a reverse shell, which is used to gain remote access over the victim networks.
“Attackers deploy CPU miners to steal processing resources and generate revenue from mining cryptocurrency. Cryptocurrency miners are a popular malware payload since they provide financial benefits and aim to operate in the background without the user’s knowledge. An effective cryptocurrency botnet can yield thousands of dollars per month for an attacker,” BlackBerry Cylance said.
“This approach allows the attacker to execute code from an otherwise benign file format. These techniques demonstrate that executable content could theoretically be hidden within any file type, provided the attacker does not corrupt the structure and processing of the container format. Adopting this strategy introduces an additional layer of obfuscation because the underlying code is only revealed in memory, making detection more challenging,”
The steganography loader researchers discovered is also identified in Symantec’s June 2019 analysis of Waterbug/Turla threat actor activity. In addition, Symantec identified WAV files containing encoded Metasploit code.