Researchers observed a new malware campaign using WAV audio files to hide the malware and to avoid detection.
Threat actors embedded the malicious code within the WAV audio files.
Based on BlackBerry Cylance threat researchers’ analysis, each WAV file contains a loader component to decode and executing malicious content embedded in audio files.
Similar techniques were observed between multiple threat actors, they used PNG (1,2) and JPEG files, employs steganography techniques to hide the malware.
THE TWO REPORTS
The first of these two new malware campaigns abusing WAV files was reported back in June. Symantec security researchers said they spotted a Russian cyber-espionage group known as Waterbug (or Turla) using WAV files to hide and transfer malicious code from their server to already-infected victims.
The second malware campaign was spotted this month by BlackBerry Cylance.
In a report published today and shared with ZDNet last week, Cylance said it saw something similar to what Symantec saw a few months before.
But while the Symantec report described a nation-state cyber-espionage operation, Cylance said they saw the WAV steganography technique being abused in a run-of-the-mill crypto-mining malware operation.
Cylance said this particular threat actor was hiding DLLs inside WAV audio files. Malware already-present on the infected host would download and read the WAV file, extract the DLL bit by bit, and then run it, installing a cryptocurrency miner application named XMRrig.
Josh Lemos, VP of Research and Intelligence at BlackBerry Cylance, told ZDNet in an email yesterday that this malware strain using WAV steganography was spotted on both Windows desktop and server instances.
Miner and Metasploit code – WAV Audio
Further analysis reveals that some of the WAV files contain crypto miner script XMRig Monero CPU miner and others include Metasploit code used to establish a reverse shell.
Both of the WAV files use the same infrastructure, which indicates the campaign used to gain remote access over the victim networks and for monetary benefits.
Attackers use steganography methods to hide the malicious codes in the WAV files.
Earlier this year, Symantec published a report about the Turla APT hacker group, the APT group uses the .wav files with Metasploit code embedded.
Researchers classified the loaders into three categories
- Loaders that employ the Least Significant Bit (LSB) steganography to decode and execute a PE file.
- Loaders that employ a rand()-based decoding algorithm to decode and execute a PE file.
- Loaders that employ rand()-based decoding algorithm to decode and execute shellcode.
Steganography & Encoding Methods
The first type is based on the steganography method, the .wav file employees steganography method to extract the content.
Upon executing the audio file Song(.)wav, it executes a DLL in memory and triggers the export process, the exported file is an XMRig Monero CPU miner, which is designed to steal victim’s resources and to mine cryptocurrency, reads the blog post.
XMRig is a high performance Monero (XMR) CPU miner, with official support for Windows, Mac Linux and more. Originally based on cpuminer-multi with heavy optimizations/rewrites and removing a lot of legacy code, since version 1.0.0 completely rewritten from scratch on C++.
This is the CPU-mining version, there is also a NVIDIA GPU version and AMD GPU version.
- Mining BLOC with XMRig
- High performance.
- Official Windows support.
- Small Windows executable, without dependencies.
- x86/x64 support.
- Support for backup (failover) mining server.
- keepalived support.
- Command line options compatible with cpuminer.
- CryptoNight-Lite support for AEON.
- Smart automatic CPU configuration.
- Nicehash support
- It’s open source software.
The second category is based on the rand()-based decoding algorithm used to hide the PE files, in this case, the audio files don’t have any music.
When the audio file is executed, the loader reads the file and executes the DLL in memory, the extracted file is the XMRig Monero CPU miner.
The third category is the rand()-based decoding algorithm to hide PE files, like the previous one, this audio file also contains white noise.
Upon executing the audio file the loader opens the PE files, decodes its contents and executes the shellcode. The Metasploit shellcode is capable of launching reverse shell access to the specified IP address.
Attackers continue to use innovative methods to compromise victim machines, in this campaign attackers used both steganography and other encoding techniques.