Malware Hidden In .WAV Files

Walden Systems Geeks Corner News

A malware campaign has been found in which malicious content was embedded in audio files. Each .WAV carries an encoded payload, and one of three loader components decodes and executes it. When played, the WAV files either produce music or sound like white noise; they remain valid audio files, so nothing looks wrong to a listener or to a format check. Two payloads were found embedded: an XMRig Monero CPU cryptominer and Metasploit code used to establish a reverse shell. This suggests the attack has two goals, deploying malware for financial gain and establishing remote access within the victim network. The .WAV files can be delivered in many ways, from spam or targeted emails to web downloads advertised as pirated content.

The loaders come in three varieties. The first uses Least Significant Bit (LSB) steganography: it reads the lowest bit of each audio sample, reassembles those bits into a PE file, and executes it. The second uses a rand()-based decoding algorithm to decode and execute a PE file. The third uses a rand()-based decoding algorithm to decode and execute shellcode. These methods show that executable content can be hidden in any file type, provided the attacker does not corrupt the structure of the container format; flipping the low bit of a 16-bit sample leaves the RIFF/WAV header intact and changes the audio by at most one quantization step. This adds a layer of obfuscation because the underlying code is only revealed in memory, after the loader decodes it, which makes detection on disk difficult. The WAV is inert on its own: without the loader nothing runs, so the loader, not the audio file, is the component a defender should hunt for.
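The LSB technique described above, as an added example that is not part of the original article or of the campaign's own loader code: it builds a white-noise WAV in memory, hides a constructed stand-in payload (only the "MZ" DOS magic is real; the rest is filler, not an executable) in the low bit of each 16-bit sample, extracts it again, and shows that the carrier stays a valid WAV whose samples move by at most 1. The 4-byte length prefix, the sample rate and the payload are assumptions made here; the real loader's framing is not documented on this page.

```python
"""LSB steganography in a PCM WAV carrier: embed, extract, and a small
detection heuristic. Added example; the payload and framing are constructed
assumptions, not the campaign's real loader format."""
import io
import random
import struct
import wave

# Constructed stand-in for a hidden executable. Only the "MZ" DOS magic is
# real; the rest is filler so nothing here is a runnable binary.
FAKE_PE = b"MZ" + b"constructed filler, not a PE".ljust(62, b"\0")


def make_noise_wav(n_samples=4096, seed=7):
    """Build a 16-bit mono white-noise WAV entirely in memory (constructed carrier)."""
    rng = random.Random(seed)
    samples = [rng.randrange(-20000, 20000) for _ in range(n_samples)]
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)  # assumed rate; any PCM rate works for LSB hiding
        w.writeframes(struct.pack("<%dh" % n_samples, *samples))
    return buf.getvalue()


def _samples(wav_bytes):
    """Decode a 16-bit PCM WAV into a tuple of signed sample values."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("example only handles 16-bit PCM")
        n = w.getnframes() * w.getnchannels()
        return struct.unpack("<%dh" % n, w.readframes(w.getnframes()))


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed_lsb(wav_bytes, payload):
    """Hide payload in the least significant bit of each sample.

    Framing (assumed for this example): a 4-byte little-endian length, then
    the payload. One bit per sample, so capacity is n_samples // 8 bytes.
    """
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        params = w.getparams()
    samples = list(_samples(wav_bytes))
    message = struct.pack("<I", len(payload)) + payload
    if len(message) * 8 > len(samples):
        raise ValueError("payload too large for carrier")
    for idx, bit in enumerate(_bits(message)):
        samples[idx] = (samples[idx] & ~1) | bit  # touch only the low bit
    out = io.BytesIO()
    with wave.open(out, "wb") as w:
        w.setparams(params)  # header unchanged: still a valid RIFF/WAVE file
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return out.getvalue()


def lsb_plane(wav_bytes):
    """Pack the low bit of every sample into bytes (what a loader reads back)."""
    out, acc = bytearray(), 0
    for i, s in enumerate(_samples(wav_bytes)):
        acc = (acc << 1) | (s & 1)
        if i % 8 == 7:
            out.append(acc)
            acc = 0
    return bytes(out)


def extract_lsb(wav_bytes):
    """Recover the payload using the assumed length-prefixed framing."""
    plane = lsb_plane(wav_bytes)
    (length,) = struct.unpack("<I", plane[:4])
    if length > len(plane) - 4:
        raise ValueError("length prefix exceeds carrier capacity")
    return plane[4:4 + length]


def looks_like_hidden_pe(wav_bytes):
    """Detection heuristic: a DOS header in the LSB plane is not something real
    audio produces. Checks offset 0 and the assumed 4-byte framing offset; a
    production scanner would search the whole plane and other bit depths."""
    plane = lsb_plane(wav_bytes)
    return plane[:2] == b"MZ" or plane[4:6] == b"MZ"


def max_sample_delta(original, stego):
    """Largest per-sample change introduced by embedding (1 for pure LSB)."""
    return max(abs(a - b) for a, b in zip(_samples(original), _samples(stego)))


if __name__ == "__main__":
    clean = make_noise_wav()
    stego = embed_lsb(clean, FAKE_PE)
    print("recovered payload starts with:", extract_lsb(stego)[:2])
    print("same size as carrier:", len(stego) == len(clean))
    print("max sample change:", max_sample_delta(clean, stego))
    print("stego flagged:", looks_like_hidden_pe(stego),
          "clean flagged:", looks_like_hidden_pe(clean))
```

The detection function shows why scanning the audio file is weak on its own: the low bit of real music is already close to random, so entropy tells you nothing, and a signature check only works if you know where the loader expects the payload to start. That is the practical reason to look for the loader process reading .WAV files and allocating executable memory rather than for the carrier.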


Attackers are creative in how they get code to run, including spreading it across multiple files of different formats. The authors of this malware combined steganography with other encoding techniques to execute their code, and these strategies let them conceal executable content and make detection difficult.