Audio .WAV files are the latest hiding place for obfuscated malicious code; a campaign has been spotted in which malicious content was secretly woven throughout the file’s audio data.
The embedded code consists of two different payloads: an XMRig/Monero CPU cryptominer and Metasploit code used to establish a reverse shell. The .WAV files are coupled with one of three different loader components for decoding and executing the malware, according to BlackBerry Cylance threat researchers.
Users are likely none the wiser: When played, the WAV files either produce music that has no discernible quality issues or glitches, or, in some cases, simply generate static white noise.
This suggests “a two-pronged campaign to deploy malware for financial gain and establish remote access within the victim network,” the researchers noted in an analysis released on Wednesday.
The .WAV files can be delivered in any number of ways, ranging from spam or targeted emails to downloads from the web masquerading as pirated content.
Delving deeper into the obfuscated code, the loaders come in three different flavors, according to the analysis: those using Least Significant Bit (LSB) steganography to decode and execute a PE file; those that employ a rand()-based decoding algorithm to decode and execute a PE file; and those that employ a rand()-based decoding algorithm to decode and execute shellcode.
“These techniques demonstrate that executable content could theoretically be hidden within any file type, provided the attacker does not corrupt the structure and processing of the container format,” the researchers explained in a posting on Wednesday. “Adopting this strategy introduces an additional layer of obfuscation because the underlying code is only revealed in memory, making detection more challenging.”
The first category of loaders employs steganography to extract executable XMRig content from a WAV file. Steganography is the practice of concealing a file or message within an image or audio file. The Least Significant Bit (LSB) technique specifically is where the right-most bit of an individual byte contains the data of interest, according to BlackBerry Cylance. This includes hardcoded strings that specify the filename to load (“Song.wav”) and, once decoded, the exported function to execute (“Start”) the miner.
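The following is an added illustration for defenders, not code from the BlackBerry Cylance report or from the campaign's loader: it constructs a white-noise WAV whose sample LSBs carry a marker payload, then parses the container, pulls the LSB plane back out and checks it for the "MZ" bytes that open every PE file. The one-bit-per-sample, LSB-first bit order and the 16-bit mono format are assumptions for the example; a real loader may use a different ordering, so a scanner should try the variants.

```python
import io
import random
import struct
import wave

PE_MAGIC = b"MZ"  # every PE file (EXE/DLL) starts with these two bytes


def build_sample_wav(hidden: bytes, n_samples: int = 4000, seed: int = 1) -> bytes:
    """Constructed test fixture: a 16-bit mono PCM WAV of white noise whose
    sample LSBs carry `hidden` (one bit per sample, LSB-first within each byte)."""
    bits = [(b >> i) & 1 for b in hidden for i in range(8)]
    assert len(bits) <= n_samples, "payload does not fit in the carrier"
    rng = random.Random(seed)
    samples = []
    for i in range(n_samples):
        s = rng.randint(-20000, 20000)          # noise carrier, like the campaign's WAVs
        if i < len(bits):
            s = (s & ~1) | bits[i]              # replace only the least significant bit
        samples.append(s)
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(struct.pack(f"<{n_samples}h", *samples))
    return buf.getvalue()


def extract_lsb_plane(wav_bytes: bytes) -> bytes:
    """Parse the RIFF/WAV container, take bit 0 of every 16-bit sample and
    pack the bits into bytes (LSB-first). Only the data chunk is read."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("scanner expects 16-bit PCM")
        raw = w.readframes(w.getnframes())
    n = len(raw) // 2
    samples = struct.unpack(f"<{n}h", raw[: n * 2])
    out = bytearray()
    for i in range(0, n - n % 8, 8):
        out.append(sum((samples[i + j] & 1) << j for j in range(8)))
    return bytes(out)


def scan_wav_for_hidden_pe(wav_bytes: bytes) -> dict:
    """Detection helper: report whether the LSB plane opens with a PE header and
    how balanced its bits are (genuine noise sits near 0.5; structured data does not)."""
    plane = extract_lsb_plane(wav_bytes)
    ones = sum(bin(b).count("1") for b in plane)
    return {
        "pe_magic_in_lsb_plane": plane.startswith(PE_MAGIC),
        "lsb_plane_prefix": plane[:16],
        "ones_ratio": ones / max(1, 8 * len(plane)),
    }
```

The magic check only fires when the hidden file sits at bit offset zero in the plane; the ones_ratio is the cheaper hint that survives offset changes, since a PE carries long runs of zero padding that push the ratio well below what real audio noise produces.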
The second category of loader uses a rand()-based decoding algorithm to hide the XMRig Monero CPU miner. Unlike the first WAV file discussed, this audio file has legitimate headers but no music when played – the audio sounds like white noise, according to the researchers.
The attacker must use a command line (<Loader EXE> <WAV File> <Decoded PE File Entry Point>) to use this technique, researchers said. When executing the loader with the above WAV file, the loader will read the file, extract a DLL in memory, and attempt to execute the specified entry point.
As for the rand()-based shellcode loader, a different command line must be used (<Loader EXE> <WAV File>), but no entry point is necessary, researchers said. Upon execution, this loader opens a compatible WAV file, reads its data, decodes its contents, and launches a reverse shell to a specified IP address.
Here too, the audio files paired with this loader only contain white noise with no musical content.
The use of the three different loaders and two payloads indicates a level of innovation that’s notable, according to researchers.
“Attackers are creative in their approach to executing code, including the use of multiple files of different file formats,” according to the analysis. “The malware authors used a combination of steganography and other encoding techniques to deobfuscate and execute code. These strategies allowed attackers to conceal their executable content, making detection a challenging task. In this case, attackers employed obfuscation to both perform cryptomining activities and establish a reverse connection for command-and-control.”
As for attribution, there are similarities between these methods and known threat actor approaches – the steganography LSB technique was first identified in June being used by the Turla APT, for instance. However, this could be a false-flag effort to avoid direct attribution, researchers said.
“These similarities may point to a relationship between the attacks, though definitive attribution is challenging because different threat actors may use similar tools,” according to the research. “Also, our analysis focuses primarily on loaders, which are an initial stage of execution used to launch additional code. Different threat actors may use the same publicly available loader to execute unrelated second-stage malware.”
This posting was updated at 3:45 p.m. ET on Oct. 28, to clarify that the loaders' content is not included in the infected audio files, and that the loaders aren't audio files but .exes. Only the payloads are hidden in the WAV files. A loader can be used to extract the payloads from a multitude of WAV files, provided the method of hiding the payload content remains the same.