.WAVs Hide Malware in Their Depths in Innovative Campaign


Two different payloads are hiding in audio files, each paired with one of three loaders.

UPDATE

Audio .WAV files are the latest hiding place for obfuscated malicious code; a campaign has been spotted in which malicious content was secretly woven throughout the file’s audio data.

The embedded code consists of two different payloads: an XMRig Monero CPU cryptominer and Metasploit code used to establish a reverse shell. Each .WAV file is coupled with one of three different loader components that decode and execute the hidden payload, according to BlackBerry Cylance threat researchers.

Users are likely none the wiser: When played, the WAV files either produce music with no discernible quality issues or glitches, or, in some cases, simply generate static white noise.

This suggests “a two-pronged campaign to deploy malware for financial gain and establish remote access within the victim network,” the researchers noted in an analysis released on Wednesday.

The .WAV files can be delivered in any number of ways, ranging from spam or targeted emails to downloads from the web masquerading as pirated content.

Delving deeper into the obfuscated code, the loaders come in three different flavors, according to the analysis: those using Least Significant Bit (LSB) steganography to decode and execute a PE file; those that employ a rand()-based decoding algorithm to decode and execute a PE file; and those that employ a rand()-based decoding algorithm to decode and execute shellcode.

“These techniques demonstrate that executable content could theoretically be hidden within any file type, provided the attacker does not corrupt the structure and processing of the container format,” the researchers explained in a posting on Wednesday. “Adopting this strategy introduces an additional layer of obfuscation because the underlying code is only revealed in memory, making detection more challenging.”

The first category of loaders employs steganography to extract executable XMRig content from a WAV file. Steganography is the practice of concealing a file or message within another file, such as an image or audio file. In the Least Significant Bit (LSB) technique specifically, the hidden data is stored one bit at a time in the right-most bit of each individual byte, so the cover file's content changes by at most one unit per byte, according to BlackBerry Cylance. The loader also carries hardcoded strings specifying the filename to load ("Song.wav") and, once the payload is decoded, the exported function to call ("Start") in order to launch the miner.
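As an added example (not BlackBerry Cylance's loader, nor code from the campaign), the script below shows the LSB mechanic described above from both sides: it builds a mono 16-bit WAV in memory, hides a constructed stand-in for a PE image in the least-significant bit of every PCM byte, recovers it the way a loader would, and then runs the check a scanner can apply to any WAV without knowing the loader: reassemble the LSB plane and look for a DOS "MZ" header whose e_lfanew field points at a valid "PE\0\0" signature. The 4-byte length prefix, the 8 kHz tone used as cover audio and the fake PE body are all assumptions of this example; the scan does not depend on them.

```python
"""LSB audio steganography: hide, recover and detect a PE image inside WAV PCM data.

Added example. The cover audio, the 4-byte length prefix and the fake PE
are constructed here; nothing below is taken from the campaign's loaders.
"""
import io
import math
import struct
import wave

SAMPLE_RATE = 8000  # assumption: 8 kHz mono 16-bit cover audio; the format does not matter


def make_wav(n_frames=40000):
    """Constructed cover audio: a mono 16-bit PCM WAV holding a 440 Hz tone."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        frames = bytearray()
        for i in range(n_frames):
            frames += struct.pack("<h", int(12000 * math.sin(2 * math.pi * 440 * i / SAMPLE_RATE)))
        w.writeframes(bytes(frames))
    return buf.getvalue()


def fake_pe(body_len=512):
    """Constructed stand-in for a PE payload: 'MZ' stub, e_lfanew = 0x40, 'PE\\0\\0', filler."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3A)      # bytes 0x00..0x3B of the DOS header
    dos += struct.pack("<I", 0x40)                # e_lfanew at offset 0x3C
    dos += b"PE\x00\x00"                          # PE signature at offset 0x40
    return bytes(dos) + bytes((i * 37) & 0xFF for i in range(body_len))


def _split_wav(wav):
    """Return (wave params, raw PCM bytes) using the stdlib reader."""
    with wave.open(io.BytesIO(wav), "rb") as r:
        return r.getparams(), r.readframes(r.getnframes())


def _join_wav(params, pcm):
    """Write PCM bytes back out under the same header parameters."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams(params)
        w.writeframes(pcm)
    return buf.getvalue()


def embed_lsb(wav, payload):
    """Hide payload in the LSB of each PCM byte, MSB-first, behind a 4-byte length prefix."""
    params, pcm = _split_wav(wav)
    data = struct.pack("<I", len(payload)) + payload
    if len(data) * 8 > len(pcm):
        raise ValueError("cover audio too small for payload")
    out = bytearray(pcm)
    for i, byte in enumerate(data):
        for bit in range(8):
            pos = i * 8 + bit
            out[pos] = (out[pos] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return _join_wav(params, bytes(out))


def lsb_plane(pcm, max_bytes=None):
    """Reassemble the LSB of every PCM byte into a byte stream (what a loader reads back)."""
    capacity = len(pcm) // 8
    n = capacity if max_bytes is None else min(max_bytes, capacity)
    out = bytearray(n)
    for i in range(n):
        v = 0
        for bit in range(8):
            v = (v << 1) | (pcm[i * 8 + bit] & 1)
        out[i] = v
    return bytes(out)


def extract_lsb(wav):
    """Recover the payload as the loader would: read the length, then that many bytes."""
    _, pcm = _split_wav(wav)
    (length,) = struct.unpack("<I", lsb_plane(pcm, 4))
    return lsb_plane(pcm, 4 + length)[4:]


def looks_like_pe(blob):
    """True if blob starts with 'MZ' and its e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_wav_for_lsb_pe(wav, window=0x100):
    """Scanner-side check: does a PE header appear anywhere in the first `window` bytes of the LSB plane?"""
    _, pcm = _split_wav(wav)
    plane = lsb_plane(pcm, window + 0x44)
    return any(looks_like_pe(plane[off:]) for off in range(0, window))


if __name__ == "__main__":
    cover = make_wav()
    stego = embed_lsb(cover, fake_pe())
    assert extract_lsb(stego) == fake_pe()
    print("clean WAV flagged:", scan_wav_for_lsb_pe(cover))
    print("stego WAV flagged:", scan_wav_for_lsb_pe(stego))
```

The scan validates the e_lfanew pointer rather than matching "MZ" alone, because two bytes of a reassembled bit plane will occasionally spell "MZ" by chance in ordinary audio; requiring the PE signature at the referenced offset keeps the false-positive rate negligible. It only catches plain LSB embedding at the start of the data chunk, which is exactly the limitation the campaign's rand()-based encoders exploit.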

The second category of loader uses a rand()-based decoding algorithm to recover the XMRig Monero CPU miner. Unlike the first WAV file discussed, this audio file has legitimate headers but no music when played; the audio sounds like white noise, according to the researchers.

This loader is invoked from the command line as <Loader EXE> <WAV File> <Decoded PE File Entry Point>, researchers said. When run against the WAV file above, the loader reads the file, extracts a DLL in memory and attempts to execute the specified entry point.

As for the rand()-based shellcode loader, the command line is simpler (<Loader EXE> <WAV File>): no entry point is needed, researchers said. Upon execution, this loader opens a compatible WAV file, reads its data, decodes its contents and launches a reverse shell to a hardcoded IP address.

Here too, the audio files paired with this loader only contain white noise with no musical content.

The use of the three different loaders and two payloads indicates a level of innovation that’s notable, according to researchers.

“Attackers are creative in their approach to executing code, including the use of multiple files of different file formats,” according to the analysis. “The malware authors used a combination of steganography and other encoding techniques to deobfuscate and execute code. These strategies allowed attackers to conceal their executable content, making detection a challenging task. In this case, attackers employed obfuscation to both perform cryptomining activities and establish a reverse connection for command-and-control.”

As for attribution, there are similarities between these methods and known threat actor approaches; the LSB steganography technique, for instance, was first seen in June being used by the Turla APT. However, this could be a false-flag effort to avoid direct attribution, researchers said.

“These similarities may point to a relationship between the attacks, though definitive attribution is challenging because different threat actors may use similar tools,” according to the research. “Also, our analysis focuses primarily on loaders, which are an initial stage of execution used to launch additional code. Different threat actors may use the same publicly available loader to execute unrelated second-stage malware.”

This posting was updated at 3:45 p.m. ET on Oct. 28, to clarify that the loaders are not included in the infected audio files, and that the loaders are not audio files but .exe files. Only the payloads are hidden in the WAV files. A single loader can extract payloads from any number of WAV files, provided the method used to hide the payload content remains the same.


Discussion

  • obe on

    WOWOW! WAV files are so dangerous now! Anyone can get infected these days! Anyone who naively downloads an executable, then naively downloads a WAV file, and then naively opens the command prompt and types: "decodeWAV.exe WhateverTrashKidsListenToToday.wav 0x20FA". That's it. Game over. No one is safe.
  • Anonymous on

    WOWOW! WAV files are so dangerous now! Anyone can get infected these days! Anyone who naively downloads an executable, then naively downloads a WAV file, and then naively opens the command prompt and types: "decodeWAV.exe WhateverTrashKidsListenToToday.wav 0x20FA". That's it. Game over. No one is safe...
  • Will Rubin on

    I'm not understanding. How do these executables get run from within a .wav file? Is the implication that .wav files will run arbitrary code? That certain players will? In other words, if I download a .wav file and double click on it it opens in a player that looks for and executes code how exactly?
    • Tara Seals on

      Thanks for the questions, Will -- I'll reach out to the research firm and see if I can get answers for you.
    • Tara Seals on

      Hi there Will -- here is the answer I got from Josh Lemos, VP of Research & Intelligence at BlackBerry Cylance: "Each WAV file is paired with a loader (executable PE file) that knows to extract the hidden payload from inside the media file. If the WAV files are played by a regular media player, sound or white noise will be heard. The malicious payload will be executed only when the WAV files are leveraged by the corresponding loader executable that knows how to extract the hidden payload and inject it in itself or in an existing running process."
  • Anonymous on

    Techniques to encode data in media have been used for many years so nothing new there despite the impressive sounding techniques mentioned. It would work with a jpeg or video file too. I’ve read that screener DVDs are encoded with identifying info to prevent piracy, basically the same techniques. In order to infect, both the wav file and the loader have to be on your pc, then the loader has to be run and pointed at the wav file. Not sure how that attack vector is threatening. Am I missing something?
  • Jim Lloyd on

    So... The WAV file(s) will not actually execute from a 'standard' media player application that the average user is likely to use to play files. That is good! I am an IT person, audio enthusiast, and DJ. I was waiting for the drop on how the operating system or application would be instructed how to extract and assemble the executable... and run it. Other audio formats (and video) are prone to this exact issue, so not a dramatic news story. Now, to wait and see how long it takes for operating systems and/or anti-malware programs start adding this to their detection process. I'd expect that they already do, as long as the file extension in question is not in the exclusion list.
  • OldNavyGuy on

    My question is how do the loaders actually get on a system? Several reports use the term "embedded" in the WAV file. Cylance says "coupled" with the WAV file. One report said that malware would already need to exist before the exploit would work. It doesn't make sense that a "pre-infection" would wait around for someone to download an infected WAV file, hoping that it had the right loader already installed for that WAV file. Seems that some clarification is needed. Thanks.
    • Tara Seals on

      Thanks for the comment! I emailed the researchers with your question. Stay tuned...
    • Tara Seals on

      BlackBerry Cylance's Sam Lemos told me this: "We believe most payloads were delivered through spear-phishing. The WAV file needs to be coupled (included) with a loader which is the 1st stage malware. Each loader “knows” how to extract the 2nd stage malware from each WAV file. The “embedded” malware refers to the 2nd stage which in this case is either Metasploit reverse shell or the XMRig Monero malware. There is no exploit that is leveraged, the loader parses the corresponding WAV file and extracts the payload hidden in the WAV file and injects it in the current process address space. Both the loader and the WAV file need to be present on the system in order for this to work. Hiding data in “benign” file formats is done for stealth."
  • orb on

    The loaders do not rely on a victim to download an infected wav file. The loader is responsible for initiating the download from specific servers hosting the infected wav files.
  • orb on

    re "Upon execution, this loader opens a compatible WAV file, reads its data, decodes its contents, and launches a reverse shell to a specified IP address." If the loaders are embedded within the .wav file wouldn't it just read the data, decode and launch the shell without need to open another .wav file? IOW - The quoted text indicates the need for two separate files to successfully launch the abuse. The "pairing" you refer to is that about 2 separate files that work in tandem (pairing)?
    • Tara Seals on

      Hi there -- yes, correct. Here's what BlackBerry Cylance’s Sam Lemos told me: “We believe most payloads were delivered through spear-phishing. The WAV file needs to be coupled (included) with a loader which is the 1st stage malware. Each loader “knows” how to extract the 2nd stage malware from each WAV file. The “embedded” malware refers to the 2nd stage which in this case is either Metasploit reverse shell or the XMRig Monero malware. There is no exploit that is leveraged, the loader parses the corresponding WAV file and extracts the payload hidden in the WAV file and injects it in the current process address space. Both the loader and the WAV file need to be present on the system in order for this to work. Hiding data in “benign” file formats is done for stealth.”
  • OldNavyGuy on

    From the article... "The .WAV files can be delivered in any number of ways, ranging from spam or targeted emails to downloads from the web masquerading as pirated content" So that begs the question...would a victim click on an attached loader, or a WAV file, in an email.
  • orb on

    Having the victim download an archive zip, rar etc... that contains both files would be the logical way to deliver two files when only one file (the wav) is expected. Once decompressed into a folder both files would be present. Including an "about" or readme file that explains why "loader.exe" should be run before the wav file is played will snag some users.
    • OldNavyGuy on

      Possible...but seems like a lot of work to deliver an exploit. I'd be interested in what Cylance found in the spear-phishing campaigns.
  • orb on

    Your column has created confusion among people that are quoting this column as saying "Three different loaders and two payloads are hiding in audio files." Can you either confirm that as true or not true? The explanation of being "paired" has only emboldened those that are quoting you as their source of self executing malcode being present in benign file formats as being factual. Just for the sake of accuracy would you please retract "Three different loaders and two payloads are hiding in audio files."? The loaders are NOT included in the infected audio files nor are loaders audio files - they are .exe's.
    • Tara Seals on

      Thanks -- I clarified with the researchers and have updated the posting!
  • orb on

    Thank you for that but one of the commenters to this article (old navy guy) is still insisting - quoting you and posting links to this article as "proof" that the loaders are embedded within the .wav files. He is using the word "paired" to mean "embedded" which you & I know is not factual. Would you put this matter to rest and just clearly state that the loaders are NOT embedded within the .wav files?
