The WAV files were observed to carry a loader component that decodes the payload, and the malicious content was spread throughout the audio data. These files can be delivered through spam emails or web downloads posing as pirated content.
Analyzing the campaign
The campaign delivered two payloads: the XMRig Monero CPU miner and Metasploit code used to establish a reverse shell.
“Each approach allows the attacker to execute code from an otherwise benign file format. These techniques demonstrate that executable content could theoretically be hidden within any file type, provided the attacker does not corrupt the structure and processing of the container format,” say the researchers.
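The researchers' point is that the hidden content has to leave the container structurally valid, so a defender can still parse the container and look for what does not belong in PCM audio. The following triage script is an added example, not the researchers' code: it walks the RIFF chunks by hand, rejects size inconsistencies, then checks the data chunk for executable markers and for entropy near 8 bits/byte. The sample WAV, the embedded marker bytes and the threshold are all constructed for the demonstration.

```python
import io
import math
import struct
import wave
from collections import Counter

def build_sample_wav(embed: bytes) -> bytes:
    """Constructed sample: one second of a quiet 8 kHz 8-bit tone, with 'embed' overwriting the middle samples."""
    frames = bytearray((128 + int(20 * math.sin(i / 5.0))) & 0xFF for i in range(8000))
    mid = len(frames) // 2
    frames[mid:mid + len(embed)] = embed
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(1)
        w.setframerate(8000)
        w.writeframes(bytes(frames))
    return buf.getvalue()

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_riff_chunks(blob: bytes) -> dict:
    """Walk the RIFF container by hand; reject anything whose declared sizes disagree with the bytes present."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE container")
    if struct.unpack("<I", blob[4:8])[0] + 8 != len(blob):
        raise ValueError("RIFF size field does not match file length")
    chunks, pos = {}, 12
    while pos + 8 <= len(blob):
        cid, size = blob[pos:pos + 4], struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        body = blob[pos + 8:pos + 8 + size]
        if len(body) != size:
            raise ValueError(f"chunk {cid!r} truncated")
        chunks[cid] = body
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to even length
    return chunks

# Markers of executable content that would not occur in genuine PCM audio.
EXEC_MARKERS = (b"MZ\x90\x00", b"This program cannot be run in DOS mode", b"\x7fELF")

def triage_wav(blob: bytes, entropy_threshold: float = 7.5) -> dict:
    """Flag a WAV whose audio payload carries executable markers or looks encrypted (entropy near 8 bits/byte)."""
    data = parse_riff_chunks(blob).get(b"data", b"")
    hits = [m for m in EXEC_MARKERS if m in data]
    ent = round(shannon_entropy(data), 3)
    return {"entropy": ent, "markers": hits, "suspicious": bool(hits) or ent > entropy_threshold}
```

The entropy threshold is a triage heuristic only: loud 16-bit music can score high on its own, and a payload spread across low-order sample bits will neither raise entropy much nor expose markers, so treat a clean result as "nothing obvious" rather than "clean".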
The researchers found similarities between these attacks and those of the Waterbug/Turla threat actor. However, they note that different threat actors may simply be using the same publicly available loader, or that the overlap could be an effort to avoid direct attribution.