
Musical Malware: How Attackers Are Spreading Malicious WAV Audio Files?

  • A new attack campaign that hides malicious code in WAV files has been discovered by researchers.
  • Some of the infected WAV files played music without any glitches, while others generated white noise.

Each WAV file carries a loader component that decodes the payload, and the malicious content was found spread throughout the audio data. The files can be delivered through spam emails or through web downloads posing as pirated content.

Analyzing the campaign

The campaign delivered two payloads: the XMRig Monero CPU miner and Metasploit code that establishes a reverse shell.

  • The discovery of both payloads in the same environment suggests the attackers were after both financial gain and remote access to the victim's network.
  • The campaign employs steganography, the practice of hiding one file inside another to avoid detection. The malicious code is hidden in the audio data using the Least Significant Bit (LSB) technique.
  • The use of steganography and other encoding techniques in this campaign makes it hard to detect.
  • The analysis shows that the loaders are of three different types: one that uses Least Significant Bit (LSB) steganography to decode and execute a PE file, one that uses a rand()-based decoding algorithm to decode and execute a PE file, and one that uses a rand()-based decoding algorithm to decode and execute shellcode.
  • The combination of three loaders and two payloads indicates a high level of innovation in this attack campaign.

“Each approach allows the attacker to execute code from an otherwise benign file format. These techniques demonstrate that executable content could theoretically be hidden within any file type, provided the attacker does not corrupt the structure and processing of the container format,” say the researchers.
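As an added illustration (not code from the article or from the researchers' report), the script below extracts the least-significant-bit plane from a 16-bit PCM WAV file and looks for a PE header in it, the kind of triage check a defender can run on suspicious audio. The bit order (one bit per sample, packed MSB-first) and the "MZ" plus DOS-stub heuristic are assumptions, and build_sample_wav only produces a constructed test file, not a real sample from the campaign.

```python
import io
import math
import struct
import wave

DOS_STUB = b"This program cannot be run in DOS mode"


def lsb_plane(pcm: bytes) -> bytes:
    # One bit per 16-bit little-endian sample, packed MSB-first (assumed loader convention).
    n = len(pcm) // 2
    samples = struct.unpack("<%dh" % n, pcm[:n * 2])
    out = bytearray()
    for i in range(0, n - n % 8, 8):
        byte = 0
        for s in samples[i:i + 8]:
            byte = (byte << 1) | (s & 1)
        out.append(byte)
    return bytes(out)


def scan_wav(data: bytes) -> list:
    # Offsets in the LSB plane where an "MZ" header is followed by the DOS stub text.
    with wave.open(io.BytesIO(data), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("demo handles 16-bit PCM only")
        pcm = w.readframes(w.getnframes())
    plane = lsb_plane(pcm)
    hits, pos = [], plane.find(b"MZ")
    while pos != -1:
        if DOS_STUB in plane[pos:pos + 256]:  # stub sits near the start of a real PE image
            hits.append(pos)
        pos = plane.find(b"MZ", pos + 1)
    return hits


def build_sample_wav(payload: bytes, seconds: float = 1.0) -> bytes:
    # Constructed fixture: a 440 Hz tone whose sample LSBs carry the payload bits.
    rate, frames = 8000, int(8000 * seconds)
    bits = [(b >> (7 - k)) & 1 for b in payload for k in range(8)]
    samples = []
    for i in range(frames):
        s = int(10000 * math.sin(2 * math.pi * 440 * i / rate))
        if i < len(bits):
            s = (s & ~1) | bits[i]
        samples.append(s)
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams((1, 2, rate, frames, "NONE", "not compressed"))
        w.writeframes(struct.pack("<%dh" % frames, *samples))
    return buf.getvalue()
```

A clean tone yields no hits, while a file whose LSBs carry an "MZ" header followed by the DOS stub is flagged with the header's byte offset in the extracted plane; the stub check keeps a stray "MZ" in natural audio noise from triggering.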

Attribution

The researchers found similarities between these attacks and those of the Waterbug/Turla threat actor. However, it is possible that different threat actors are using the same publicly available loader; according to the researchers, it could also be an effort to avoid direct attribution.
