Malicious WAV files can be used to spread malware and cryptominers

Security researchers have discovered a malware campaign that uses seemingly innocent audio files to spread malicious code and cryptocurrency miners. The WAV files, which carry the malware hidden by steganography, play normally and give no indication that anything is wrong.

The files carrying the malware are sent to victims by email. Once played, they install and run a mining tool for the Monero cryptocurrency. In other cases, Metasploit code was used to open the computer to remote attack.

Researchers Anuj Soni, Jordan Barth and Brian Marks of BlackBerry Cylance are the trio that made the discovery. "Each WAV file was paired with a loader component to decode and execute the malicious content secretly embedded in the file's audio data," they explained. "When played, some of the WAV files produced music with no quality issues or noticeable glitches; others simply generated static (white noise).

"Our analysis reveals that some of the WAV files contain code associated with the XMRig Monero CPU miner. Others include Metasploit code used to establish a reverse shell. Both payloads were discovered in the same environment, suggesting a two-pronged campaign to deploy malware for financial gain and to establish remote access within the victim's network."

Hidden in the music

The encoding and obfuscation used to hide the malware inside audio files make it very difficult to detect. Although the samples found by the BlackBerry Cylance researchers used audio files, the team cautions that the same techniques could be used to hide malware in any type of file.
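A defender-side triage check for the kind of file described above, as an added example that is not part of the original article or of the BlackBerry Cylance report: it parses the RIFF structure of a WAV file, flags non-standard chunks and bytes appended past the declared file size, and reports how the least-significant bits of the PCM samples are distributed (the textbook place to hide data in audio; the article does not say which encoding this campaign used, so that is an assumption). The WAV inputs are constructed inside the code rather than taken from the campaign.

```python
import struct

def make_chunk(cid, payload):
    """RIFF chunk: 4-byte id, little-endian size, payload padded to an even length."""
    return cid + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")

def build_wav(samples, extra_chunks=b"", trailing=b""):
    """Constructed 16-bit mono 8 kHz PCM WAV, used only as test input for the checker."""
    pcm = struct.pack("<%dh" % len(samples), *samples)
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)  # PCM, mono, rate, byte rate, align, bits
    body = b"WAVE" + make_chunk(b"fmt ", fmt) + extra_chunks + make_chunk(b"data", pcm)
    return b"RIFF" + struct.pack("<I", len(body)) + body + trailing

# Chunk ids a plain WAV writer is expected to emit; anything else deserves a look.
EXPECTED_CHUNKS = {"fmt ", "data", "LIST", "fact", "cue ", "bext"}

def analyze_wav(data):
    """Return structural and statistical triage facts about a WAV byte string."""
    if data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_size = struct.unpack("<I", data[4:8])[0]
    report = {"chunks": [], "unexpected_chunks": [],
              # Bytes after the declared RIFF body: players ignore them, a loader might not.
              "trailing_bytes": max(0, len(data) - (8 + riff_size)),
              "lsb_ones_ratio": None}
    pos, pcm = 12, b""
    while pos + 8 <= min(len(data), 8 + riff_size):
        cid = data[pos:pos + 4].decode("ascii", "replace")
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        report["chunks"].append((cid, size))
        if cid not in EXPECTED_CHUNKS:
            report["unexpected_chunks"].append(cid)
        if cid == "data":
            pcm = data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # chunks are word-aligned
    n = len(pcm) // 2
    if n:
        samples = struct.unpack("<%dh" % n, pcm[:n * 2])
        # Share of samples whose lowest bit is set. This is a triage statistic, not proof:
        # compare it with a known-clean file from the same source and treat a shift
        # toward 0.5 on otherwise flat or synthetic audio as one indicator worth a closer look.
        report["lsb_ones_ratio"] = sum(s & 1 for s in samples) / n
    return report
```

Run analyze_wav over a directory of attachments and rank files by trailing_bytes, unexpected_chunks and lsb_ones_ratio; the output is a shortlist for a sandbox or manual review, not a verdict.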

A detailed description of how the attack works is available on the Threat Vector website.