The age-old technique of steganography, concealing malicious code inside innocuous files, is the latest tool being used by attackers. Read on to learn more.
A new attack campaign that hides malicious code in WAV files has been discovered by researchers. Some of the infected WAV files played music without any glitches, while others generated white noise. The discovery of both these payloads in the same environment may hint at financial gain and remote access in the victim’s network.
The WAV files were observed to be paired with a loader component that decodes the hidden content, and the malware was found spread throughout the audio data. These files can be delivered through spam emails, or as web downloads posing as pirated content.
The first of these two new malware campaigns abusing WAV files was reported back in June. Symantec security researchers said they spotted a Russian cyber-espionage group known as Waterbug (or Turla) using WAV files to hide and transfer malicious code from their server to already-infected victims. The second malware campaign was spotted this month by BlackBerry Cylance. Cylance said it saw something similar to what Symantec saw a few months before.
While the Symantec report described a nation-state cyber-espionage operation, Cylance said they saw the WAV steganography technique being abused in a run-of-the-mill crypto-mining malware operation.
The malware campaign using WAV files delivered two payloads, XMRig Monero CPU miner and a Metasploit code to establish a reverse shell. This campaign employs steganography, the process of hiding a file in another file to avoid detection. The malicious code is hidden in the audio file using the Least Significant Bit (LSB) technique.
The use of steganography and other encoding techniques in this campaign makes it hard to detect. The analysis shows that the loaders used are of three different types: one that employs Least Significant Bit (LSB) steganography to decode and execute a PE file, one that employs a rand()-based decoding algorithm to decode and execute a PE file, and one that employs a rand()-based decoding algorithm to decode and execute shellcode. The use of these three loaders and two payloads indicates a high level of innovation in this attack campaign.
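The LSB loader described above reads one hidden bit from the least significant bit of each audio sample and reassembles those bits into an executable. The following is an added example, not code from the original article or from the Cylance or Symantec research, showing what a defender's triage check for that decoding step looks like: it parses a 16-bit mono WAV, rebuilds bytes from the sample LSBs, and flags the file when the rebuilt stream begins with a PE header. The bit layout (one bit per sample, most significant bit of each byte first, payload starting at sample 0) is an assumption made for this example; real loaders may use different offsets or orderings. The test audio and the bytes hidden in it are constructed here solely to exercise the check.

```python
import io
import math
import struct
import wave

SAMPLE_RATE = 8000
N_SAMPLES = 8000  # one second of constructed 16-bit mono audio


def read_wav_samples(wav_bytes: bytes) -> list:
    """Return the signed 16-bit mono PCM samples of an in-memory WAV file."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as wf:
        if wf.getsampwidth() != 2 or wf.getnchannels() != 1:
            raise ValueError("example handles 16-bit mono PCM only")
        raw = wf.readframes(wf.getnframes())
    return list(struct.unpack("<%dh" % (len(raw) // 2), raw))


def extract_lsb_bytes(samples: list, n_bytes: int) -> bytes:
    """Rebuild up to n_bytes from the least significant bit of each sample.

    Assumed layout: one bit per sample, MSB of each byte first, starting at
    sample 0. Negative samples work because Python's & on two's-complement
    integers yields the same LSB the loader would see in the raw PCM word.
    """
    usable = min(n_bytes * 8, (len(samples) // 8) * 8)
    out = bytearray()
    for i in range(0, usable, 8):
        value = 0
        for s in samples[i:i + 8]:
            value = (value << 1) | (s & 1)
        out.append(value)
    return bytes(out)


def lsb_stream_has_pe_header(wav_bytes: bytes) -> bool:
    """Triage check: does the LSB plane, read with the assumed layout,
    start with the 'MZ' signature of a Windows PE file?"""
    samples = read_wav_samples(wav_bytes)
    return extract_lsb_bytes(samples, 2) == b"MZ"


def make_test_wav(hidden: bytes = b"") -> bytes:
    """Build a constructed 440 Hz sine-wave WAV; when `hidden` is given,
    write its bits into the sample LSBs so the scanner can be exercised."""
    samples = [int(10000 * math.sin(2 * math.pi * 440 * i / SAMPLE_RATE))
               for i in range(N_SAMPLES)]
    if hidden:
        bits = [(b >> (7 - k)) & 1 for b in hidden for k in range(8)]
        if len(bits) > len(samples):
            raise ValueError("not enough samples to carry the hidden bytes")
        for i, bit in enumerate(bits):
            samples[i] = (samples[i] & ~1) | bit
    buf = io.BytesIO()
    with wave.open(buf, "wb") as wf:
        wf.setnchannels(1)
        wf.setsampwidth(2)
        wf.setframerate(SAMPLE_RATE)
        wf.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


if __name__ == "__main__":
    clean = make_test_wav()
    suspicious = make_test_wav(b"MZ" + b"CONSTRUCTED")
    print("clean audio flagged:", lsb_stream_has_pe_header(clean))
    print("constructed sample flagged:", lsb_stream_has_pe_header(suspicious))
```

A check tied to one layout will miss a loader that starts at another offset, reads bits in a different order, or strips the header before embedding, which is why the article's point that "steganography and other encoding techniques" hinder detection holds: in practice the loader itself, rather than the audio, is the more reliable thing to detect, and a scanner like this one is only a cheap first pass over files a suspicious loader was seen reading.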
“Each approach allows the attacker to execute code from an otherwise benign file format. These techniques demonstrate that executable content could theoretically be hidden within any file type, provided the attacker does not corrupt the structure and processing of the container format,” say the researchers.
The researchers found similarities between these attacks and those of the Waterbug/Turla threat actor. However, there is the possibility of different threat actors using the same publicly available loader. It could also be an effort to avoid direct attribution, according to the researchers.
“These similarities may point to a relationship between the attacks, though definitive attribution is challenging because different threat actors may use similar tools,” according to the research. “Also, our analysis focuses primarily on loaders, which are an initial stage of execution used to launch additional code. Different threat actors may use the same publicly available loader to execute unrelated second-stage malware.”