
Security researchers have discovered a new campaign by cybercriminals that’s hiding cryptojacking malware in WAV audio files. This comes just days after the first cryptojacking worm, known as Graboid, was discovered by another group of security experts, indicating just how rapidly the tactics are shifting. In this new campaign, the criminals were reportedly weaving in a loader component for decoding and executing malicious content throughout the file’s audio data.

This new campaign was discovered by Cylance, a California-based subsidiary of BlackBerry that develops antivirus programs. In a blog post, the researchers revealed that some of the WAV files contain code associated with the XMRig Monero CPU miner. Others contained Metasploit code used to establish a reverse shell, effectively giving the attackers unrestricted access to their victim’s machine.

The researchers stated, “Both payloads were discovered in the same environment, suggesting a two-pronged campaign to deploy malware for financial gain and establish remote access within the victim network.”

What makes the attack very difficult to detect is that embedding the malware has no effect on the quality of the files.

“When played, some of the WAV files produced music that had no discernible quality issues or glitches. Others simply generated static (white noise),” the report stated.

Even more significantly, this type of attack proves that cybercriminals can hide malware in any type of file, the researchers noted. The report stated, “These techniques demonstrate that executable content could theoretically be hidden within any file type, provided the attacker does not corrupt the structure and processing of the container format. Adopting this strategy introduces an additional layer of obfuscation because the underlying code is only revealed in memory, making detection more challenging.”

The practice of hiding malware in plain sight isn’t a new concept. However, this marks the first time that audio files have been used to spread crypto mining malware, proving just how popular cryptojacking has become.

The report concluded, “Analysis revealed that the malware authors used a combination of steganography and other encoding techniques to deobfuscate and execute code. These strategies allowed attackers to conceal their executable content, making detection a challenging task.”
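A defender-side triage sketch for two observations above (the container structure stays valid, and some files play as static), added here as an example and not code from the Cylance report. The function names, the 7.9 bits-per-byte threshold and the in-memory sample files are assumptions made for illustration.

```python
import io, math, random, struct, wave
from collections import Counter

def riff_chunks(blob):
    """Walk the RIFF chunk list; return ({chunk_id: payload}, trailing_bytes)."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    declared_end = 8 + struct.unpack_from("<I", blob, 4)[0]
    chunks, pos = {}, 12
    while pos + 8 <= min(declared_end, len(blob)):
        cid, size = struct.unpack_from("<4sI", blob, pos)
        chunks[cid] = blob[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # chunks are padded to even length
    return chunks, max(0, len(blob) - declared_end)

def entropy(data):
    """Shannon entropy in bits per byte; 8.0 means uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_wav(blob, threshold=7.9):  # threshold is an assumed cut-off
    chunks, trailing = riff_chunks(blob)
    findings = []
    if b"fmt " not in chunks or b"data" not in chunks:
        findings.append("missing fmt/data chunk")
    h = entropy(chunks.get(b"data", b""))
    if h >= threshold:
        findings.append("noise-like audio data")
    if trailing:
        findings.append("bytes after RIFF end")
    return {"entropy": round(h, 2), "findings": findings}

def make_wav(frames):
    """Constructed sample input: 16-bit mono 8 kHz WAV built in memory."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams((1, 2, 8000, 0, "NONE", "not compressed"))
        w.writeframes(frames)
    return buf.getvalue()

# Constructed samples: a 440 Hz tone and seeded pseudo-random bytes as "static".
TONE = make_wav(b"".join(struct.pack("<h", int(3000 * math.sin(2 * math.pi * 440 * i / 8000)))
                         for i in range(8000)))
rng = random.Random(0)
STATIC = make_wav(bytes(rng.getrandbits(8) for _ in range(16000)))

if __name__ == "__main__":
    for name, blob in (("tone", TONE), ("static", STATIC), ("tone+tail", TONE + bytes(16))):
        print(name, triage_wav(blob))
```

A high entropy score is only a lead for further analysis: loud or heavily processed audio can also score high, and a file that plays clean music may pass this check.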

As CoinGeek recently reported, security researchers from Palo Alto Networks’ Unit 42 discovered a new cryptojacking worm, which they named Graboid. Thought to be the first of its kind, the worm uses its hosts to mine Monero while spreading to other systems.
