WAV audio files found carrying a malicious Monero miner and backdoors

Malicious code with Monero cryptominers and backdoors is found hidden in WAV audio files

Malware campaigns abusing WAV files were discovered dropping the XMRig Monero miner and backdoors. BlackBerry Cylance threat researchers note that they discovered a new malicious campaign that uses WAV audio files to hide and drop backdoors and cryptominers on targeted systems.[1] According to the report, the WAV files are used to hide an additional loader component that decodes and executes the malicious script once the audio file is on the system.

To evade detection by anti-malware tools, the hackers used steganography, a method that has mainly been employed in file formats like PNG or JPEG.[2]

The cryptomining application being spread appears to be the XMRig Monero miner.[3] However, some of the payloads also included Metasploit, which allows establishing a command-and-control reverse connection:

Both payloads were discovered in the same environment, suggesting a two-pronged campaign to deploy malware for financial gain and establish remote access within the victim network.

The audio file wasn't damaged and played music with no quality issues, so the victim was almost completely incapable of noticing the difference.

Not the first time WAV audio files have been used

This is not the first steganography-based campaign used to inject cryptominers on the targeted machine. Hackers have previously relied on audio files to conceal malware without being noticed.[4]

Initial reports about malicious actors and WAV files started surfacing back in June, when the Russian group known as Waterbug used this format to hide the malicious code from their server. Another report about such a malware campaign came up in October, when BlackBerry Cylance reported incidents similar to those Symantec had analyzed before.[5]

Steganography loader allows an attacker to execute the code from a safe-looking format

Steganography was previously known as a way to abuse image files, but this new malware campaign shows that malicious code can be hidden within, and executed from, any file type. There is no need to corrupt the format or process, so the underlying code is only revealed in memory. This strategy makes the detection of malware more difficult.

Researchers state that developing this technique takes time and requires a proper understanding of the file format. Malicious actors that use this method are, in most cases, sophisticated and want to remain undetected for an extended period. Unfortunately, steganography can be used with any file format because the attacker can attach code to the structure of the targeted file without breaking its integrity.

However, there is no proper way to defend against this method, because companies would have to block downloads of various popular formats to avoid the infection.[6] This would interfere with the regular usage of the internet and internal networks.
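
The following Python is an added example, not code from this article or from the cited report. It shows the kind of inspection a gateway or analyst can run on a WAV file rather than blocking the format: it walks the RIFF chunk structure and reads the low bit of each audio sample. Least-significant-bit embedding in 16-bit PCM is an assumption (the article does not say how the data is hidden), all function names are hypothetical, and a payload that is encoded before embedding would show no signature.

```python
import struct

KNOWN_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact"}
MAGICS = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}

def walk_riff(blob):
    """Return ([(chunk_id, payload_offset, size)], bytes_after_declared_riff_end)."""
    if blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_end = 8 + struct.unpack_from("<I", blob, 4)[0]
    chunks, pos = [], 12
    while pos + 8 <= min(riff_end, len(blob)):
        cid, size = struct.unpack_from("<4sI", blob, pos)
        chunks.append((cid, pos + 8, size))
        pos += 8 + size + (size & 1)  # chunk payloads are padded to even length
    return chunks, max(0, len(blob) - riff_end)

def lsb_plane(pcm, nbytes):
    """Pack the lowest bit of each little-endian 16-bit sample into bytes, MSB first."""
    out = bytearray()
    for i in range(0, min(nbytes * 8, len(pcm) // 2) - 7, 8):
        out.append(sum((pcm[2 * (i + j)] & 1) << (7 - j) for j in range(8)))
    return bytes(out)

def inspect_wav(blob):
    """Return a list of findings; an empty list means nothing was flagged."""
    chunks, trailing = walk_riff(blob)
    findings = [f"{trailing} bytes after the declared RIFF end"] if trailing else []
    for cid, off, size in chunks:
        if cid not in KNOWN_CHUNKS:
            findings.append(f"unexpected chunk {cid!r} ({size} bytes)")
        if cid == b"data":
            head = lsb_plane(blob[off:off + size], 4)
            findings += [f"sample LSBs begin with {name} signature"
                         for magic, name in MAGICS.items() if head.startswith(magic)]
    return findings

def make_wav(samples, extra=b""):
    """Constructed test input: 16-bit mono PCM WAV, `extra` appended past the RIFF end."""
    pcm = struct.pack(f"<{len(samples)}h", *samples)
    fmt = struct.pack("<4sIHHIIHH", b"fmt ", 16, 1, 1, 8000, 16000, 2, 16)
    body = b"WAVE" + fmt + struct.pack("<4sI", b"data", len(pcm)) + pcm
    return b"RIFF" + struct.pack("<I", len(body)) + body + extra

# Constructed samples: a flat tone, and one whose low bits spell a 4-byte PE-style header.
HEADER_BITS = [(b >> (7 - k)) & 1 for b in b"MZ\x90\x00" for k in range(8)]
CLEAN = make_wav([1000, -1000] * 32)
MARKED = make_wav([1000 | bit for bit in HEADER_BITS] * 2, extra=b"\0" * 10)
```

Both constructed files are valid WAV audio; only the second returns findings from `inspect_wav`, one for the bytes appended after the RIFF end and one for the header recovered from the sample low bits.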

About the author
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor's degree was in English Philology.
