Malware operators use .WAV files to conceal malicious code
In recent months, two reports have described malware operators using WAV audio files to conceal malicious code. The files are accompanied by a loader component that uses either a decoding algorithm or steganography to decrypt and run the code embedded throughout the audio data inside the files.
Steganography is usually employed to hide data inside image files. In principle, however, malicious executable code can be hidden inside any type of file, provided the attacker does not corrupt the container format's structure or the way the file is processed. www.helpnetsecurity.com reported this on October 16, 2019.
The first of the two reports on the abuse of WAV files was published in June this year. Security researchers at Symantec identified a Russian cyber-espionage group called Waterbug (also known as Turla) that used WAV audio files to conceal malicious code while transmitting it from the group's server to already infected devices.
The second report came out this October from BlackBerry Cylance, which says its findings are broadly similar to what Symantec observed in June.
However, while Symantec's report describes a state-backed cyber-espionage campaign, Cylance's report describes WAV steganography being used in a crypto-mining malware operation. Attackers are evidently becoming more inventive in how they deliver and execute code, including spreading it across more than one file.
According to BlackBerry Cylance's threat researchers, the embedded malicious code relies on one of three different loader components to decrypt and execute the malware. End users are none the wiser: when played, the WAV files either produce music with no glitches or quality problems, or simply emit steady white noise.
The campaign delivers two payloads: Metasploit code used to set up a reverse shell, and the XMRig Monero CPU cryptominer. This points to a two-pronged campaign: dropping malware for financial gain while also establishing remote access into the victim's infected network.
The .WAV files are delivered in various ways, from bulk or personalized e-mails to downloads masquerading as pirated content.
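The article notes that a carrier WAV plays normally because the payload only disturbs the least-significant bits of the audio samples. The following Python script is an added example written for this page, not code from Symantec, BlackBerry Cylance or SPAMfighter, and it models no specific sample from either report. It shows two checks a defender can run on a suspicious WAV: a structural check for bytes hidden after the end declared in the RIFF header, and the classic pairs-of-values chi-square test, which flags a 16-bit PCM file whose LSB plane has been overwritten with noise-like data (an encrypted blob woven through the audio, as described above). The test material is constructed inline: a synthetic 440 Hz tone, and a copy of it whose LSBs are replaced with pseudo-random bits to stand in for an embedded payload. Function names and the 3.0 triage threshold are this example's own choices.

```python
import io
import math
import random
import struct
import wave

SAMPLE_RATE = 8000


def build_wav_bytes(samples, sample_rate=SAMPLE_RATE):
    """Serialize 16-bit mono PCM samples into an in-memory WAV file (constructed test data)."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(sample_rate)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def clean_tone(n=16000):
    """A plain 440 Hz tone: our stand-in for audio nobody has tampered with."""
    return [int(8000 * math.sin(2 * math.pi * 440 * i / SAMPLE_RATE)) for i in range(n)]


def randomize_lsbs(samples, seed=1):
    """Overwrite the least-significant bit of every sample with a pseudo-random bit.

    This simulates a carrier whose LSB plane holds an encrypted blob: the audio
    remains perfectly listenable, but the LSB plane no longer looks like signal.
    """
    rng = random.Random(seed)
    return [(s & ~1) | rng.getrandbits(1) for s in samples]


def riff_trailing_bytes(data):
    """Number of bytes after the end declared in the RIFF header (players ignore them)."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    declared = struct.unpack("<I", data[4:8])[0]
    return len(data) - (8 + declared)


def lsb_pair_chi_square(data):
    """Pairs-of-values chi-square test over the 16-bit PCM samples.

    When every LSB has been replaced by a random bit, the counts of each value
    pair (2k, 2k+1) converge to equality, so chi-square per degree of freedom
    falls to about 1. Untouched signals usually score far higher.
    Returns (chi2, degrees_of_freedom).
    """
    with wave.open(io.BytesIO(data), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("this example handles 16-bit PCM only")
        frames = w.readframes(w.getnframes())
    samples = struct.unpack("<%dh" % (len(frames) // 2), frames)
    counts = {}
    for s in samples:
        counts[s] = counts.get(s, 0) + 1
    chi2, pairs = 0.0, 0
    for even in {s & ~1 for s in counts}:
        a, b = counts.get(even, 0), counts.get(even + 1, 0)
        expected = (a + b) / 2.0  # always > 0: at least one member of the pair occurs
        chi2 += ((a - expected) ** 2 + (b - expected) ** 2) / expected
        pairs += 1
    return chi2, max(pairs - 1, 1)


def assess_wav(data, chi2_per_dof_threshold=3.0):
    """Combine the structural and statistical checks into a triage verdict."""
    chi2, dof = lsb_pair_chi_square(data)
    ratio = chi2 / dof
    trailing = riff_trailing_bytes(data)
    return {
        "trailing_bytes": trailing,
        "lsb_chi2_per_dof": round(ratio, 2),
        "suspicious": trailing > 0 or ratio < chi2_per_dof_threshold,
    }


if __name__ == "__main__":
    clean = build_wav_bytes(clean_tone())
    carrier = build_wav_bytes(randomize_lsbs(clean_tone()))
    print("clean tone :", assess_wav(clean))
    print("LSB carrier:", assess_wav(carrier))
    print("appended   :", assess_wav(clean + b"\x00" * 64))
```

Two caveats for anyone using this in triage. A noisy recording or dithered audio also has a near-random LSB plane, so a low chi-square ratio is a reason to look closer (for the loader the reports describe, or for a process that reads the file and then spawns a shell or a miner), not proof on its own. Conversely, a payload that occupies only part of the LSB plane, or that is spread across several files as the article mentions, will raise the statistic and can slip past this whole-file test; the structural check catches only data appended after the declared RIFF size, not data hidden inside the samples.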
» SPAMfighter News - 10/22/2019