Attackers have found a new way to spread malware: hiding it inside WAV audio files.
These files carry hidden backdoors and Monero cryptominers that get dropped on the target system. Steganographic malware delivery has generally relied on JPEG or PNG image files; this is only the second time payload delivery has been observed using WAV audio files. Previously, researchers found the Russian-backed Turla threat group delivering a Metasploit Meterpreter backdoor embedded in a WAV audio file.
Recently the same steganography method was used to infect target devices with the XMRig Monero cryptominer or with Metasploit code designed to open a reverse shell. The WAV files were found to contain a loader that silently decodes and executes the hidden content. Some of the files played normal, good-quality music, while others contained only static noise. The Metasploit and XMRig payloads belonged to a campaign that establishes a command and control connection and uses the victim's device for cryptojacking.
The WAV loaders used three different methods to decode and execute the malicious code: loaders that read the payload from the least significant bit (LSB) of the audio samples, loaders that use a rand()-based decoding algorithm to decode and execute a PE file, and loaders that use a rand()-based algorithm to decode and execute shellcode. Such techniques let an attacker drop payloads using practically any file format, and they make detection harder because the malicious code is revealed only in memory.
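The defender's side of the LSB method, as an added example that is not code from this post or from the research it summarizes: a Python triage script that walks a WAV file's RIFF chunks, flags a header size that disagrees with the file length, bytes appended after the last chunk and unfamiliar chunk ids, and measures the entropy of the least-significant-bit plane of the PCM samples. The function names and the constructed 440 Hz test tone are assumptions made for the demo.

```python
import io
import math
import random
import struct
import wave

def riff_chunks(buf):
    """Walk the chunk list up to the declared RIFF size -> (chunks, riff_size, end_offset)."""
    if buf[:4] != b"RIFF" or buf[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_size = struct.unpack_from("<I", buf, 4)[0]
    chunks, pos = [], 12
    while pos + 8 <= min(len(buf), riff_size + 8):
        cid, size = struct.unpack_from("<4sI", buf, pos)
        chunks.append((cid.decode("ascii", "replace"), pos + 8, size))  # (id, payload offset, size)
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to an even length
    return chunks, riff_size, pos

def lsb_entropy(pcm, width):
    """Entropy (0..1 bit) of the LSB plane of 8/16-bit PCM: clean tone ~0, hidden data ~1."""
    n = len(pcm) // width
    samples = struct.unpack(f"<{n}{'B' if width == 1 else 'h'}", pcm[: n * width])
    p = sum(s & 1 for s in samples) / n
    return 0.0 if p in (0.0, 1.0) else -(p * math.log2(p) + (1 - p) * math.log2(1 - p))

def triage_wav(buf):
    """Structural and statistical findings to review before trusting a WAV file."""
    chunks, riff_size, end = riff_chunks(buf)
    fmt_off = next(o for c, o, _ in chunks if c == "fmt ")
    bits = struct.unpack_from("<HHIIHH", buf, fmt_off)[5]  # wBitsPerSample
    data_off, data_size = next((o, s) for c, o, s in chunks if c == "data")
    return {
        "riff_size_mismatch": riff_size + 8 != len(buf),  # header disagrees with file length
        "trailing_bytes": max(len(buf) - end, 0),         # bytes appended after the last chunk
        "unknown_chunks": [c for c, _, _ in chunks if c not in ("fmt ", "data", "LIST", "fact")],
        "lsb_entropy": round(lsb_entropy(buf[data_off:data_off + data_size], bits // 8), 3),
    }

def make_wav(samples):
    """Constructed 16-bit mono 8 kHz WAV built from a list of ints (demo input only)."""
    out = io.BytesIO()
    with wave.open(out, "wb") as w:
        w.setnchannels(1); w.setsampwidth(2); w.setframerate(8000)
        w.writeframes(struct.pack(f"<{len(samples)}h", *samples))
    return out.getvalue()

def tone_samples(noisy_lsb, seed=7):
    rng = random.Random(seed)  # constructed demo input, not a real sample from the campaign
    tone = [int(8000 * math.sin(2 * math.pi * 440 * i / 8000)) & ~1 for i in range(4000)]  # LSB cleared
    return [s | rng.getrandbits(1) for s in tone] if noisy_lsb else tone  # noisy_lsb: random low bits
```

Real recordings also have noisy least-significant bits, so the entropy figure is a triage signal to combine with the structural checks and with in-memory detection, not proof on its own.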
Users exposed to such attacks should pay attention to where they download files from. Many websites offer apps and audio files that are not safe; such files can carry malicious code and loaders that lead to similar compromises of the target system. Downloading only from reputable, established platforms is the best precaution a user can take.
Use NPAV and join us on a mission to secure the cyber world.