Security researchers have discovered a malware campaign that uses seemingly innocent audio files to deliver malicious code and cryptocurrency miners. WAV files with the malware hidden in them using steganography played as normal, giving no indication that there was anything wrong with them.
The malware-riddled files are sent out to victims via email, and once played will install and run a mining tool for the Monero cryptocurrency. In other cases, Metasploit code was used to open up a computer to remote attack.
Researchers Anuj Soni, Jordan Barth and Brian Marks from BlackBerry Cylance are the trio who made the discovery. "Each WAV file was coupled with a loader component for decoding and executing malicious content secretly woven throughout the file's audio data," they explained. "When played, some of the WAV files produced music that had no discernible quality issues or glitches. Others simply generated static (white noise).
"Our analysis reveals some of the WAV files contain code associated with the XMRig Monero CPU miner. Others included Metasploit code used to establish a reverse shell. Both payloads were discovered in the same environment, suggesting a two-pronged campaign to deploy malware for financial gain and establish remote access within the victim network."
Hiding in the music
The encoding and obfuscation used to embed the malware in the audio data make it very difficult to detect, since the file remains a valid, playable WAV. While the examples discovered by BlackBerry Cylance researchers made use of audio files, they warn that the same techniques could be used to hide malware in any type of file.
A detailed write-up of how the attack works can be found on the Threat Vector website.