Hackers are evolving with time. They are finding new ways to inject malware into systems. A recent finding by Blackberry Cylance in its malware campaign, reveals that hackers are using WAV audio files in order to hide malicious codes which is a typical example of steganography.
For your information, Steganography is a technique used by hackers to hide malwares in a file that looks normal outside but carries a malicious code inside. With the help of these files, hackers easily bypass the security firewall of the system. In the past, hackers usually use to target executable and image file formats.
But in the discovery of malware by Blackberry Cylance, cyber attackers are making use of WAV audio files to hide the malware called XMRrig. According to the report of Cylance, WAV files inject a loader component that is intended for decoding and executing commands for malicious codes to act.
Security researchers later found out that Metasploit and XMRrig payloads make the victim’s computer available for crypto mining. Through this victim’s computers become vulnerable to threats.
Josh Lemos, VP of Research and Intelligence at BlackBerry Cylance told that “this is the first incident where hackers have made use of mining malware using Steganography. However, the use of audio files is not the first time by hackers. The use of audio files for concealing malware was also attempted before.”
“Each WAV file was coupled with a loader component for decoding and executing malicious content secretly woven throughout the file’s audio data,” says the report. “When played, some of the WAV files produced music that had no discernible quality issues or glitches. Others simply generated static (white noise).”
The researchers further explained that “provided the attacker does not corrupt the structure and processing of the container format. Adopting this strategy introduces an additional layer of obfuscation because the underlying code is only revealed in memory, making detection more challenging”
In June this year, such malware was noticed for the first time when Turla, a Russian cyber-espionage group, was using WAV files to inject malware from their servers to computers. Turla was also responsible for modifying Chrome & Firefox to track TLS web traffic.
Where incidents of Steganography has observed many times before with image formats like PNG and JPEG, this is the first time when Steganography is used to evade anti-malware detection.
According to Cylance, Attributing this month’s attacks to the Turla threat group is difficult since any threat actor could use similar malicious tools and TTPs.
Cyber experts have suggested that it is a tough task to eradicate Steganography completely. Users should, therefore, stay alert and careful while downloading any audio files from insecure websites.
