Attackers have embedded crypto-mining and Metasploit code into WAV audio files to stymie threat detection solutions.
“All WAV files discovered adhere to the format of a legitimate WAV file (i.e., they are all playable by a standard audio player),” Josh Lemos, VP of Research and Intelligence at BlackBerry Cylance, told Help Net Security.
“One WAV file contained music with no indication of distortion or corruption and the others contained white noise. One of the WAV files contained Meterpreter to establish a reverse-shell to have remote access into the infected machine. The other WAV files contain the XMRig Monero crypto-miner.”
A clever tactic to avoid detection
The WAV files came coupled with a loader component, which employs either steganography or an algorithm to decode and execute the malicious code woven throughout the file’s audio data.
While steganography is often used to hide data within image files, malicious executable content can, theoretically, be successfully hidden within any file type, provided the attacker does not corrupt the structure and processing of the container format.
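A defender-side check for the kind of hiding described above, as an added example that is not taken from the researchers' report or tooling: it validates the RIFF/WAVE container, rebuilds a byte stream from the low bit of each PCM sample, and flags the file if that stream begins with a Windows PE header. The one-bit-per-sample, MSB-first encoding and the PE payload are assumptions (the article does not specify the scheme), and all function names and the sample input are constructed for illustration.

```python
import struct

def riff_chunks(blob):
    """Yield (id, payload) per chunk; raise if the RIFF/WAVE container is malformed."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(blob):
        cid, size = struct.unpack_from("<4sI", blob, pos)
        if pos + 8 + size > len(blob):
            raise ValueError("chunk overruns file")
        yield cid, blob[pos + 8 : pos + 8 + size]
        pos += 8 + size + (size & 1)  # chunks are padded to an even length

def lsb_bytes(pcm, width, limit=1024):
    """Rebuild up to `limit` bytes from each sample's low bit (MSB-first is an assumption)."""
    end = min(len(pcm), limit * 8 * width)
    bits = [pcm[i] & 1 for i in range(0, end - width + 1, width)]  # little-endian: low byte first
    return bytes(int("".join(map(str, bits[j : j + 8])), 2)
                 for j in range(0, len(bits) - 7, 8))

def looks_like_pe(buf):
    """MZ magic plus an e_lfanew field (offset 0x3C) that points at the PE signature."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    return buf[e_lfanew : e_lfanew + 4] == b"PE\0\0"

def scan_wav(blob):
    """Return 'pe-in-lsb' or 'clean' for PCM WAV bytes; ValueError if not valid PCM WAV."""
    chunks = dict(riff_chunks(blob))
    if b"fmt " not in chunks or b"data" not in chunks or len(chunks[b"fmt "]) < 16:
        raise ValueError("missing fmt/data chunk")
    tag, _, _, _, _, bits = struct.unpack_from("<HHIIHH", chunks[b"fmt "])
    if tag != 1 or bits not in (8, 16, 24, 32):
        raise ValueError("not integer PCM")
    hidden = lsb_bytes(chunks[b"data"], bits // 8)
    return "pe-in-lsb" if looks_like_pe(hidden) else "clean"

def build_sample(hidden, n_samples=1024):
    """Constructed test input: 16-bit mono PCM whose low bits carry `hidden`, then zeros."""
    bits = [(b >> (7 - k)) & 1 for b in hidden for k in range(8)]
    bits += [0] * (n_samples - len(bits))
    data = b"".join(struct.pack("<h", ((i * 37) % 2000 - 1000) & ~1 | bit)
                    for i, bit in enumerate(bits))
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
    body = b"WAVE" + struct.pack("<4sI", b"fmt ", 16) + fmt + struct.pack("<4sI", b"data", len(data)) + data
    return b"RIFF" + struct.pack("<I", len(body)) + body

PE_STUB = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0"  # constructed header bytes only, inert
```

Both constructed samples pass the container checks and would play in an audio player, which is why a scanner has to look inside the sample data rather than at the file structure.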
The researchers said that both payloads were discovered in the same environment, “suggesting a two-pronged campaign to deploy malware for financial gain and establish remote access within the victim network.”
Lemos told us that the WAV files were saved to the file system but that they can’t say for sure how they got there. What they do know is that they weren’t downloaded.
“They were loaded from disk, sometimes run as a CMD argument,” he noted. “Threat Actors likely used spear-phishing techniques to gain initial access. Then, they likely installed the reverse shell (Loader and WAV with Meterpreter) to download the other loaders and WAV files.”
A reverse shell connection involves the attacker’s machine acting as a server and being reachable over the internet, and the victim’s machine acting as a client and initiating a connection to it. The researchers said that the decoded shellcode from two WAV files revealed code strikingly similar to the Metasploit reverse TCP and reverse HTTPS code.
“In both cases, the shellcode attempts a connection to the IP address 220.127.116.11. The reverse TCP connection occurs over port 3527 while the reverse HTTPS connection occurs over port 443,” they shared.
Who’s behind this?
This is not the first time that WAV files have been found carrying malicious payloads.
“Several Panda [APT] groups have used this format to hide their C2 servers details, loaders, and payloads,” Lemos noted.
Earlier this year Symantec also analyzed some payloads hidden in WAV files using steganography, believed to be used by the Turla/Waterbug espionage group.
It’s difficult to say whether this latest instance is in any way connected to those earlier ones. Given that the goal of the compromise is surreptitious crypto-mining, it seems more likely that these are actors who are simply after money. “The similarities between these methods and known threat actor TTPs may indicate an association or willingness to emulate adversary activity, perhaps to avoid direct attribution,” the researchers pointed out.