silversurfer

Audio .WAV files are the latest hiding place for obfuscated malicious code; a campaign has been spotted in which malicious content was secretly woven throughout the file’s audio data.
The embedded code consists of one of three different loader components for decoding and executing malware, according to BlackBerry Cylance threat researchers. Users are likely none the wiser: When played, the WAV files either produce music that has no discernible quality issues or glitches, or, in some cases, simply generate static white noise.
Two payloads were found being delivered in the campaign: An XMRig/Monero CPU cryptominer and Metasploit code used to establish a reverse shell.
This suggests “a two-pronged campaign to deploy malware for financial gain and establish remote access within the victim network,” the researchers noted in an analysis released on Wednesday.
The .WAV files can be delivered in any number of ways, ranging from spam or targeted emails to downloads from the web masquerading as pirated content.

Andy Ful

The payload can be hidden in any file. The only thing that is required is the loader that can read the proper part of the file, decrypt (deobfuscate) the malicious code, and execute it. The loader does not do anything malicious. The malicious code that is hidden in the file as an encrypted (obfuscated) sequence of bytes is hard to detect. So, if the loader is new, then such malware will hardly be detected by pre-execution methods. The malware can be detected by post-execution behavior. The proper classification usually requires analyzing the sample by detonating it in a sandbox. This can take some time (from several minutes to several hours).
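To make the mechanism described in the article and in Andy Ful's reply concrete, here is an added round-trip example in Python. It is not code from the Threatpost article, from the Cylance write-up, or from either poster, and the page does not say which hiding method the campaign used; the example assumes one common approach, one payload bit per least-significant bit of each 16-bit PCM sample, with repeating-key XOR standing in for whatever obfuscation a real loader would use. The carrier is constructed noise, the "payload" is a harmless text string that is extracted but never executed, and the `KEY`, `PAYLOAD`, `embed` and `extract` names are the example's own.

```python
"""LSB-in-WAV embed/extract round trip (added illustration, not the campaign's loader)."""
import io
import random
import struct
import wave

KEY = b"\x5a\xc3\x19"                                    # constructed XOR key
PAYLOAD = b"stand-in payload: harmless text, never executed"  # constructed stand-in


def xor_obfuscate(data: bytes, key: bytes, offset: int = 0) -> bytes:
    """Repeating-key XOR; offset lets us deobfuscate a slice of a longer stream."""
    return bytes(b ^ key[(i + offset) % len(key)] for i, b in enumerate(data))


def make_carrier_wav(n_samples: int = 20000, seed: int = 1) -> bytes:
    """Constructed carrier: deterministic 16-bit mono noise, so the example runs offline."""
    rng = random.Random(seed)
    pcm = struct.pack("<%dh" % n_samples,
                      *(rng.randint(-20000, 20000) for _ in range(n_samples)))
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(pcm)
    return buf.getvalue()


def _samples(wav_bytes: bytes):
    """Parse a WAV into (params, list of signed 16-bit samples)."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        params = w.getparams()
        pcm = w.readframes(w.getnframes())
    return params, list(struct.unpack("<%dh" % (len(pcm) // 2), pcm))


def _wav(params, samples) -> bytes:
    """Re-encode samples as a WAV with the original header parameters."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams(params)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def embed(carrier: bytes, payload: bytes, key: bytes = KEY) -> bytes:
    """Hide len(payload) || payload, XOR-obfuscated, one bit per sample LSB.

    The WAV header, chunk layout and sample count are untouched, so the file
    still parses and plays; each sample moves by at most 1 out of 65536 steps.
    """
    params, samples = _samples(carrier)
    blob = xor_obfuscate(struct.pack("<I", len(payload)) + payload, key)
    bits = [(byte >> (7 - i)) & 1 for byte in blob for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("carrier too small for payload")
    for i, bit in enumerate(bits):
        samples[i] = (samples[i] & ~1) | bit          # clear LSB, then set it
    return _wav(params, samples)


def extract(stego: bytes, key: bytes = KEY) -> bytes:
    """The loader side: read LSBs, deobfuscate the length, then the payload.

    A real loader would hand the result to an executor; this example stops here.
    """
    _, samples = _samples(stego)

    def take(start_bit: int, n_bytes: int) -> bytes:
        out = bytearray()
        for b in range(n_bytes):
            v = 0
            for i in range(8):
                v = (v << 1) | (samples[start_bit + b * 8 + i] & 1)
            out.append(v)
        return bytes(out)

    length = struct.unpack("<I", xor_obfuscate(take(0, 4), key))[0]
    return xor_obfuscate(take(32, length), key, offset=4)   # key continues past the 4-byte header


def max_sample_delta(a: bytes, b: bytes) -> int:
    """How far any sample moved between two WAVs; LSB embedding yields at most 1."""
    _, sa = _samples(a)
    _, sb = _samples(b)
    return max(abs(x - y) for x, y in zip(sa, sb))


if __name__ == "__main__":
    carrier = make_carrier_wav()
    stego = embed(carrier, PAYLOAD)
    print("recovered:", extract(stego) == PAYLOAD, "max delta:", max_sample_delta(carrier, stego))
```

The point of the round trip is the one Andy Ful makes: the stego file is byte-for-byte a valid WAV with the same header and length, the audio data differs from the original by at most one quantisation step per sample, and the hidden bytes are XOR-scrambled, so a signature on the file alone has nothing stable to match. What does have to exist on disk, and what a scanner can target, is the extraction routine itself.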