Malware creators are using WAV audio files to hide malicious code.
Steganography – the art of hiding information within another file – has been used for years by malicious parties, but has usually been executed using image files.
Two reports over the past few months have shown that the practice has now extended to WAV audio files.
The first report was published in June by Symantec, where researchers claimed they had discovered that Russian group Waterbug was hiding malicious code in WAV files to transfer this code from its server to victims.
A second report, by BlackBerry Cylance, describes similar findings; however, it claims that WAV steganography is now also being used by smaller operations for cryptocurrency mining.
One such case saw a malware operation hiding DLL files inside WAV audio files, which would be extracted and run by already-present malware on the victim’s computer.
This allows the malicious party to install cryptocurrency mining software called XMRig on the victim’s computer.
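A structural triage check for the delivery method described above, added here as an example and not taken from either vendor report: it walks the RIFF chunks of a WAV file and flags unknown chunks, data appended past the declared RIFF size, and chunk or trailing payloads that begin with the `MZ` signature a DLL carries. The sample WAV files are constructed in the code, the chunk allow-list is an assumption, and payloads encoded into the audio samples themselves are out of scope.

```python
import struct

# Assumed allow-list of common RIFF/WAVE chunk IDs; extend it for your own corpus.
KNOWN_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"smpl", b"bext", b"id3 ", b"PEAK"}

def build_wav(samples: bytes, extra_chunk: bytes = b"") -> bytes:
    """Build a minimal 8 kHz, 8-bit, mono WAV (constructed test data, not a real sample)."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)
    body = b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt + extra_chunk
    body += b"data" + struct.pack("<I", len(samples)) + samples
    return b"RIFF" + struct.pack("<I", len(body)) + body

def scan_wav(blob: bytes) -> list:
    """Return human-readable findings for structural anomalies; [] means none found."""
    findings = []
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        return ["not a RIFF/WAVE file"]
    declared_end = 8 + struct.unpack_from("<I", blob, 4)[0]  # where RIFF says the file ends
    pos = 12
    while pos + 8 <= min(declared_end, len(blob)):
        cid = blob[pos:pos + 4]
        size = struct.unpack_from("<I", blob, pos + 4)[0]
        payload = blob[pos + 8:pos + 8 + size]
        if cid not in KNOWN_CHUNKS:
            findings.append(f"unknown chunk {cid!r} of {size} bytes")
        if payload.startswith(b"MZ"):  # DOS header that every PE/DLL image starts with
            findings.append(f"chunk {cid!r} begins with an MZ (PE/DLL) header")
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to an even length
    trailing = blob[declared_end:]
    if len(trailing) > 1:  # a single pad byte is legitimate; more is appended data
        findings.append(f"{len(trailing)} bytes of trailing data past the RIFF structure")
        if trailing.startswith(b"MZ"):
            findings.append("trailing data begins with an MZ (PE/DLL) header")
    return findings

# Constructed samples: a clean file, one with a fake PE blob appended, one with it in an unknown chunk.
SAMPLES = bytes(range(128)) * 4
CLEAN_WAV = build_wav(SAMPLES)
TRAILING_WAV = CLEAN_WAV + b"MZ" + b"\x90" * 200
EMBEDDED_WAV = build_wav(SAMPLES, b"xtra" + struct.pack("<I", 64) + b"MZ" + b"\x00" * 62)

if __name__ == "__main__":
    for name, wav in [("clean", CLEAN_WAV), ("trailing", TRAILING_WAV), ("embedded", EMBEDDED_WAV)]:
        print(name, scan_wav(wav) or ["no findings"])
```

Findings from a check like this are a triage signal, not proof: metadata-heavy files from some encoders legitimately carry chunk IDs outside the allow-list.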
Sophisticated crypto scams
According to Josh Lemos, VP of Research and Intelligence at BlackBerry Cylance, this technique was being used against both Windows desktop and server instances.
Lemos claimed that this appears to be the first time steganography has been used to install crypto-mining software, and believes this shows that crypto-mining malware authors are becoming increasingly sophisticated.
“The use of stego techniques requires an in-depth understanding of the target file format,” Lemos said.
“It is generally used by sophisticated threat actors that want to remain undetected for a long period of time.”