Based on two consecutive security reports released in recent months, hackers are trying to hide WAV audio files to hide malicious payload. This technique, called steganography, is a technique for hiding information in another data medium.
In the software world, steganography is also referred to as “stego” and is used to describe the process of hiding files or text in files of other formats. In fact, hackers have used steganography for more than a decade, and are usually not used to destroy or infect devices, but as a method of transfer. Steganography allows files that hide malicious code to bypass security software that whitelists non-executable file formats, such as multimedia files. Previously all instances of steganography for malware attacks have been around using image file formats such as PNG or JEPG. The novelty of the two recently released reports is that hackers started using WAV audio files and were widely used this year.
As early as June of this year, there were reports of malicious program activity hidden in WAV audio files. Symantec security researchers said they found a Russian cyber espionage organization called Waterbug (or Turla) that uses WAV files to hide malicious code from its servers and transmit it to infected victims.
BlackBerry Cylance discovered a second malware campaign this month. But while the Symantec report describes state-level cyber espionage, BlackBerry Cylance says they see WAV steganography being abused in encrypted mining malware operations. BlackBerry Cylance said that this particular threat participant is putting hidden DLLs in WAV audio files.
The WAV file loaders can be grouped into the following three categories, which we will discuss in detail:
- Loaders that employ Least Significant Bit (LSB) steganography to decode and execute a PE file.
- Loaders that employ a rand()-based decoding algorithm to decode and execute a PE file.
- Loaders that employ rand()-based decoding algorithm to decode and execute shellcode.