
WAV audio files are now being used to hide malicious code

Joined
Jan 5, 2006
Messages
9,933 (1.96/day)
System Name Desktop / Laptop
Processor Intel i7 6700K @ 4.3GHz (1.180 V) / Intel i3 7100U
Motherboard Asus Z170 Pro Gaming / HP 83A3 (U3E1)
Cooling Noctua NH-U12A 2 fans + Thermal Grizzly Kryonaut + 5 case fans / Fan
Memory 16GB DDR4 Corsair Vengeance LPX 3000MHz CL15 / 8GB DDR4 HyperX CL13
Video Card(s) MSI RTX 2070 Super Gaming X Trio / Intel HD620
Storage Samsung 970 Evo 500GB + Samsung 850 Pro 512GB + Samsung 860 Evo 1TB / Samsung 256GB M.2 SSD
Display(s) 23.8" Dell S2417DG 165Hz G-Sync 1440p + 21.5" LG 22MP67VQ IPS 60Hz 1080p / 14" 1080p IPS Glossy
Case Be quiet! Silent Base 600 - Window / HP Pavilion
Audio Device(s) SupremeFX Onboard / Realtek onboard + B&O speaker system
Power Supply Seasonic Focus Plus Gold 750W / Powerbrick
Mouse Logitech MX Anywhere 2 Laser wireless / Logitech M330 wireless
Keyboard RAPOO E9270P Black 5GHz wireless / HP backlit
Software Windows 10 / Windows 10
Steganography malware trend moving from PNG and JPG to WAV files.

Two reports published in the last few months show that malware operators are experimenting with using WAV audio files to hide malicious code.

The technique is known as steganography -- the art of hiding information in plain sight, in another data medium.

In the software field, steganography -- also referred to as stego -- is used to describe the process of hiding files or text in another file, of a different format. For example, hiding plain text inside an image's binary format.

Using steganography has been popular with malware operators for more than a decade. Malware authors don't use steganography to breach or infect systems, but rather as a transfer method. Steganography allows files hiding malicious code to bypass security software that whitelists non-executable file formats (such as multimedia files).

All previous instances where malware used steganography revolved around using image file formats, such as PNG or JPEG.

The novelty in the two recently-published reports is the use of WAV audio files, not seen abused in malware operations until this year.

THE TWO REPORTS
The first of these two new malware campaigns abusing WAV files was reported back in June. Symantec security researchers said they spotted a Russian cyber-espionage group known as Waterbug (or Turla) using WAV files to hide and transfer malicious code from their server to already-infected victims.


The second malware campaign was spotted this month by BlackBerry Cylance. In a report published today and shared with ZDNet last week, Cylance said it saw something similar to what Symantec saw a few months before.

But while the Symantec report described a nation-state cyber-espionage operation, Cylance said they saw the WAV steganography technique being abused in a run-of-the-mill crypto-mining malware operation.

Cylance said this particular threat actor was hiding DLLs inside WAV audio files. Malware already present on the infected host would download and read the WAV file, extract the DLL bit by bit, and then run it, installing a cryptocurrency miner application named XMRig.

Josh Lemos, VP of Research and Intelligence at BlackBerry Cylance, told ZDNet in an email yesterday that this malware strain using WAV steganography was spotted on both Windows desktop and server instances.

THE COMMODITIZATION OF STEGANOGRAPHY
Furthermore, Lemos told us that this also appears to be the first time a crypto-mining malware strain was seen abusing steganography, regardless of whether it was a PNG, JPEG, or WAV file.

This shows that your mundane crypto-mining malware authors are growing in sophistication, as they learn from other operations.

"The use of stego techniques requires an in-depth understanding of the target file format," Lemos told ZDNet. "It is generally used by sophisticated threat actors that want to remain undetected for a long period of time.

"Developing a stego technique takes time, and several blogs have detailed how threat actors such as OceanLotus or Turla implemented payload hiding," Lemos added.

"These publications make it possible for other threat actors to grasp the technique and use it as they see fit."

In other words, the act of documenting and studying steganography comes with a snowball effect that also commoditizes the technique for lower-skilled malware operations.

But while Symantec and Cylance's work on documenting WAV-based steganography might help other malware operators, WAV, PNG, and JPG files aren't the only file formats that can be abused.

"Stego can be used with any file format as long as the attacker adheres to the structure and constraints of the format so that any modifications performed on the targeted file do not break its integrity," Lemos said.

In other words, defending against steganography by blocking vulnerable file formats is not the correct solution, as companies would end up blocking the downloading of many popular formats, like JPEG, PNG, BMP, WAV, GIF, WebP, TIFF, and loads more, wreaking havoc in internal networks and making it impossible to navigate the modern internet.

A proper way of dealing with steganography is... not dealing with it at all. Since stego is only used as a data transfer method, companies should be focusing on detecting the point of entry/infection of the malware that abuses steganography, or the execution of the unauthorized code spawned by the stego-laced files.
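Lemos's point above, that stego only works while the carrier still respects its format's structure and constraints, suggests what a structural check of a WAV can and cannot tell a defender. The following is an added example, not code from the article or from Symantec or Cylance: a small RIFF/WAVE chunk walker built on Python's standard library that flags bytes appended after the RIFF body, truncation, chunks that overrun the file, unexpected chunk IDs and fmt/data inconsistencies, run over a constructed sample tone. The EXPECTED_CHUNKS list and the sample audio are assumptions made here, not values from the reports.

```python
import io
import math
import struct
import wave

# Chunk IDs that commonly appear in well-formed PCM WAV files. Assumption: this list
# is illustrative, not exhaustive; tune it to what your own pipeline produces.
EXPECTED_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"smpl",
                   b"inst", b"bext", b"PEAK", b"JUNK", b"PAD "}


def parse_riff_chunks(data):
    """Walk the RIFF chunk list. Returns (chunks, findings): chunks is a list of
    (chunk_id, declared_size, offset); findings lists structural anomalies."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return [], ["not a RIFF/WAVE file"]
    riff_size = struct.unpack_from("<I", data, 4)[0]
    declared_end = 8 + riff_size
    if len(data) > declared_end:
        findings.append(f"{len(data) - declared_end} bytes appended after the RIFF body")
    elif len(data) < declared_end:
        findings.append(f"file truncated: header declares {declared_end} bytes, have {len(data)}")
    chunks = []
    pos, end = 12, min(declared_end, len(data))
    while pos + 8 <= end:
        cid = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body_start = pos + 8
        chunks.append((cid, size, pos))
        if body_start + size > end:
            findings.append(f"chunk {cid!r} at offset {pos} declares {size} bytes "
                            f"but only {end - body_start} remain")
            break
        pos = body_start + size + (size & 1)  # RIFF pads odd-sized chunks to even length
    else:
        if pos < end:
            findings.append(f"{end - pos} stray bytes after the last chunk")
    return chunks, findings


def audit_wav(data):
    """Return human-readable findings; an empty list means the file is structurally
    self-consistent, which does NOT prove it carries no hidden data."""
    chunks, findings = parse_riff_chunks(data)
    if not chunks:
        return findings
    by_id = {cid: (size, pos) for cid, size, pos in chunks}
    for cid, size, pos in chunks:
        if cid not in EXPECTED_CHUNKS:
            findings.append(f"unexpected chunk {cid!r} ({size} bytes) at offset {pos}")
    if b"fmt " not in by_id or b"data" not in by_id:
        findings.append("missing fmt or data chunk")
        return findings
    fmt_size, fmt_pos = by_id[b"fmt "]
    if fmt_size < 16 or fmt_pos + 8 + 16 > len(data):
        findings.append("fmt chunk too short to describe PCM audio")
        return findings
    # fmt body: wFormatTag, nChannels, nSamplesPerSec, nAvgBytesPerSec, nBlockAlign, wBitsPerSample
    fmt_tag, channels, rate, byte_rate, block_align, bits = struct.unpack_from(
        "<HHIIHH", data, fmt_pos + 8)
    data_size = by_id[b"data"][0]
    if fmt_tag == 1:  # WAVE_FORMAT_PCM: the derived fields must agree with each other
        if channels == 0 or bits == 0 or block_align != channels * bits // 8:
            findings.append(f"block align {block_align} inconsistent with "
                            f"{channels} ch x {bits} bit")
        elif byte_rate != rate * block_align:
            findings.append(f"byte rate {byte_rate} != {rate} Hz x {block_align}")
        elif data_size % block_align:
            findings.append(f"data chunk ({data_size} bytes) is not a whole number of frames")
    return findings


def build_sample_wav(n_samples=400, rate=8000):
    """Constructed input: 50 ms of a 440 Hz tone, 16-bit mono, written by the stdlib."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(b"".join(
            struct.pack("<h", int(8000 * math.sin(2 * math.pi * 440 * i / rate)))
            for i in range(n_samples)))
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_wav()
    for label, blob in [("clean", clean),
                        ("appended", clean + b"\x00" * 100),
                        ("truncated", clean[:-100])]:
        print(label, audit_wav(blob) or "no structural findings")
```

A payload written into the low bits of the samples, which is what "extract the DLL bit by bit" implies, leaves every one of these checks green, and that is the point the article ends on: the carrier is a weak detection surface, while the loader that fetches, decodes and executes it is not.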


 

Aquinus

Resident Wat-man
Joined
Jan 28, 2012
Messages
11,459 (4.02/day)
Location
Concord, NH
You still need an application that knows how to decode this stuff in these files, which means the malware has to end up on the box as a binary and not as some weird bit of embedded data in a file. Embedding code into a WAV doesn't make it executable like @W1zzard said, so you still need another piece of software that will take that "malicious code" and execute it, which still leaves you in the same position you were in without encoding data into another non-executable format: getting a binary or arbitrary code to run on the target machine.
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
19,791 (3.49/day)
Could be a lost in translation thing though, in German "code" [encryption] == "encoded data / encoding"
 
Joined
Jul 25, 2006
Messages
6,072 (1.25/day)
Location
Nebraska, USA
Is this really a "new" threat?
 
Joined
Aug 20, 2007
Messages
11,917 (2.66/day)
Is this really a "new" threat?
Sort of? It's just a new way to hide managing viral code from researchers and hosts.

Didn't work for long though obviously. My immediate question with something like this is "how long did they do it unnoticed?"
 
Joined
Jul 25, 2006
Messages
6,072 (1.25/day)
Location
Nebraska, USA
My immediate question with something like this is "how long did they do it unnoticed?"
I just remember hearing about steganography being used to hide and distribute malware several years ago in image files. It just seems odd to me that using .wav files would be something "new".

But yeah, I agree. "How long did they do it unnoticed?" is a concern.

But to me, the greater question is, "How long have researchers known about it before they decided to report it?" I note what irritates me almost more than hackers stealing our personal information is it may be months after the company discovered the hack before they let their customers know their information was stolen. :mad: :mad: :banghead:

No, as far as I remember there was a spate of WMF files containing malicious code years ago (favorite type of file was porn and they hijacked your browser).
Yeah, that sounds familiar too.
 
Joined
Aug 20, 2007
Messages
11,917 (2.66/day)
Yeah, that sounds familiar too.
Different than this though. This is control code hosted online in innocent looking files. You don't just get infected by opening a .wav in this case. If you didn't have receiving malware looking for whatever on your end, it'd play as an innocent .wav and nothing would happen.

Most likely, I'd guess they hid it by doing some clever bit modulation/demodulation in the sound file as... sound. You could basically be a pretend analog modem bitstream playing back in a wave file and download a virus to a quite literally "listening" program... it'd be bizarre but it'd work. It'd even be faster than 56K by virtue of fidelity. It'd sound like the old dial up days to anyone who played it.

Heck, now that I've described it, I kinda wanna try this now. It's really clever. Useless for anything but hiding stuff, and of course being used completely unethically here, but clever all the same.

It reminds me of a program I wrote for DVHS VCRs many moons ago, that backed up data to VHS tapes via firewire. Stored around 20GBs per 120 minute tape in straight video MPEG-bit->Video modulation (and yes, it took 120mins, so a little less than 3MB/s bitrate). Useless now, but pretty cool then. The tape also had to be SVHS or better though (expensive), so probably was always useless really.

I just wish clever things weren't thought up by bad guys. That always irritates me. Why couldn't *I* have thought of this, first?

I totally want to make this just so when the FBI finally gets around to investigating me for frog-related treason, they find my secret encrypted audio files, "coerce" the key out of me, study the suspicious modem static under intense science, only to discover my modulation scheme and decode a picture of an innocent giraffe doing fun innocent giraffe things.

At that point, they'd realize how useless I really am, and probably let me go before they found the frogbomb.

Rejoice, all ye faithful.

EDIT: Ok, maybe I got a bit carried away there. Humor me, I've had a bad day. There is no frogbomb... or not yet, anyways. Pray it never comes to that.
 
Joined
Feb 3, 2019
Messages
492 (1.70/day)
Location
Chicago Land
Hmm. updated Malwarebytes. All good now, no worries.... lol.
 
Joined
Jul 25, 2006
Messages
6,072 (1.25/day)
Location
Nebraska, USA
That's good but me? I wasn't worried before this news.
 

Easy Rhino

Linux Advocate
Staff member
Joined
Nov 13, 2006
Messages
14,777 (3.11/day)
Location
Mid-Atlantic
I knew that Dave Matthews CD was spying on me!
 
Joined
Oct 17, 2014
Messages
3,858 (2.08/day)
Location
USA
good thing I only use .flac

Hmm. updated Malwarebytes. All good now, no worries.... lol.
Yep, I have a lifetime license for Malwarebytes. It's good stuff.
 
Joined
Aug 20, 2007
Messages
11,917 (2.66/day)
good thing I only use .flac
You wouldn't be the one opening the wav. It's for remote command execution. You'd have to already have malware on your machine to have it even look up an innocent looking (to hosts) wav file to ask for botnet commands.

Yep, I have a lifetime license for Malwarebytes. It's good stuff.
Still, if you got this, I think you got a handle on it.
 
Joined
Oct 17, 2014
Messages
3,858 (2.08/day)
Location
USA
You wouldn't be the one opening the wav. It's for remote command execution. You'd have to already have malware on your machine to have it even look up an innocent looking (to hosts) wav file to ask for botnet commands.
Still, if you got this, I think you got a handle on it.
Ah, OK. Yeah, and I also have TinyWall as my firewall set to max mode, so anything trying to connect to the internet requires permission. So even if Malwarebytes fails, it will have a hard time getting around that, I think.
 
Joined
Oct 5, 2017
Messages
454 (0.59/day)
I knew that Dave Matthews CD was spying on me!
It actually is... or was, if you bought it in 2004/5 -

Sony also uses SunnComm MediaMax DRM software on some of its releases, including the Foo Fighters and the Dave Matthews Band. MediaMax does not conceal itself with a rootkit, but one researcher has concluded “it does behave in several ways that are characteristic of spyware” by: installing software without meaningful consent or notification; including either no means of uninstalling the software or an uninstaller that claims to remove the entire program but does not; and transmitting information about user activities to SunnComm despite statements to the contrary in the end user license agreement (EULA) and on SunnComm’s web site. The researcher noted that when a MediaMax-protected CD is inserted into a computer running Windows, the program displays an EULA, but that before the EULA appears MediaMax installs around a dozen files of over 12 MB in size. Finally, researchers have warned that the web-based XCP uninstaller offered by Sony represents a “far greater security risk than even the original Sony rootkit.”
 