WAV audio files are now being used to hide malicious code

Steganography malware trend moving from PNG and JPG to WAV files.
Written by Catalin Cimpanu, Contributor

Two reports published in the last few months show that malware operators are experimenting with using WAV audio files to hide malicious code.

The technique is known as steganography -- the art of hiding information in plain sight, in another data medium.

In the software field, steganography -- also referred to as stego -- is used to describe the process of hiding files or text in another file, of a different format. For example, hiding plain text inside an image's binary format.

Using steganography has been popular with malware operators for more than a decade. Malware authors don't use steganography to breach or infect systems, but rather as a transfer method. Steganography allows files hiding malicious code to bypass security software that whitelists non-executable file formats (such as multimedia files).

All previous instances where malware used steganography revolved around using image file formats, such as PNG or JEPG.

The novelty in the two recently-published reports is the use of WAV audio files, not seen abused in malware operations until this year.

The two reports

The first of these two new malware campaigns abusing WAV files was reported back in June. Symantec security researchers said they spotted a Russian cyber-espionage group known as Waterbug (or Turla) using WAV files to hide and transfer malicious code from their server to already-infected victims.

The second malware campaign was spotted this month by BlackBerry Cylance. In a report published today and shared with ZDNet last week, Cylance said it saw something similar to what Symantec saw a few months before.

But while the Symantec report described a nation-state cyber-espionage operation, Cylance said they saw the WAV steganography technique being abused in a run-of-the-mill crypto-mining malware operation.

Cylance said this particular threat actor was hiding DLLs inside WAV audio files. Malware already-present on the infected host would download and read the WAV file, extract the DLL bit by bit, and then run it, installing a cryptocurrency miner application named XMRrig.

Josh Lemos, VP of Research and Intelligence at BlackBerry Cylance, told ZDNet in an email yesterday that this malware strain using WAV steganography was spotted on both Windows desktop and server instances.

The commoditization of steganography

Furthermore, Lemos also told us that this also appears to be the first time a crypto-mining malware strain was seen using abused steganography, regardless if it was a PNG, JPEG, or WAV file.

This shows that your mundane crypto-mining malware authors are growing in sophistication, as they learn from other operations.

"The use of stego techniques requires an in-depth understanding of the target file format," Lemos told ZDNet. "It is generally used by sophisticated threat actors that want to remain undetected for a long period of time.

"Developing a stego technique takes time, and several blogs have detailed how threat actors such as OceanLotus or Turla implemented payload hiding," Lemos added.

"These publications make it possible for other threat actors to grasp the technique and use it as they see fit."

In other words, the act of documenting and studying steganography comes with a snowball effect that also commoditizes the technique for lower-skilled malware operations.

But while Symantec and Cylance's work on documenting WAV-based steganography might help other malware operators, WAV, PNG, and JPG files aren't the only file formats that can be abused.

"Stego can be used with any file format as long as the attacker adheres to the structure and constraints of the format so that any modifications performed on the targeted file do not break its integrity," Lemos told.

In other words, defending against steganography by blocking vulnerable file formats is not the correct solution, as companies would end up blocking the downloading of many popular formats, like JPEG, PNG, BMP, WAV, GIF, WebP, TIFF, and loads more; wreaking havoc in internal networks and making it impossible to navigate the modern internet.

A proper way of dealing with steganography is... not dealing with it at all. Since stego is only used as a data transfer method, companies should be focusing on detecting the point of entry/infection of the malware that abuses stegonagraphy, or the execution of the unauthorized code spawned by the stego-laced files.

The world's most famous and dangerous APT (state-developed) malware

Editorial standards