Digital forensics specialists report a new attack method consisting of the use of WAV audio files to hide and deliver backdoors and software for the mining of the Monero cryptocurrency on infected systems.
Other variants of this method injected malware by hiding their payloads in JPEG or PNG image files using steganography, a technique widely used by threat actors to hide the malware, so it is curious that this group of hackers has chosen deliver your payloads using malicious audio files.
Last June, Digital forensics specialists at Symantec detected a cell from Turla, a group of Kremlin-backed hackers (also known as Venomous Bear or Wterburg) handing victims the payload that contained the backdoor Metasploit Meterpreter using an audio track in WAV format.
Now, researchers have discovered that an identical steganography method is used to infect devices with XMRig mining software and Metaploit reverse shell code. “These WAV format files are combined with a powerful component to decode and execute the malicious content, which is hidden among the data in the audio file”, the experts mention.
When played, a seemingly conventional music archive could be seen, while other collected samples contained only static. When thoroughly analyzed, the experts detected the payloads of Metasploit and XMRig: “Hackers were planning a cryptojacking and C&C reverse connection operation of considerable scope”, the experts add.
During the analysis, digital forensics experts found that payloads were decoded and executed in three different ways:
- Using loaders that use less significant bit (LSB) steganography to decode and run a PE file
- Loaders that use a rand-()based decoding algorithm to decode and run a PE file
- With loaders that use a rand-() based decoding algorithm to decode and run shellcode
Any of these three methods allows threat actors to successfully hide payloads within any file; they should only avoid corrupting the structure and processing of the container format. In addition, implementing this approach adds a new obfuscation layer, as the code-behind is only revealed in memory, making the payload very difficult to detect.
Although this method of attack is the same used by the Turla hacker group, the digital forensics experts at the International Institute of Cyber Security (IICS) consider it to be somewhat hasty to attribute all these attacks to the same group, since they virtually any hacker could use similar tools and methods.