Posted on October 21, 2019 at 10:18 AM
The struggle between malicious programmers and security experts can fairly be described as a war, and like any war it entails a never-ending arms race between the two sides.
Accordingly, security researchers have now documented a new malware delivery method: a campaign that uses seemingly innocent WAV audio files to carry cryptocurrency miners and other malicious code. The malware hides its payload using a technique called steganography. The audio file itself plays normally, giving no indication of its sinister contents.
According to the article, these malicious packages reach victims the usual way, through phishing campaigns: emails sent in the hope that the recipient either mistakes them for a credible source or opens the attachment out of habit. Once opened, the package installs and runs a miner for Monero, a cryptocurrency. In other cases, Metasploit code runs to give the attacker remote access.
The technique was described by a trio of researchers, Anuj Soni, Jordan Barth and Brian Marks, all from BlackBerry Cylance. They explained that each WAV file was paired with a loader component that decodes and executes the malicious content.
That content was, in turn, secretly woven through the entirety of the file's audio data. When played, some of the WAV files produced perfectly normal music without any audible glitch or loss of quality; others, they noted, played back only as static or white noise.
The researchers stated that their analysis revealed malicious code in several of the WAV files. Some of it was associated with the XMRig Monero CPU miner, while other files carried Metasploit code used to create a reverse shell. They warned that both payloads were found in the same environment, suggesting a campaign with a two-pronged goal: financial gain and the establishment of remote access within the victim's network.
The WAV loaders fall into one of three categories. The first uses Least Significant Bit (LSB) steganography to decode and execute a PE file. The second uses a rand()-based decoding algorithm to decode and execute a PE file. The third uses the same rand()-based algorithm but executes shellcode instead of a PE file.
Each of these three approaches lets the attacker execute malicious code from a file format otherwise considered benign, and shows that executable content can in principle be placed inside almost any file type.
This assumes, of course, that the attacker does not corrupt the structure of the container format or the way it is processed, so that the file still opens and plays normally. The technique adds yet another layer of obfuscation, because the underlying code is only observable once it has been decoded in memory. As you can imagine, that makes detecting this malicious code a difficult process.
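To make the first loader category (LSB steganography) and the container-integrity point above concrete, here is an added example in Python. It is not the researchers' code nor a sample from the campaign: it builds a constructed 16-bit mono WAV, hides a constructed stand-in payload (just bytes beginning with the PE "MZ" magic, not a real executable) in the least significant bit of each PCM sample, extracts it again, and checks that the stego file is still a valid WAV of identical size and parameters whose samples differ from the original by at most 1, which is why playback sounds unchanged. The 4-byte length prefix is this example's own framing choice, not something the report describes.

```python
"""LSB steganography in WAV PCM audio (added example, not the campaign's loader).

Constructed data only: the cover tone and the stand-in payload are generated here.
"""
import io
import math
import struct
import wave

SAMPLE_RATE = 8000
# Constructed stand-in for a hidden PE: starts with the "MZ" magic, nothing more.
FAKE_PAYLOAD = b"MZ" + b"stand-in payload, not a real PE image"


def make_cover_wav(num_samples, freq=440.0):
    """Return WAV bytes for a 16-bit mono sine tone (constructed cover audio)."""
    frames = b"".join(
        struct.pack("<h", int(12000 * math.sin(2 * math.pi * freq * i / SAMPLE_RATE)))
        for i in range(num_samples)
    )
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(frames)
    return buf.getvalue()


def wav_params(wav_bytes):
    """Parse the RIFF/WAV header; raises if the container is not a valid WAV."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        return w.getparams()


def _frames(wav_bytes):
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        return w.readframes(w.getnframes())


def _bits(data):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(wav_bytes, payload):
    """Hide payload (4-byte length prefix + bytes) in bit 0 of every 16-bit sample."""
    params = wav_params(wav_bytes)
    if params.sampwidth != 2 or params.nchannels != 1:
        raise ValueError("example supports 16-bit mono PCM only")
    frames = bytearray(_frames(wav_bytes))
    message = struct.pack("<I", len(payload)) + payload
    if len(message) * 8 > len(frames) // 2:
        raise ValueError("cover audio too small for payload")
    for idx, bit in enumerate(_bits(message)):
        # Samples are little-endian, so bit 0 of the sample is bit 0 of byte 2*idx.
        pos = idx * 2
        frames[pos] = (frames[pos] & 0xFE) | bit
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams(params)
        w.writeframes(bytes(frames))
    return buf.getvalue()


def extract_lsb(wav_bytes):
    """Reassemble the hidden bytes from sample LSBs; this is the loader's decode step."""
    frames = _frames(wav_bytes)
    capacity = len(frames) // 2

    def read_bytes(start_sample, count):
        if start_sample + count * 8 > capacity:
            raise ValueError("declared length exceeds audio capacity")
        out = bytearray()
        for b in range(count):
            val = 0
            for k in range(8):
                val = (val << 1) | (frames[(start_sample + b * 8 + k) * 2] & 1)
            out.append(val)
        return bytes(out)

    (length,) = struct.unpack("<I", read_bytes(0, 4))
    return read_bytes(32, length)


def max_sample_delta(wav_a, wav_b):
    """Largest per-sample difference between two 16-bit mono WAVs (1 for LSB stego)."""
    fa, fb = _frames(wav_a), _frames(wav_b)
    sa = struct.unpack("<%dh" % (len(fa) // 2), fa)
    sb = struct.unpack("<%dh" % (len(fb) // 2), fb)
    return max(abs(x - y) for x, y in zip(sa, sb))


if __name__ == "__main__":
    cover = make_cover_wav(4000)
    stego = embed_lsb(cover, FAKE_PAYLOAD)
    print("still a valid WAV:", wav_params(stego) == wav_params(cover))
    print("recovered payload:", extract_lsb(stego)[:2])
    print("max sample change:", max_sample_delta(cover, stego))
```

The extractor trusts a length field read from the audio itself, so it bounds-checks that length against the file's capacity before reading; a real loader has no such need, but an analyst's carving tool does. Note that the LSB plane of genuine recorded audio is already close to random, which is one reason a static scan of the file tells you little and the code only becomes recognisable once decoded in memory.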
Something worth noting: the steganography loader found in this campaign resembles the one Symantec described in its June 2019 analysis of the Waterbug/Turla threat actor's activity.
While that suggests some relationship between the two threats, attribution gets tricky once you recall that different threat actors often use the same tools out of convenience. After all, why go to the effort of building a new tool when one that works already exists? Most people are lazy, and attackers, in the end, are human too.
A detailed report on the subject, with the technical specifics, can be found on BlackBerry Cylance's ThreatVector blog.
It won't be long before security products learn to flag this specific technique and cybersecurity providers adjust to the new threat. Sad as it may seem, every effort made to keep our security intact only works until the criminals find a new trick, at which point the security firms adapt to that one as well. This cycle continues, never stopping and never tiring.