A new campaign discovered by security researchers shows that cybercriminals are hiding malware inside WAV audio files.
This technique of obfuscating malicious code in plain sight — a method called steganography — was uncovered by BlackBerry’s cybersecurity subsidiary Cylance.
“When played, some of the WAV files produced music that had no discernible quality issues or glitches. Others simply generated static (white noise),” the researchers noted.
But in reality, the WAV files — delivered via targeted phishing emails — were a vector for malicious payloads that surreptitiously abused the infected host to mine the Monero cryptocurrency.
“Adopting this strategy introduces an additional layer of obfuscation because the underlying code is only revealed in memory, making detection more challenging,” Cylance said.
Although steganography techniques have been employed via WAV files before, notably by the threat group Turla (aka Uroboros), this is the first time audio files have been observed being used to deliver cryptomining malware.
The threat actors’ adoption of sophisticated obfuscation mechanisms underscores the continued evolution of tactics to evade detection, and the need for security tooling that can inspect such attachments rather than trusting them by file type.
“Analysis revealed that the malware authors used a combination of steganography and other encoding techniques to deobfuscate and execute code,” the researchers concluded. “These strategies allowed attackers to conceal their executable content, making detection a challenging task.”
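The files described above either played cleanly or produced only static, with the payload decoded in memory. As an added defender-side illustration (not Cylance’s tooling or code from the article), the script below triages a suspicious WAV attachment: it walks the RIFF chunk list, flags bytes appended after the declared container and unexpected chunks, and measures the entropy of the audio data, which lands near 8 bits/byte when the “audio” is really an encoded blob. The sample WAVs are constructed inline; a payload hidden in the low-order bits of otherwise clean music would need statistical tests beyond this simple check.

```python
import io, math, os, struct, wave
from collections import Counter

# Chunk ids a plain PCM WAV normally carries; anything else deserves a closer look.
KNOWN_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue "}

def byte_entropy(buf: bytes) -> float:
    """Shannon entropy in bits/byte: a tone sits well below 8, random data near 8."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def triage_wav(blob: bytes) -> dict:
    """Walk the RIFF chunk list and report structural anomalies plus data entropy."""
    findings = {"anomalies": [], "byte_entropy": 0.0}
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        findings["anomalies"].append("not a RIFF/WAVE file")
        return findings
    riff_end = struct.unpack("<I", blob[4:8])[0] + 8  # declared total file size
    if len(blob) > riff_end:
        findings["anomalies"].append(f"{len(blob) - riff_end} trailing bytes after RIFF")
    pos, data = 12, b""
    while pos + 8 <= min(len(blob), riff_end):
        cid, size = blob[pos:pos + 4], struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        if cid not in KNOWN_CHUNKS:
            findings["anomalies"].append(f"unexpected chunk {cid!r}")
        if pos + 8 + size > len(blob):
            findings["anomalies"].append(f"chunk {cid!r} overruns the file")
            break
        if cid == b"data":
            data = blob[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # chunk bodies are padded to even length
    findings["byte_entropy"] = round(byte_entropy(data), 3)
    return findings

def make_wav(pcm16: bytes, rate: int = 8000) -> bytes:
    """Wrap raw 16-bit mono PCM in a WAV container using the stdlib writer."""
    out = io.BytesIO()
    with wave.open(out, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(pcm16)
    return out.getvalue()

# Constructed inputs: a clean 440 Hz tone, that tone with bytes appended after the
# RIFF structure, and a "white noise" file whose sample data is random bytes.
TONE = struct.pack("<8000h", *(int(1000 * math.sin(2 * math.pi * 440 * i / 8000)) for i in range(8000)))
CLEAN = make_wav(TONE)
TRAILING = CLEAN + bytes(range(256)) * 3  # stand-in for an appended blob
NOISE = make_wav(os.urandom(16000))
```

Run `triage_wav` over each constructed file: the clean tone reports no anomalies and low entropy, the padded file reports trailing bytes, and the noise file reports entropy close to 8.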