Sunday, May 19, 2024

Hackers Embedded the Malicious Code Within WAV Audio Files to Gain Reverse Shell Access

Researchers observed a new malware campaign using WAV audio files to hide the malware and to avoid detection. Threat actors embedded the malicious code within the WAV audio files.

Based on BlackBerry Cylance threat researchers’ analysis, each WAV file contains a loader component to decode and executing malicious content embedded in audio files.

Similar techniques were observed between multiple threat actors, they used PNG (1,2) and JPEG files, employs steganography techniques to hide the malware.

Miner and Metasploit code – WAV Audio

Further analysis reveals that some of the WAV files contain crypto miner script XMRig Monero CPU miner and others include Metasploit code used to establish a reverse shell.

Both of the WAV files use the same infrastructure, which indicates the campaign used to gain remote access over the victim networks and for monetary benefits.

Attackers use steganography methods to hide the malicious codes in the WAV files. Earlier this year, Symantec published a report about the Turla APT hacker group, the APT group uses the .wav files with Metasploit code embedded.

Researchers classified the loaders into three categories

  • Loaders that employ the Least Significant Bit (LSB) steganography to decode and execute a PE file.
  • Loaders that employ a rand()-based decoding algorithm to decode and execute a PE file.
  • Loaders that employ rand()-based decoding algorithm to decode and execute shellcode.

Steganography & Encoding Methods

The first type is based on the steganography method, the .wav file employees steganography method to extract the content.

Upon executing the audio file Song(.)wav, it executes a DLL in memory and triggers the export process, the exported file is an XMRig Monero CPU miner, which is designed to steal victim’s resources and to mine cryptocurrency, reads the blog post.

The second category is based on the rand()-based decoding algorithm used to hide the PE files, in this case, the audio files don’t have any music.

When the audio file is executed, the loader reads the file and executes the DLL in memory, the extracted file is the XMRig Monero CPU miner.

The third category is the rand()-based decoding algorithm to hide PE files, like the previous one, this audio file also contains white noise.

Upon executing the audio file the loader opens the PE files, decodes its contents and executes the shellcode. The Metasploit shellcode is capable of launching reverse shell access to the specified IP address.

Attackers continue to use innovative methods to compromise victim machines, in this campaign attackers used both steganography and other encoding techniques.

IoCs

 SHA-256 

595A54F0BBF297041CE259461AE8A12F37FB29E5180705EAFB3668B4A491CECC
843CD23B0D32CB3A36B545B07787AC9DA516D20DB6504F9CDFFA806D725D57F0
DA581A5507923F5B990FE5935A00931D8CD80215BF588ABEC425114025377BB1
DB043392816146BBE6E9F3FE669459FEA52A82A77A033C86FD5BC2F4569839C9
7DC620E734465E2F5AAF49B5760DF634F8EC8EEAB29B5154CC6AF2FC2C4E1F7C

IP
94.249.192.103

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates

Website

Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles