Researchers find cryptojacker hidden in Wav audio file
The Wav audio file format is being exploited in the wild as a vehicle for infecting victims’ networks with cryptominers, according to Guardicore Labs, which today released a disclosure detailing a recent incident at an undisclosed medical technology company in December 2019.
A Wav (or Wave) file is a type of audio file that uses a container format to store audio data in raw, usually uncompressed form; the same container structure is shared with other Windows file types. This means Wav files are often much larger than other audio formats such as MP3, and they are widely used by professional musicians and producers to preserve optimum sound quality.
According to Guardicore researchers Ophir Harpaz and Daniel Goldberg, the network in question was infected with a well-obscured strain of malware hiding a Monero cryptominer in a Wav file.
The attackers attempted to spread inside the target network by infecting Windows 7 machines through the EternalBlue vulnerability, made famous by the WannaCry outbreak of 2017.
The target was alerted in October 2019 when several Windows 7 machines fell victim to the blue screen of death (BSOD), an indication of a kernel mode error, and sought help from Guardicore through its managed service provider.
Although the machines were not configured to record kernel memory dumps, which would have helped analysts, closer inspection revealed that one of them had executed a long command line that accessed suspicious data in a registry key. More than 800 other machines, half of those in the victim’s network, exhibited the same unusual data.
This turned out to be a base64-encoded PowerShell script, which was also found to be available online, in encoded and decoded form, under the title An Unknown Malware.
The investigation revealed that the attackers scanned subnets on port 445 in an attempt to spread the malicious payload to other hosts, using EternalBlue to move laterally across the network.
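The two host-side signals the investigation turned on, a long base64-encoded PowerShell command line reading from a registry key and a single host sweeping TCP 445 across a subnet, are easy to triage from process-creation and connection logs. The script below is an added example written for this article, not Guardicore's tooling or anything from the incident; the event data, the host names, the registry path `HKLM:\SOFTWARE\Example\Stage`, the 200-character "long command line" threshold and the 20-target sweep threshold are all constructed or assumed.

```python
"""Triage checks for the two signals described above: base64-encoded PowerShell
command lines that read registry data, and one host sweeping TCP 445 across a
subnet. All sample events are constructed, not taken from the incident."""
import base64
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload is
# base64 over UTF-16LE text. Longest alternatives come first.
ENC_FLAG = re.compile(
    r"-(?:encodedcommand|encodedc|encoded|encode|encod|enco|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)
# Registry references as PowerShell writes them (provider paths or Registry:: form).
REG_REF = re.compile(r"HK(?:LM|CU|CR|U|CC)[:\\]|Registry::", re.IGNORECASE)


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode an -EncodedCommand argument; None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline: str, long_threshold: int = 200) -> Dict[str, object]:
    """Return the facts an analyst wants about one command line (thresholds are assumptions)."""
    decoded = None
    m = ENC_FLAG.search(cmdline)
    if m:
        decoded = decode_encoded_command(m.group(1))
    text_to_check = cmdline + ("\n" + decoded if decoded else "")
    findings: Dict[str, object] = {
        "long": len(cmdline) >= long_threshold,
        "encoded": decoded is not None,
        "registry_access": bool(REG_REF.search(text_to_check)),
        "decoded": decoded,
    }
    # Encoded PowerShell that touches the registry is the combination seen in the incident.
    findings["suspicious"] = findings["encoded"] and findings["registry_access"]
    return findings


def find_smb_sweepers(connections: Iterable[Tuple[str, str, int]],
                      min_targets: int = 20) -> Dict[str, int]:
    """Sources that contacted at least min_targets distinct hosts on TCP 445."""
    targets = defaultdict(set)
    for src, dst, port in connections:
        if port == 445:
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


# --- constructed sample data (hypothetical hosts, addresses and registry path) ---
def encode_for_powershell(script: str) -> str:
    """Produce the same encoding PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


STAGE_SCRIPT = '$blob=(Get-ItemProperty -Path "HKLM:\\SOFTWARE\\Example\\Stage").Payload;'
SAMPLE_COMMAND_LINES = {
    "ws-017": "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_for_powershell(STAGE_SCRIPT),
    "ws-018": 'notepad.exe "C:\\Users\\alice\\notes.txt"',
    "ws-019": "powershell.exe -Enc " + encode_for_powershell("Get-Date"),  # encoded but benign
}
SAMPLE_CONNECTIONS = (
    [("10.0.1.5", f"10.0.1.{i}", 445) for i in range(1, 31)]  # one host sweeping the /24
    + [("10.0.1.7", "10.0.1.10", 445)] * 5                     # ordinary file-server use
    + [("10.0.1.7", "10.0.1.20", 443)]
)

if __name__ == "__main__":
    for host, cmd in SAMPLE_COMMAND_LINES.items():
        print(host, analyze_command_line(cmd))
    print("sweepers:", find_smb_sweepers(SAMPLE_CONNECTIONS))
```

Decoding the command rather than matching on the raw base64 matters: the same script re-encoded with one extra space produces a completely different base64 string, so string-matching the encoded form only catches the exact sample already published online, while the decoded text exposes the registry read on every variant.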
“Following this discovery, we recommended that the company block all SMB [server message block] traffic between endpoint machines,” Harpaz and Goldberg wrote in a disclosure blog.
“The company had labeled the endpoint machines in [Guardicore product] Centra in advance, long before they were breached, which significantly sped up the creation and enforcement of the policy.
“Guardicore Labs reverse engineered the malware payload and found a multi-layered executable file. During its execution, the payload decompresses its modules one after the other and executes the decompressed code on each iteration.
“The malware contains a cryptomining module based on the open source XMRig CPU miner. It uses the CryptonightR algorithm to mine Monero, a popular privacy coin. Additionally, the malware uses steganography and hides its malicious modules in clean-looking WAV files. The technique was recently reported, but this was the first time it had been seen as part of a full attack flow.”
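A WAV file that carries a packed module still has to parse as a RIFF container, so a defender's first look can be structural: does the declared RIFF size match the file, are there chunks a normal encoder would never write, and does the "audio" in the data chunk have the byte entropy of audio or of compressed/encrypted code. The checker below is an added example for this article, not Guardicore's analysis tooling, and the article does not say exactly how the modules were hidden; the sample files, the set of "known" chunk ids and the 7.5 bits/byte entropy threshold are constructed assumptions. Payloads hidden in the low bits of genuine samples would not trip these checks.

```python
"""Structural sanity checks for WAV containers. All sample files are built in
memory here; this is an illustration, not a reproduction of the incident."""
import io
import math
import random
import struct
import wave
from collections import Counter
from typing import List

# Chunk ids a PCM WAV from common tools may legitimately carry (assumption:
# anything else is worth a look, not proof of tampering).
KNOWN_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"PEAK", b"bext", b"smpl"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for compressed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_wav(blob: bytes, entropy_threshold: float = 7.5) -> List[str]:
    """Walk the RIFF chunk list and report structural or statistical anomalies."""
    findings: List[str] = []
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        return ["not a RIFF/WAVE container"]
    riff_size = struct.unpack("<I", blob[4:8])[0]
    declared_end = 8 + riff_size
    if declared_end < len(blob):
        findings.append(f"{len(blob) - declared_end} bytes trail the declared RIFF end")
    elif declared_end > len(blob):
        findings.append("RIFF size exceeds file length (truncated or tampered header)")
    pos = 12
    while pos + 8 <= min(declared_end, len(blob)):
        cid = blob[pos:pos + 4]
        csize = struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        body = blob[pos + 8:pos + 8 + csize]
        if len(body) < csize:
            findings.append(f"chunk {cid!r} claims {csize} bytes but only {len(body)} present")
            break
        if cid not in KNOWN_CHUNKS:
            findings.append(f"unexpected chunk {cid!r} ({csize} bytes)")
        if cid == b"data":
            e = shannon_entropy(body)
            if e > entropy_threshold:
                findings.append(f"data chunk entropy {e:.2f} bits/byte looks like packed or encrypted content")
        pos += 8 + csize + (csize & 1)  # RIFF chunks are word-aligned
    return findings


# --- constructed sample files -------------------------------------------------
def make_clean_wav(seconds: int = 1, rate: int = 8000, amplitude: int = 1000) -> bytes:
    """A one-second 440 Hz tone, 16-bit mono PCM, written by the standard wave module."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        frames = b"".join(
            struct.pack("<h", int(amplitude * math.sin(2 * math.pi * 440 * i / rate)))
            for i in range(rate * seconds)
        )
        w.writeframes(frames)
    return buf.getvalue()


def append_trailing_payload(clean: bytes, payload: bytes) -> bytes:
    """Simplest hiding spot: bytes after the RIFF end, which players ignore."""
    return clean + payload


def replace_audio_with_payload(clean: bytes, seed: int = 7) -> bytes:
    """Keep the header and chunk layout, overwrite the samples with pseudo-random
    bytes standing in for a packed module stored in the sample area."""
    idx = clean.find(b"data")
    size = struct.unpack("<I", clean[idx + 4:idx + 8])[0]
    rng = random.Random(seed)
    filler = bytes(rng.getrandbits(8) for _ in range(size))
    return clean[:idx + 8] + filler + clean[idx + 8 + size:]


if __name__ == "__main__":
    clean = make_clean_wav()
    print("clean:", inspect_wav(clean))
    print("trailing:", inspect_wav(append_trailing_payload(clean, b"\x00" * 4096)))
    print("replaced:", inspect_wav(replace_audio_with_payload(clean)))
```

The entropy check is a heuristic, not a verdict: dense music or noise recordings score higher than a pure tone, so in practice the threshold should be tuned against the organisation's own clean media, and a hit is a reason to pull the file for sandbox or manual analysis rather than to block it outright.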
Guardicore addressed this particular attack by first removing the malware, shutting down the malicious processes, and deleting the registry keys that contained the binary payloads, at which point the indicators of compromise ceased to appear.
Harpaz and Goldberg detailed a series of measures to help other potential victims investigate and remediate such attacks. These include forwarding logs from Windows and Linux machines to centralized, hardened servers so they are preserved; configuring systems to record full crash dumps for later analysis; and isolating infected machines rather than cleaning them up immediately, which can destroy potential evidence.