
Researchers Find Malware Loaders Inside Wav Audio Files
By Bill Toulas - October 17, 2019

Actors send the malicious files by email spam or upload them to piracy platforms. The same embedding and obfuscation method could also be used in other types of files.

Researchers at BlackBerry Cylance have found malware loaders embedded inside Wav audio files, together with the components that decode and execute them. The malicious code hides very nicely inside the file's structure, as the embedding and obfuscation leave little for detection to catch. Someone who plays the file will hear either distorted white noise or the intended audio without any glitches, depending on whether the actors bothered to include real music or audio at all. Beyond that, nothing about these nasty audio files hints that something is off.

During their investigation the researchers noted two payloads distributed this way. One is Metasploit code that lets the actors set up a reverse shell; the other is a "classic" XMRig Monero crypto-jacker. Since Wav files may relate to a wide variety of things, malicious actors deliver them in different ways. Spamming by email is the standard procedure. Others upload them to music piracy sites that don't monitor user uploads or have no way of figuring out what code is hidden in the audio files.

The way the actors add the malware code does not break the Wav container structure, so the same approach could also be used for other file types. They may have chosen Wav because this format usually produces large files, so the "extra code" is more often overlooked than not. Wav is a format for raw uncompressed audio, favoured by those who value sound quality over convenience; the result is especially large audio files, up to 10 times the size of the equivalent Mp3.
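To make the container point concrete, here is an added example in Python (not from the article or from the BlackBerry Cylance research): a RIFF chunk walker, run over a constructed sample Wav, that flags non-standard chunk ids, a RIFF size that disagrees with the file length, and bytes appended past the declared end of the container. The allow-list of chunk ids is an assumption to extend for your own files, and the check only catches structural additions; a payload hidden in the sample bytes themselves still parses as a clean data chunk.

```python
import struct

# Chunk ids commonly seen in legitimate PCM Wav files (assumed allow-list; extend as needed).
KNOWN_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"PEAK", b"bext", b"id3 ", b"JUNK"}

def build_wav(pcm: bytes, extra_chunks=(), trailer: bytes = b"") -> bytes:
    """Build a minimal 16-bit mono PCM Wav (constructed test input, not a real capture)."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)  # PCM, mono, 8 kHz, 16-bit
    body = b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
    for cid, payload in extra_chunks:
        body += cid + struct.pack("<I", len(payload)) + payload + b"\x00" * (len(payload) & 1)
    body += b"data" + struct.pack("<I", len(pcm)) + pcm + b"\x00" * (len(pcm) & 1)
    # The RIFF size covers everything after the 8-byte header; the trailer sits outside it.
    return b"RIFF" + struct.pack("<I", len(body)) + body + trailer

def audit_wav(blob: bytes) -> dict:
    """Walk the RIFF chunk list and report structural signs of appended content."""
    report = {"unknown_chunks": [], "trailing_bytes": 0, "riff_size_mismatch": False, "error": None}
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        report["error"] = "not a RIFF/WAVE file"
        return report
    declared_end = 8 + struct.unpack_from("<I", blob, 4)[0]
    report["riff_size_mismatch"] = declared_end != len(blob)
    pos = 12
    while pos + 8 <= min(declared_end, len(blob)):
        cid = blob[pos:pos + 4]
        size = struct.unpack_from("<I", blob, pos + 4)[0]
        if cid not in KNOWN_CHUNKS:
            report["unknown_chunks"].append((cid.decode("ascii", "replace"), size))
        pos += 8 + size + (size & 1)  # chunks are word-aligned
    # Bytes beyond the declared RIFF extent are not part of the audio container at all.
    report["trailing_bytes"] = max(0, len(blob) - declared_end)
    return report

if __name__ == "__main__":
    pcm = bytes(range(256)) * 4  # constructed sample data
    print(audit_wav(build_wav(pcm)))
    print(audit_wav(build_wav(pcm, [(b"pyld", b"\x41" * 33)], b"XTRA" + b"\x00" * 98)))
```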
This case shows that threat actors can put sophisticated ideas into practice and increasingly rely on highly obfuscated code. Using a mixture of steganography and encoding techniques, the Wav malware is obfuscated and maintains a separate execution context that does not affect the host file while remaining completely hidden. Now that such complex developments have started to appear, we can expect to deal with even more sophisticated risks in the near future. Malicious actors will continue to refine their obfuscation tools and techniques, and combining many of them is an effective way to do so.