Skip to main content

Criminals are hiding malware inside WAV files

(Image credit: Pixabay)

You know what's making a comeback? Hackers hiding malicious code in non-malicious file types. Called steganography, the process is simple in theory – hackers can use regular files, like photos, for instance, and hide malicious code within its binary format.

This process is usually done not to infect a system, but rather to transfer malicious files and bypass any potential security measures.

What makes things different this time around, however, is the fact that the file format used for steganography (or stego, as it’s called in slang) is not .jpeg or .png, but rather - .wav. That’s right, hackers are using audio files this time around.

Two different reports, issued a few months apart from each other, both claim hackers are using this method. One of the two hacker groups is Turla, a Russian-based, state-sponsored actor. They were engaged in a cyber-espionage campaign. The second group, an unnamed one for now, was using it for less sinister goals – to assemble a cryptocurrency miner on an infected machine.

The victim machine would already need to be infected with malware. The malware would then download the .wav file and extract .dlls from it, assembling them into a fully-functioning Monero miner called XMRig.

Monero is one of the more popular fully anonymous cryptocurrencies, with wallet owners and money flows being almost impossible to trace.