
LiNkInPaRK-NuMB.wav - .WAV files found to be used to spread Monero miners

rcmaehl

Source:

Techradar
Be In Crypto (Quote Source)
ThreatVector (Original Discovery)

 

Summary:
Cybersecurity firm BlackBerry Cylance released research detailing malware hidden in .wav files that is being used to mine crypto.

 

Quotes/Excerpts:

Quote

Cybersecurity firm BlackBerry Cylance released a research report which suggests that hackers have...conceal[ed] malware into a WAV audio file to hide its malicious code and move past conventional detection methods. The cybersecurity company revealed that each of these WAV files contains a loader component, which will go on to decode and execute malicious content in the audio files. Several threat actors were reportedly examined, with some even embedding JPEG and PNG files with their malware and sending them out.

The malicious audio files were found to be embedded with XMRig, a mining malware used to mine privacy-focused crypto-asset Monero (XMR). The WAV files discovered by the firm also employed the same infrastructure — one which indicates the campaign employed to get remote access over the victims’ networks.

In June, researchers from cybersecurity firm Trend Micro were able to track Black Squid, a cryptojacking malware which they claimed was affecting computers across Thailand and the United States. The Black Squid malware definitely breathed new life into the criminal activity. After receiving a lot of activity reports, authorities in the two target countries put Black Squid into the limelight — and the reason for its popularity was soon recognized. The malware was able to employ several means to hack into computer systems. Thanks to its use of anti-virtualization, anti-sandboxing, and anti-debugging, the malware could take out any steps that could potentially alert victims of its presence. In addition to that, the cybersecurity firm noted that the malware has worm-like propagation abilities, thus making it easy for it to infect other systems that are discovered on the same server as well. With such a potential to get processing power, its popularity amongst hackers was quite obvious.

 

My Thoughts:
While it should be common sense, you should be careful what you download. Even though normally safe file types like .wav files and video files may appear safe, they can easily embed malware. I'd be careful about those SoundCloud rappers and Discord file sharing if it were me.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor
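The summary above says each WAV carries a payload that a separate loader decodes and executes, and a later reply notes the report describes WAVs with PE (Portable Executable) contents. As an added check, not from the BlackBerry Cylance report or any of the linked articles, here is a Python scanner that walks a WAV's RIFF chunks and flags a Windows PE image hidden inside the audio data, inside an unexpected chunk, or appended after the declared end of the file. The sample WAVs it scans are constructed inline; the "PE" it embeds is an 84-byte MZ/PE header skeleton with no code in it; the set of chunk IDs treated as normal is an assumption.

```python
"""Scan a WAV for an embedded Windows PE image (added illustration, not from
the linked articles). Assumes the standard RIFF/WAVE layout; the sample files
below are constructed, and the fake PE is a bare header stub, not code."""
import struct
from dataclasses import dataclass

PE_MAGIC = b"MZ"           # DOS header magic of a Windows PE image
PE_SIG = b"PE\x00\x00"     # NT headers signature, located via e_lfanew (offset 0x3C)
KNOWN_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact"}   # assumed allow-list


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def build_wav(pcm: bytes, rate=44100, channels=2, bits=16, extra_chunks=()):
    """Wrap raw PCM in a canonical WAV; extra_chunks are (id, payload) pairs after 'data'."""
    block_align = channels * bits // 8
    fmt = struct.pack("<HHIIHH", 1, channels, rate, rate * block_align, block_align, bits)
    body = b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
    body += b"data" + struct.pack("<I", len(pcm)) + pcm + (b"\x00" if len(pcm) & 1 else b"")
    for cid, payload in extra_chunks:
        body += cid + struct.pack("<I", len(payload)) + payload + (b"\x00" if len(payload) & 1 else b"")
    return b"RIFF" + struct.pack("<I", len(body)) + body


def find_pe(buf: bytes) -> int:
    """Offset of the first MZ header whose e_lfanew points at a PE signature, else -1."""
    off = buf.find(PE_MAGIC)
    while off != -1:
        if off + 0x40 <= len(buf):
            lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
            if buf[off + lfanew: off + lfanew + 4] == PE_SIG:
                return off
        off = buf.find(PE_MAGIC, off + 1)
    return -1


def scan_wav(blob: bytes) -> list:
    findings = []
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        return [Finding("not-wav", "missing RIFF/WAVE header")]
    declared_end = 8 + struct.unpack_from("<I", blob, 4)[0]
    if declared_end < len(blob):
        tail = blob[declared_end:]
        findings.append(Finding("trailing-bytes", f"{len(tail)} bytes after RIFF end"))
        if find_pe(tail) != -1:
            findings.append(Finding("embedded-pe", "PE image in trailing bytes"))
    elif declared_end > len(blob):
        findings.append(Finding("truncated", f"RIFF claims {declared_end} bytes, have {len(blob)}"))
    pos, end = 12, min(declared_end, len(blob))
    while pos + 8 <= end:
        cid = blob[pos:pos + 4]
        size = struct.unpack_from("<I", blob, pos + 4)[0]
        payload = blob[pos + 8: pos + 8 + size]
        if len(payload) < size:
            findings.append(Finding("bad-chunk-size", f"{cid!r} claims {size}, only {len(payload)} present"))
            break
        if cid not in KNOWN_CHUNKS:
            findings.append(Finding("unusual-chunk", f"{cid!r} ({size} bytes)"))
        off = find_pe(payload)
        if off != -1:
            findings.append(Finding("embedded-pe", f"PE image inside chunk {cid!r} at offset {off}"))
        pos += 8 + size + (size & 1)      # chunks are word-aligned
    return findings


def kinds(blob: bytes) -> set:
    return {f.kind for f in scan_wav(blob)}


# Constructed samples: one second of 44.1 kHz/16-bit stereo silence (176,400 bytes)
# and a harmless 84-byte "PE" consisting only of an MZ/PE header skeleton.
SILENCE = b"\x00" * 176400
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + PE_SIG + b"\x00" * 16
SAMPLE_CLEAN = build_wav(SILENCE)
SAMPLE_PE_IN_DATA = build_wav(SILENCE + FAKE_PE)              # payload inside the audio data
SAMPLE_PE_IN_CHUNK = build_wav(SILENCE, extra_chunks=[(b"junk", FAKE_PE)])
SAMPLE_PE_TRAILING = build_wav(SILENCE) + FAKE_PE             # appended past the RIFF end

if __name__ == "__main__":
    for name, blob in [("clean", SAMPLE_CLEAN), ("in-data", SAMPLE_PE_IN_DATA),
                       ("in-chunk", SAMPLE_PE_IN_CHUNK), ("trailing", SAMPLE_PE_TRAILING)]:
        print(f"{name:9s} {len(blob):>8d} bytes -> {sorted(kinds(blob))}")
```

The three places the scanner looks (audio data, extra chunks, bytes past the RIFF end) are the cheap hiding spots, and every player ignores all three, which is why a sub-megabyte payload disappears in a 40 MB file. The caveat: a loader that spreads the payload bit by bit across the samples, rather than storing it whole, leaves no MZ/PE signature to find, so this check is only as good as the encoding it assumes; in that case you compare the file against a known-good copy or go after the loader, which is the component the report says does the decoding.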


 


WAV is only used on CDs, unless WAV is still used in today's music files and I am not aware of it. So vinyl uses the WAV format too?

Intel Xeon E5 1650 v3 @ 3.5GHz 6C:12T / CM212 Evo / Asus X99 Deluxe / 16GB (4x4GB) DDR4 3000 Trident-Z / Samsung 850 Pro 256GB / Intel 335 240GB / WD Red 2 & 3TB / Antec 850w / RTX 2070 / Win10 Pro x64

HP Envy X360 15: Intel Core i5 8250U @ 1.6GHz 4C:8T / 8GB DDR4 / Intel UHD620 + Nvidia GeForce MX150 4GB / Intel 120GB SSD / Win10 Pro x64

 

HP Envy x360 BP series Intel 8th gen

AMD ThreadRipper 2!

5820K & 6800K 3-way SLI mobo support list

 


Now can I get an encore, do you want more 
Crypto mine with the internet crime. 


Reading your post: [image: "I become so numb" meme]

 

.EXE and you still think that is an audio file?

#facepalm...

Ryzen 5700g @ 4.4ghz all cores | Asrock B550M Steel Legend | 3060 | 2x 16gb Micron E 2666 @ 4200mhz cl16 | 500gb WD SN750 | 12 TB HDD | Deepcool Gammax 400 w/ 2 delta 4000rpm push pull | Antec Neo Eco Zen 500w


14 minutes ago, NumLock21 said:

So vinyl uses the WAV format too

AFAIK vinyl is as analog as you can get. There is no way they could store digital data hidden in it.....

 

5 minutes ago, SupaKomputa said:

.EXE and you still think that is an audio file?

The file itself is .wav, only the loader is a .exe.....


1 hour ago, SupaKomputa said:

.EXE and you still think that is an audio file?

#facepalm...

Well to play the song you have to execute it right...


1 hour ago, jagdtigger said:

AFAIK vinyl is as analog as you can get. There is no way they could store digital data hidden in it.....

And so are CDs; they're pretty secure too, unless the master file was already infected in the first place. The music industry doesn't use CD burners to produce them; they usually stamp-press them with a master die, like how coins are made.

What I find odd is why it is only embedded into .wav files and not the other, more widely used lossless formats. I assume that due to the large size of .wav files, hiding something malicious that adds a few MB to the already large file won't be that noticeable.

1 hour ago, SupaKomputa said:

.EXE and you still think that is an audio file?

#facepalm...

Not sure what you are facepalming for. The music file is still in .wav format, while the malware, an .exe, is hidden within the .wav file.


2 hours ago, VegetableStu said:

-snip-

Not sure if I'm reading it right, but you do know he's gone, right?


I wonder what the file size of these .wav files is; I think it'd get suspicious if I downloaded an 80 MB song.

i7-8700k @ 4.8Ghz | EVGA CLC 280mm | Aorus Z370 Gaming 5 | 16GB G-Skill DDR4-3000 C15 | EVGA RTX 2080 | Corsair RM650x | NZXT S340 Elite | Zowie XL2730 


32 minutes ago, AntiTrust said:

I wonder what the file size of these .wav files is; I think it'd get suspicious if I downloaded an 80 MB song.

They can get pretty big, but it depends on the quality.


9 hours ago, VegetableStu said:

real talk for a moment?

 

I went singing with my friends a few weeks back. Saw the machine had some LP and was finding a song that only had Chester on vocals. So for kicks I did Given Up.

 

Holy heck, I kinda feel the pressure of screwing up the song. I can't imagine how he has to handle concerts during long tours (also he's a smoker if I remember right).

 

Damn, I kinda feel sad for him somehow. Still sucks that he's gone with that headcanon.

 

Sorry, back to wav files with exe extensions.

You should listen to him in the single Cross Off by Mark Morton. His voice is absolutely incredible. An irrecoverable loss for music.

 

This also would probably be the last recording he ever did.

CPU: Intel i7 - 5820k @ 4.5GHz, Cooler: Corsair H80i, Motherboard: MSI X99S Gaming 7, RAM: Corsair Vengeance LPX 32GB DDR4 2666MHz CL16,

GPU: ASUS GTX 980 Strix, Case: Corsair 900D, PSU: Corsair AX860i 860W, Keyboard: Logitech G19, Mouse: Corsair M95, Storage: Intel 730 Series 480GB SSD, WD 1.5TB Black

Display: BenQ XL2730Z 2560x1440 144Hz


9 hours ago, NumLock21 said:

WAV is only used on CDs, unless WAV is still used in today's music files and I am not aware of it. So vinyl uses the WAV format too?

No one really uses it. I'm not sure it's accurate to even call CDs WAV format, though it's probably the closest you'll get. Everyone else is using mp3, aac, m4a, ogg, flac, or something like that. Vinyl doesn't have a format; it's just a physical object, a disk with a soundwave stamped into it.

9 hours ago, SupaKomputa said:

.EXE and you still think that is an audio file?

#facepalm...

The title is a bit misleading.  From what I can tell, this isn't your typical song.mp3.exe trick, it appears to the user as a normal wav but when played can extract and run a hidden included exe.

7 hours ago, AntiTrust said:

I wonder what the file size of these .wav files is; I think it'd get suspicious if I downloaded an 80 MB song.

Somewhere in the 40s wouldn't be unexpected for an uncompressed format like that, which is not out of the question since FLAC files (losslessly compressed but not by much) are often around the same size.  The code for the malware could easily be well under 1 MB making it unnoticeable against the already large file.

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


1 minute ago, Ryan_Vickers said:

No one really uses it. I'm not sure it's accurate to even call CDs WAV format, though it's probably the closest you'll get. Everyone else is using mp3, aac, m4a, ogg, flac, or something like that. Vinyl doesn't have a format; it's just a physical object, a disk with a soundwave stamped into it.

Just looked it up, and CDs use something called CD Audio. .WAV is used on computers, where it's uncompressed, giving the highest quality possible.


1 minute ago, NumLock21 said:

Just looked it up, and CDs use something called CD Audio. .WAV is used on computers, where it's uncompressed, giving the highest quality possible.

Basically, CDs and wav files both contain a simple PCM stream, most often at 44.1 kHz and 16 bits per sample. In that way, they are the same, but the details of how that's actually stored in binary may differ, along with any "headers" and such.


Just now, Ryan_Vickers said:

Somewhere in the 40s wouldn't be unexpected for an uncompressed format like that, which is not out of the question since FLAC files (losslessly compressed but not by much) are often around the same size. The code for the malware could easily be well under 1 MB making it unnoticeable against the already large file.

@AntiTrust I have 24bit 96k flac rips that are like 5 minutes long that are over 100MB each.


11 hours ago, SupaKomputa said:

Reading your post: [image: "I become so numb" meme]

 

.EXE and you still think that is an audio file?

#facepalm...

EXE appended to WAV is only mentioned in this thread title. Original article only mentions WAV with PE (Portable Executable) contents.


I think this year was the first time I had come across .wav files in a long while... and that's because they're the only format they had available on freesound.

Please quote my post, or put @paddy-stone if you want me to respond to you.

  • PCs:- 
  • Main PC build  https://uk.pcpartpicker.com/list/2K6Q7X
  • ASUS x53e  - i7 2670QM / Sony BD writer x8 / Win 10, Elemetary OS, Ubuntu/ Samsung 830 SSD
  • Lenovo G50 - 8Gb RAM - Samsung 860 Evo 250GB SSD - DVD writer
  •  
  • Displays:-
  • Philips 55 OLED 754 model
  • Panasonic 55" 4k TV
  • LG 29" Ultrawide
  • Philips 24" 1080p monitor as backup
  •  
  • Storage/NAS/Servers:-
  • ESXI/test build  https://uk.pcpartpicker.com/list/4wyR9G
  • Main Server https://uk.pcpartpicker.com/list/3Qftyk
  • Backup server - HP Proliant Gen 8 4 bay NAS running FreeNAS ZFS striped 3x3TiB WD reds
  • HP ProLiant G6 Server SE316M1 Twin Hex Core Intel Xeon E5645 2.40GHz 48GB RAM
  •  
  • Gaming/Tablets etc:-
  • Xbox One S 500GB + 2TB HDD
  • PS4
  • Nvidia Shield TV
  • Xiaomi/Pocafone F2 pro 8GB/256GB
  • Xiaomi Redmi Note 4

 

  • Unused Hardware currently :-
  • 4670K MSI mobo 16GB ram
  • i7 6700K  b250 mobo
  • Zotac GTX 1060 6GB Amp! edition
  • Zotac GTX 1050 mini

 

 


I see no mention in the story of how these loaders get on the system in the first place. I mean, those WAV files are useless by themselves; you still need the loader component that extracts the payload from those WAV files, so... where does the loader come from? I only skimmed the article, but I ain't seeing anyone addressing that.

 

Aside from the baddies using WAV files for hiding the payloads, I see nothing new or alarming about any of this. It's ages-old stuff; steganography and the like have been used for doing this exact thing for two decades now.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


13 hours ago, imreloadin said:

Well to play the song you have to execute it right...

No, you don't execute every single god damn file on your computer when you open them. When you e.g. open a .txt - file in Notepad, that .txt - file does NOT get executed, it does not get loaded into memory-space with the executable-bit set and Notepad does not deliberately jump to the loaded data. That is not how computers work.

 

5 hours ago, Ryan_Vickers said:

it appears to the user as a normal wav but when played can extract and run a hidden included exe

Incorrect. Playing the WAV-file doesn't cause any code to execute, the WAV-file is just used to hide the most-harmful component in so it's harder for antivirus to detect. You still need to run some separate malicious application, ie. the loader, that then extracts the harmful component from the WAV-file and executes it. As I said, these WAV-files do literally nothing harmful by themselves.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.
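The post above makes the point that the WAV is inert and that a separate loader is what reads it, decodes the payload and executes it. As an added example of what that looks like from the defender's side (editor's code, not from the BlackBerry Cylance report or any linked article), here is a small hunt over constructed process telemetry that flags a process that is not a known audio player reading a .wav and then spawning a child whose command line looks like a miner. The event schema and the records are constructed; the audio-player allow-list is an assumption you would replace with your own; the command-line markers, XMRig's -o/--url pool option and the stratum+tcp:// scheme mining pools use, are real.

```python
"""Hunt for a loader that reads a .wav and then launches a miner (added
illustration, not from the linked articles). The event schema and records are
constructed; the audio-player allow-list is an assumption. The command-line
markers are XMRig's real pool option (-o / --url) and the stratum+tcp:// scheme
mining pools use."""
import re

AUDIO_PLAYERS = {"vlc.exe", "wmplayer.exe", "foobar2000.exe", "spotify.exe"}   # assumed allow-list
MINER_CMDLINE = re.compile(r"stratum\+tcp://|(?:^|\s)(?:-o|--url)[\s=]\S+", re.I)

# Constructed telemetry in a simplified, Sysmon-like shape (field names are assumed).
EVENTS = [
    {"ts": 1, "op": "ProcessCreate", "pid": 4100, "ppid": 800,
     "image": r"C:\Users\a\Downloads\NuMB_player.exe", "cmdline": "NuMB_player.exe"},
    {"ts": 2, "op": "FileRead", "pid": 4100, "target": r"C:\Users\a\Music\LiNkInPaRK-NuMB.wav"},
    {"ts": 3, "op": "ProcessCreate", "pid": 4188, "ppid": 4100,
     "image": r"C:\Users\a\AppData\Local\Temp\svchost.exe",
     "cmdline": "svchost.exe -o stratum+tcp://pool.example:3333 -u WALLET --donate-level=1"},
    {"ts": 4, "op": "ProcessCreate", "pid": 5000, "ppid": 800,
     "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe", "cmdline": "vlc.exe"},
    {"ts": 5, "op": "FileRead", "pid": 5000, "target": r"C:\Users\a\Music\song.wav"},
    {"ts": 6, "op": "ProcessCreate", "pid": 5010, "ppid": 5000,
     "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe", "cmdline": "vlc.exe --started-from-file"},
]


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events, window=300):
    """Alert when a process that is not a known player reads a .wav and, within
    `window` seconds, spawns a child whose command line looks like a miner."""
    images = {}        # pid -> image path
    wav_readers = {}   # pid -> (wav path, ts of the read)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["op"] == "ProcessCreate":
            images[e["pid"]] = e["image"]
            parent = wav_readers.get(e["ppid"])
            if parent and e["ts"] - parent[1] <= window and MINER_CMDLINE.search(e["cmdline"]):
                alerts.append({"loader": images.get(e["ppid"]), "wav": parent[0],
                               "miner_pid": e["pid"], "cmdline": e["cmdline"]})
        elif e["op"] == "FileRead" and e["target"].lower().endswith(".wav"):
            if basename(images.get(e["pid"], "")) not in AUDIO_PLAYERS:
                wav_readers[e["pid"]] = (e["target"], e["ts"])
    return alerts


if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(alert)
```

The rule keys on the loader's two observable actions, reading the carrier file and starting the miner, rather than on the WAV itself, which is the part nothing can detect at rest once the encoding changes. Two caveats: a loader that runs the decoded payload inside its own process leaves no child to correlate, so the same reader process making an outbound connection to a pool endpoint is the other signal worth pairing with the file read; and, as the post above also asks, none of the linked articles say how the loader arrives, so this only catches it once it is already running.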


7 hours ago, VegetableStu said:

i mentioned in the last proper sentence, yes ._.

Ah, I was just misreading then.


15 hours ago, imreloadin said:

Well to play the song you have to execute it right...

You don't, you could just open it with your audio player of choice... regardless, this is a little misleading - the wav file itself is harmless, it's the loader that actually does the damage.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


11 hours ago, Ryan_Vickers said:

The title is a bit misleading.  From what I can tell, this isn't your typical song.mp3.exe trick, it appears to the user as a normal wav but when played can extract and run a hidden included exe.

Yeah. People seem confused. I was trying to make a reference to people downloading malware from LimeWire by accident, but it caused more confusion than hilarity.


So... if you convert it to .flac and then back to .wav, will the mining part still work?

Would love to get my hands on one of these infected files just to run it through FLAC Frontend and see what happens.


7 hours ago, WereCatf said:

Incorrect. Playing the WAV-file doesn't cause any code to execute, the WAV-file is just used to hide the most-harmful component in so it's harder for antivirus to detect. You still need to run some separate malicious application, ie. the loader, that then extracts the harmful component from the WAV-file and executes it. As I said, these WAV-files do literally nothing harmful by themselves.

Yes I understand all that quite well.  I know you don't execute files just to open them like txt or wav etc.  Perhaps I didn't explain myself well, I thought all this would be intuitive from where I left off.

 

Edit: actually I'm not sure we're on exactly the same page after all.  For the second part, as far as I know, you don't need to run a malicious player/loader, this file works by taking advantage of a flaw/vulnerability in existing clean players to deliver the payload*.  Perhaps that is a misunderstanding though and it is in fact how you explained it.  If so this seems like much less of a threat though as I don't know who would execute anything that comes along with music they've downloaded, there's just no need.

 

I noticed you also posted wondering about how people get these loaders in the first place and I agree with that uncertainty, which just leads me back to my initial theory.  It would solve that issue and explain why this is even a threat.  But, it is also strange that they haven't made that clear either if it is what's actually going on.

 

*One such way I'd imagine this working, just for the sake of completeness, is a header file containing intentionally corrupted and unexpected values causes a buffer overrun which changes a pointer, causing some of the wav file's "audio" data (actually hidden code) to be loaded into the program's memory space rather than where it would store ordinary data.  At this point, when the program goes to execute what was there, instead of doing what it thought, it will instead run the payload.  I'm not an expert in this kind of thing by any stretch but I think that's quite possible given the right flaws in the player.  I'd imagine in this case it's something rather more sophisticated if that is the case since attacks like this have been known for a long time, but still, just to give an example.

Edited by Ryan_Vickers
so many edits... haven't had my coffee yet lol

