Researchers find cryptojacker hiding in Wav audio file

The Wav audio file format is exploited in the wild as a vehicle to infect victim networks with cryptominers, according to Guardicore Labs, which has today published a new disclosure detailing a recent incident at an undisclosed medical technology company in December 2019.

A Wav or Wave file is an audio file type that uses containers to store audio data in raw and often uncompressed units – common to other Windows file types as well. This means they are often much larger than other types of audio files, such as MP3s, and are widely used by professional musicians and producers to retain optimal sound quality.

According to Guardicore researchers Ophir Harpaz and Daniel Goldberg, the network in question became infected with a well-obfuscated malware strain hiding a Monero cryptominer inside a Wav file.

The hackers attempted to propagate inside the target through infecting Windows 7 machines by exploiting the EternalBlue vulnerability, made famous in the WannaCry outbreak of 2017.

The target was alerted in October 2019 when several Windows 7 machines fell victim to the blue screen of death (BSOD), an indication of a kernel-mode error, and enlisted Guardicore’s help through their managed services provider.

While the machines were not configured to save kernel memory dumps, which would have been useful to the analysts, closer inspection found that one of the machines had executed a long command line accessing suspicious data in a registry key. Over 800 other machines – half of those on the victim’s network – also had the unusual data present.

This turned out to be the result of a base-64 encoded PowerShell script, which was found to be available online in both encoded and decoded strains, titled An Unknown Malware.

The investigation revealed that the attackers had conducted subnet scans on port 445 to attempt to spread the malicious payload to other hosts and used EternalBlue to spread laterally through the network.

“Following this discovery, we recommended the company to block all SMB [server message block] traffic between endpoint machines,” wrote Horpaz and Goldberg in a disclosure blog.

“The company had labelled endpoint machines in [Guardicore product] Centra in advance, long before they were breached, making the policy creation and enforcement significantly faster.

“Guardicore Labs reverse engineered the malware payload and found a multi-layered executable file. During its runtime, the payload unpacks its modules one after the other, and executes the unpacked code in each iteration.

“The malware contains a cryptomining module based on the open-source XMRig CPU miner. It uses the CryptonightR algorithm to mine Monero – a popular privacy coin. In addition, the malware makes use of steganography and hides its malicious modules inside clean-looking WAV files. The technique was recently reported, but this was the first time it was seen as part of a full attack flow.”

Guardicore remediated this particular attack by first removing the malware, halting the malicious processes and deleting the registry keys that contained the binary payloads, at which point the indicators of compromise ceased to appear.

Horpaz and Goldberg detailed a series of steps to help other possible victims investigate and remediate such attacks. These include enabling log forwarding on Windows and Linux machines to centralised, hardened servers to safeguard them – configuring systems to save complete crash dumps for future analysis – and to isolate infected machines rather than immediately cleaning them, which can destroy potential evidence.