Steganography, an ancient practice of hiding secret content and text messages inside non-suspicious messages, is being increasingly used by cybercriminals to attack businesses around the world.
Security researchers found a new malware campaign using WAV audio files to hide their malware. It’s said the attackers are using Steganography to embed the malicious code within the WAV audio files. According to BlackBerry threat researchers’ analysis, each WAV file contains a loader component to decode and execute malicious content embedded in audio files.
Attackers use Steganography as a technique to hide malicious code within the image/audio/text file that is mainly employed by exploiting kits to hide their malvertising traffic.
The researchers also revealed that some of the WAV files contain crypto miner script “XMRig Monero CPU” miner and “Metasploit” code to establish a reverse shell, which is used to gain remote access over the victim networks.
“Attackers deploy CPU miners to steal processing resources and generate revenue from mining cryptocurrency. Cryptocurrency miners are a popular malware payload since they provide financial benefits and aim to operate in the background without the user’s knowledge. An effective cryptocurrency botnet can yield thousands of dollars per month for an attacker,” Blackberry said in a statement.
“This approach allows the attacker to execute code from an otherwise benign file format. These techniques demonstrate that executable content could theoretically be hidden within any file type, provided the attacker does not corrupt the structure and processing of the container format. Adopting this strategy introduces an additional layer of obfuscation because the underlying code is only revealed in memory, making detection more challenging,” the statement added.
Cybercriminals are continuously using innovative methods to execute their malicious activities. Recently, Trend Micro stated that cybercriminals are using steganography to infect the targeted systems. It’s believed that the Powload campaign activity was distributing malicious codes since 2018 through fileless methods, steganography techniques, and hijacking email accounts to deliver the information-stealing malware such as Emotet, Bebloh, and Ursnif.
In a similar research, Matthew Rowen, a security researcher from Bromium, discovered ransomware embedded into a downloadable Super Mario image using steganography method. The attackers send emails with an attached spreadsheet that has an embedded malware and a macro. The attachment prompts the user to click on and enable a content link to deploy the malware.