Hackers Leverage Malicious Code in WAV Audio Files to Mine Crypto




Last modified


Hackers hide malware in WAV audio files

The threat researching team at BlackBerry Cylance found that hackers are using malicious code in WAV audio files to mine crypto. The software firm, which develops anti-virus programs unveiled this news on October 16.

However, the company noted that this kind of hacking is known as steganography.

Analysts from the firm found that some of the WAV files they examined contained code to launch malware. Reportedly, the malware helped attackers gain financially. On top of this, it helped them get remote access within the infected computer.

However, the firm noted that,

Each WAV file was coupled with a loader component for decoding and executing malicious content secretly woven throughout the file’s audio data. When played, some of the WAV files produced music that had no discernible quality issues or glitches. Others simply generated static (white noise).

Next-level Cryptojacking

BlackBerry Cylance unveiled that the bad actors used three categories of WAV file loaders to steal computing power. These are:

  • Loaders that employ Least Significant Bit (LSB) steganography to decode and execute a PE file.
  • Those that employ a rand()-based decoding algorithm to decode and execute a PE file.
  • Loaders that employ rand()-based decoding algorithm to decode and execute shellcode.

Furthermore, the company noted that each of these approaches allowed the hackers to execute code from normal files. As such, the attackers could easily use any file type provided they do not corrupt the structure of the file format. This method reportedly makes detection difficult as the hidden code is only unveiled in memory.

BlackBerry Cylance’s analysis found that some of the examined WAV files contained underlying code associated with the XMRig Monero CPU miner. Other files had Metasploit code, which bad actors use to create a reverse shell.

However, the company noted that it found both payloads in the same environment. This allegedly suggests a two-pronged campaign to launch malware for financial gain.

This news comes after a report revealed that a group of South Korean hackers dubbed “Lazarus APT Group” had started targeting Apple Macs. The hacker group had created malware that targets Apple computers and hides behind a fake crypto firm. The threat researchers noted that none of the engines on VirusTotal were able to detect the malware. The publication further cited that the malware was similar to a strain of Mac malware that the same group created in the past year.

Do you think government involvement can help rid the crypto sector of hackers? Let us know in the comments below.