Crypto malware developers are known for the ‘creativity’ with which they ply their trade, with crypto mining scripts injected into fake Adobe Flash updates, remote access attacks, and classic email phishing attacks. Now, a new type of malware has been discovered lurking within music files which exposes the victim to the XMRig Monero CPU miner and the Metasploit hack at the same time, allowing the hacker to use the victim’s computer to mine the cryptocurrency and establish remote access to control it.
Malicious Payloads – Hiding Beneath the WAV. BlackBerry Cylance Threat Researchers recently discovered obfuscated malicious code embedded within WAV audio files. Learn more: https://t.co/szEglwcEGx pic.twitter.com/wEpbS2b0Wg
— Cylance Inc. (@cylanceinc) October 16, 2019
Malware Hard to Detect
The malware was discovered by threat researchers from BlackBerry Cylance, who revealed its existence on Wednesday in a blog post, where they described its nature:
BlackBerry Cylance Threat Researchers recently discovered obfuscated malicious code embedded within WAV audio files. Each WAV file was coupled with a loader component for decoding and executing malicious content secretly woven throughout the file’s audio data. When played, some of the WAV files produced music that had no discernible quality issues or glitches. Others simply generated static (white noise).
When opened, the files would surreptitiously extract and embed the XMRig and Metasploit codes, allowing the attacker to utilize the affected computer’s CPU and handle the attack remotely. Fortunately, WAV files are not as commonly used as other formats such as MP3 or MP4, so the impact should be reduced because of this, although the fact that the music played as expected and the file showed no signs of being corrupt is a concern. Another reminder to download your music from official channels.
The Huge Impact of Remote Mining
Although the impact on an individual computer is barely noticeable by the individual, the cumulative effect of multiple computers all mining together can be huge. This was laid bare last month when French police stopped a botnet Monero mining attack that had affected some 850,000 computers worldwide. At its peak, the botnet was able to call on 1-3 million GHz of processing power, bigger than most purpose-built mining operations. BlackBerry Cylance said in their blog post that the methods used by the hackers allowed them to conceal their executable content, which made detection a “challenging task”, something that is only going to increase with time.