Hackers always find new techniques to exploit vulnerabilities and profit from them. One technique they employ is called steganography, literally "covered writing".
Steganography is the art of embedding information within other information. Computer files often contain unused data, and steganography replaces those unused bits with a hidden payload. The hidden information can be plain text, ciphertext, images, or even a DLL (Dynamic Link Library).
Since security software usually blocks executable file formats such as .exe, hackers use steganography to hide the payload inside non-executable file formats. Image formats such as JPEG and PNG were the ripe targets. These days, however, audio file formats such as WAV have joined the gang.
How does it work?
Hiding malicious code inside WAV files is not enough on its own; the code cannot do anything by itself. When you play the audio file, the music player simply ignores it. For the attack to work, the user’s system must already be infected with malware. That malware downloads the WAV file, which passes the antivirus and firewall because it is not an executable, and then extracts and executes the code embedded inside it to carry out various tasks.
In 2019, criminals used this method to mine cryptocurrency on infected computers. The malware on the already-infected computer downloaded WAV files containing chunks of a DLL. Since WAV files are supposedly harmless, the download did not trigger any installed antivirus to block it. Once the DLL was assembled and run, the malware installed XMRig, a CPU miner that can slow the host computer down to a snail’s pace.
XMRig itself is a legitimate Monero mining program, but its open-source nature lets cybercriminals tweak it to fit their agenda.
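A defender's way to look for the structural traces this technique leaves in a WAV file, as an added example that is not from the original post: the scanner below walks the RIFF chunk list and reports chunks with unexpected ids, a RIFF size that disagrees with the file length, and bytes appended after the last chunk. The chunk allowlist and the sample files are constructed assumptions for this example; real editors add other chunk types too, so a finding is a lead for triage, not a verdict.

```python
import struct

# Chunk ids normally found in PCM WAV files (assumption: an allowlist for triage;
# audio editors may legitimately add others, so a hit is a lead, not a verdict).
KNOWN_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"PEAK", b"bext"}

def scan_wav(blob):
    """Walk the RIFF chunk list of a WAV byte string and report anomalies:
    unknown chunks, a RIFF size that disagrees with the file length, and
    bytes trailing after the last chunk (where appended data usually sits)."""
    findings, chunks = [], []
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        return {"valid": False, "chunks": chunks, "findings": ["not a RIFF/WAVE file"]}
    declared_end = 8 + struct.unpack("<I", blob[4:8])[0]
    if declared_end != len(blob):
        findings.append(f"RIFF header covers {declared_end} bytes, file has {len(blob)}")
    pos = 12
    while pos + 8 <= min(declared_end, len(blob)):
        cid = blob[pos:pos + 4]
        size = struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        chunks.append((cid.decode("ascii", "replace"), size))
        if cid not in KNOWN_CHUNKS:
            findings.append(f"unexpected chunk {cid!r} of {size} bytes at offset {pos}")
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to an even length
    trailing = len(blob) - min(pos, len(blob))
    if trailing:
        findings.append(f"{trailing} bytes after the last chunk")
    return {"valid": True, "chunks": chunks, "findings": findings}

def riff_chunk(cid, payload):
    """Wrap payload in a RIFF chunk with the given 4-byte id (constructed input)."""
    return cid + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")

def build_wav(samples, extra_chunk=b"", trailing=b""):
    """Constructed test input: a minimal 8 kHz mono 16-bit PCM WAV, optionally with
    an extra chunk inside the RIFF body or raw bytes appended after it."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
    pcm = struct.pack("<%dh" % len(samples), *samples)
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(pcm)) + pcm + extra_chunk)
    return b"RIFF" + struct.pack("<I", len(body)) + body + trailing

if __name__ == "__main__":
    tone = [0, 1000, -1000, 0]
    samples = {"clean": build_wav(tone),
               "extra chunk": build_wav(tone, extra_chunk=riff_chunk(b"pay1", b"placeholder-bytes")),
               "trailing bytes": build_wav(tone, trailing=b"\0" * 32)}
    for name, blob in samples.items():
        print(name, scan_wav(blob)["findings"])
```

Run it against real files with `scan_wav(open(path, "rb").read())`; files that show no findings can still carry data in the low bits of the samples themselves, which this structural check does not cover.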
Will this threat grow?
In the past, steganography was quite hard because inserting extra bits into a file without damaging its integrity requires careful execution. Now that steganography freeware is available for practically anyone to download, the cybercriminals’ work has become easier. You can say that the threat isn’t going to fade anytime soon.
So, what do I do now?
As always, be very careful whenever you download anything from the internet. As mentioned above, the initial malware infection is what you should really be wary of, so make sure your antivirus is always up to date.
On another note, if you’re planning to use any online tool, make sure you’re using tools from reputable sites. For instance, if you need to convert audio files to different formats, always use the one from online-convert.com. You won’t need to worry about the converted files having malicious code inserted, because they are going to be 100% clean.