Researchers at BlackBerry Cylance have been tracking ordinary WAV audio files being used to carry hidden malicious data used by threat actors.
Eric Milam is VP of threat research and intelligence at BlackBerry Cylance, and he joins us to share their findings.
The research can be found here:
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:25] And now a quick word about our sponsor, Juniper Networks. NSS Labs gave Juniper its highest rating of "Recommended" in its 2019 Data Center Security Gateway Test. To get your copy of the NSS Labs report, visit juniper.net/SecureDC, or connect with Juniper on Twitter or Facebook. That's juniper.net/SecureDC. And we thank Juniper for making it possible to bring you Research Saturday.
Dave Bittner: [00:00:57] And thanks also to our sponsor Enveil, whose revolutionary ZeroReveal solution, closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything – all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Eric Milam: [00:01:38] Well, I mean, the most interesting thing about this is obviously, like, steganography is not new, right? It's been used since the days of the Romans. It's been around for a long time. But typically you see it used with image files.
Dave Bittner: [00:01:49] That's Eric Milam. He's VP of Threat Research and Intelligence at BlackBerry Cylance. The research we're discussing today is titled, "Malicious Payloads - Hiding Beneath the WAV."
Eric Milam: [00:02:00] And in this specific case, it was very interesting to see it used with a different file format – in this specific case, a WAV audio file. So that really drew our attention right away and was something fairly interesting. There's not a lot of research out there. There are some discussions around it. I think some people have covered it, but not to the depth in which we wanted to go to within this research.
Dave Bittner: [00:02:22] Let's start off with some basics here. I mean, I think most of us are probably at least somewhat familiar with what a WAV file is. That's an audio file. It goes back a long way. It's a file format that's been around a long time.
Eric Milam: [00:02:33] Yeah, yeah. It definitely predates the MP3s and MP4s that we have these days. It's been around since the beginning of time. Yeah, it's very interesting. I think the reason it was chosen, or what we've come to believe is the reason it was chosen, is back then when this was created there wasn't a lot of file integrity checking going on. And so, when you do something like stego, you have to really understand the format so you don't break it, right? Some file formats are definitely a lot more forgiving. That's why stego in images – it normally uses PNG. A lack of integrity checking, just the ease of leveraging that format. Same thing here with WAV. If they tried to do this, say within an MP3, there's file integrity checking, there's compression, there's all other kinds of things that have to go into it that could potentially break. So I think they kind of took the path of least resistance in picking the WAV file itself. And I think the file format really helped make it a little bit easier on them.
Dave Bittner: [00:03:30] Yeah, that's really an interesting insight. Well, let's go through here together. How exactly did this work? It wasn't just the WAV file standing on its own.
Eric Milam: [00:03:40] Yeah, that's correct. Like, every WAV file was coupled with a matching loader file. So, the way it works is the loader file is paired with this item, with this file. And when it runs, essentially, the loader then will look for that WAV file, grab and extract the items out of it, parse that in some memory into the same address space, and then execute the malicious payload that's within it.
Dave Bittner: [00:04:05] And what's going on within the WAV file itself? Are they spreading the useful data throughout the file?
Eric Milam: [00:04:14] Yeah. There's a certain level of encoding that happens, obfuscation within that. I have to admit, I don't know the technical details around that part.
Dave Bittner: [00:04:21] Mm-hmm.
Eric Milam: [00:04:21] So, essentially, yeah, what they're doing is they're leveraging an empty space or areas within that file format in order to put these malicious bits in there that can then be extracted. And the interesting thing was, as I pointed to earlier, they didn't actually break the file format – the WAV files actually played. One played music and one played white noise. So that means they had a really good understanding of where they could put things, the file structure itself, and how they could leverage and get the items back out of it.
Dave Bittner: [00:04:49] Yeah, and again, very similar to what we've heard about folks doing with image files, where if you didn't know any better, you wouldn't know that there was anything wrong with the file at all.
Eric Milam: [00:04:59] Yeah, that's correct. In fact, we did some research around APT32 and OceanLotus not that long ago where they used PNG files, and they used encoding within the RGB to hide a payload and be able to extract payload. So, similar technique, just a different file format.
Dave Bittner: [00:05:13] Well, there were three basic categories that you all cover here in the research. Why don't we go through those together, one by one?
Eric Milam: [00:05:21] Sure.
Dave Bittner: [00:05:21] So, the first one employed some steganography to decode and execute a file. What was going on with that one? A PE loader?
Eric Milam: [00:05:30] Yeah. So the PE loader, the way it works – that goes back to what we were talking about with the coupled file. So there's essentially two different files that were placed on these systems. So the first one is a PE file, which we'll call the loader, which knows how to access the WAV file – this specific WAV file – and extract what needs to be extracted from that in order to either install the backdoor, or, in another instance, we were able to find some cryptomining software as well. So we had both shellcode and cryptomining. So that loader would be matched with the WAV file. So those two both exist then on the endpoint. And when that loader is run, it's able to grab that WAV file again and extract that shellcode in the memory and then provide access back to the command-and-control server for, you know, additional nefarious activities.
Dave Bittner: [00:06:16] It would seem to me like the loader itself could be the thing that kind of gives away the game. A WAV file gets through unnoticed, but hey, what's this loader or what's this mysterious file here doing on my system that turns out to be the loader?
Eric Milam: [00:06:31] Sure, and potentially those are the ways where a lot of these get caught, right? So, the difference being that the loader is a portable executable – in this case, a WAV file is, as we talked about the research, a benign file that you would never expect to have any malicious intent behind it. So, when you look at things like the loader, there's different things associated with it – different characteristics. Obviously, if it's something that's never been seen before, unless you're using something like machine learning, you might not ever detect it.
Dave Bittner: [00:06:56] Hmm.
Eric Milam: [00:06:56] So, the way in which we look at files that could potentially be benign – if you think about a loader, a lot of times those are largely written to bypass any level of security. They're very kind of simplistic, in which they just go out and download or pull down additional information. In this case, the loader was simply meant to read another file. So there might not really be at first glance or first blush to any specific malicious intent or anything that might be found around that.
Eric Milam: [00:07:28] So what we tend to do in those types of situations within BlackBerry Cylance is we leverage a technical technique using machine learning that references centroids. It's a technical term around basically just really building a specific model for catching items. So we're able to do something like build a specific model around this loader, that even if potentially it's not deemed malicious, we're able to actually still find it, catch it, analyze it. And what that also allows us to do is – as these attackers evolve these techniques, change these loaders – if the variance isn't too great, we can continue to catch those as they even adjust and evolve.
Dave Bittner: [00:08:05] Now, do the two files typically show up on your system at the same time? Is there any attempt to put a time gap between the installation of the two, or does that not really matter in this case?
Eric Milam: [00:08:18] No, it doesn't necessarily matter in this case. The only thing that matters is – again, they're a matched pair, the loader and the running files, so they both have to be on the system for this to happen. You can't have one loader with a different WAV file. They're really dependent on each other. So, yeah, they tend to be downloaded simultaneously. We didn't experience anything, at least in what we're able to analyze, where, say, it was something that was UPX packed or packed in some way that then ended up on the system and was, you know, extracted for the two. The way we analyzed it pointed to the fact that there was probably some type of backdoor connection to the command-and-control server, and then those files were then downloaded simultaneously.
Dave Bittner: [00:08:57] I see. Now, the second category of loader was using an algorithm to hide some shellcode. What was going on with that one?
Eric Milam: [00:09:04] Mm-hmm. The attackers were using the Metasploit framework shellcode. And so, obviously, when you're using shellcode, the goal is to maintain a connection to keep your backdoor going, your command-and-control responses and execution. And so, this is how these attackers were able to stay on these systems for a really long time. I think the main thing, too, that I want to point out is, like, when you use something like a backdoor, you're obviously targeting. And when you couple that with something like hiding this within a WAV file – like, the main focus is trying to stay as hidden for as long as possible. So, we definitely believe that this is an adversary that is really looking to stay inside an environment, exfil as much data as they can, and continue to move throughout the environment.
Dave Bittner: [00:09:51] And then the third one was using an algorithm to hide some PE files.
Eric Milam: [00:09:54] Yeah. There was like a cryptominer that was being used – a Monero cryptominer – which, we had some conversations around this. It's easy to say that, OK, since it's a cryptominer, they're probably using this to just go do some mining, make some money, maybe they've exfil'd everything they need from a system, or maybe they've identified a system and they just want to make some easy cash. But the other side of that, too, is possibly that these attackers want to fire off red herrings in other areas of the organization, so that the focus ends up happening on that. So let's say they use something that's a cryptominer that might be more easily recognized or more easily caught or identified quickly. And let's say they're using that in a completely different part of the organization in which they're actually attacking and exfil-ing data. It's an attempt to move the attention of the SOC and other individuals to that and to addressing that. So, we're kind of torn between those two, but definitely interesting for sure.
Dave Bittner: [00:10:50] Yeah. Any patterns that you're seeing in terms of who this seems to be focused at, both in terms of groups and geographically?
Eric Milam: [00:10:56] We looked at that. They're definitely not targeting an individual. If they're going to spend the amount of time they did here to hide and obfuscate – again, using a WAV file, something that no one would ever think is malicious – they really put a lot of thought into this. They want to stay hidden as long as they could, which really means that they're targeting enterprises and organizations. We haven't seen a trend, at this point, as to specifically, you know, a vertical like health care or auto industry. But we're definitely keeping an eye on them to see, you know, where they end up going from here.
Dave Bittner: [00:11:28] And in terms of detection and protecting yourself against this, what are your recommendations there?
Eric Milam: [00:11:33] Since this payload is – you know, it's loaded into memory, so it's really only detectable in that space. You know, it's easy to understand or to analyze a system that's being cryptomined by some of the things that are happening on it – most easily, the CPU or GPU is maxed out for a consistent amount of time. But that's dealing with the symptoms of it. So, in order to really handle this specific attack, you'd have to have something that is looking in the memory space, understands what's going on in that memory space, is able to make a decision or determination or take preventative steps from analyzing what's going on in that memory space.
Dave Bittner: [00:12:11] It's really a fascinating dilemma in my mind in that, you know, you have these legacy files that have been around for decades – these legacy file formats. And I think we sort of categorize them in our minds as being completely benign, partly because they're sort of tried and true. Those of us in certain industries like podcasting, you know, we're slinging around WAV files all day long and not thinking twice about it. I wonder if it's time for a little bit of recalibration when it comes to how we think about these legacy files.
Eric Milam: [00:12:44] I mean, absolutely. Obviously, as time goes on, things get better, right? Things change. Again, like MP3 has been around also for a very long amount of time. You know, there's also AUG files. There's a whole bunch of different file formats that can be leveraged. And I definitely think that when we look at something that – you know, I hate to say it's so old, because I'm probably just as old as it...
Dave Bittner: [00:13:05] (Laughs)
Eric Milam: [00:13:05] ...But something that has been around, right? We don't think about security when it comes to these things because they're just, as you mentioned, a normal part of everyday, and haven't really been tied in the past to anything that would be malicious, right?
Dave Bittner: [00:13:18] Right.
Eric Milam: [00:13:20] So, I don't want to call it a wakeup call, but it's definitely something where you look at that and go, wow, yeah, maybe I should put up a little bit more – be a little bit more concerned around some of these, and just maybe use a little bit more operational security, per se, when handling these.
Dave Bittner: [00:13:36] Yeah, I mean, as you said at the outset, just that these file formats internally don't have the type of integrity checking that we've come to expect from modern file formats. And perhaps the very fact that they operate in that way means that they deserve a closer look or even, you know, maybe it's time to – I don't know, recommend that these formats maybe get retired for something a little more modern.
Eric Milam: [00:14:02] Yeah, I mean, I would agree one-hundred percent. I mean, it's not like we don't have anything better out there, right?
Dave Bittner: [00:14:06] Right.
Eric Milam: [00:14:06] I mean, getting rid of WAV files, I obviously...
Dave Bittner: [00:14:08] It's hard to imagine. Right? Yeah. (Laughs)
Eric Milam: [00:14:11] Yeah. I don't know, like, yeah, I don't know how widely they're still used and leveraged. You know, in my small world, it's all about compressed files, because I remember back in the days of copying DVDs and – or ripping the DVDs, and it was a WAV file, and it was like, ridiculously huge, right? For back then, obviously. And then when MP3s came out, you're like, wait, it's a tenth of the size? OK.
Dave Bittner: [00:14:36] Right, right.
Eric Milam: [00:14:38] I mean, that was back at least in the 90s. So, we're looking at twenty years. So, maybe it is time to just be like, hey, we're not going to leverage that anymore.
Dave Bittner: [00:14:46] The funny part of it is that, in the interim, file storage capacity has become so crazy...
Eric Milam: [00:14:54] Yeah.
Dave Bittner: [00:14:54] ...That it's sort of meaningless that a large WAV file – it's not really a barrier anymore.
Eric Milam: [00:15:01] Yeah, agreed.
Dave Bittner: [00:15:01] For professional audio production, I mean, WAV is, to this day, one of the industry standards because it's uncompressed, you know, and so ubiquitous. So, what an interesting thing to have to think about.
Eric Milam: [00:15:16] Yeah. I mean, this research really does beg the question of the things we thought were safe. Now we have to, you know, we do have to put kind of an eye to it. And the things maybe – you know, we always say, if you don't build something with security in it from the get go, it's hard to strap security onto it afterwards, right? And obviously, this would fall into that row, right? Now, I don't think anybody ever considered that. And again, it's still fairly new to see this, but that begs the question as to how long was maybe this going on before we actually identified it, right? Across, you know, across the globe, across the population.
Dave Bittner: [00:15:53] That's Eric Milam from BlackBerry Cylance. The research is titled, "Malicious Payloads - Hiding Beneath the WAV." We'll have a link in the show notes.
Dave Bittner: [00:16:02] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.
Dave Bittner: [00:16:11] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:16:20] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Juniper Networks challenges the status quo with products, solutions and services that transform the economics of networking. Our team co-innovates with our customers and partners to deliver automated, scalable and secure networks with agility, performance and value. Additional information can be found at Juniper Networks.
Enveil is revolutionizing data security by addressing a Data in Use vulnerability that people have been chasing for more than 20 years. Founded by U.S. Intelligence Community alumni, Enveil’s ZeroReveal™ solutions ensure data remains encrypted throughout the processing lifecycle. Learn more at www.enveil.com.