Incident Response: How can malware use the WAV format to deploy a malicious payload?
Attacker groups today use increasingly advanced techniques to go unnoticed by the detection mechanisms deployed by their targets. Some of these attacks rely on steganography to try to conceal malicious assets.
For example, we observed the use of WAV files. These files, originally intended to hold audio data, can be used to carry and execute malware. The Symantec article [1] on Waterbug mentions this technique.
During an incident response, we observed the use of this type of file. The attackers were using a binary named "Tasklistw.exe" which took a WAV file as a parameter; that file contained code to execute Meterpreter. The method used by this binary was very similar to the one described in Cylance's article [2].
Analysis
We will review how the malicious binary retrieved the malicious content from the WAV file.
The first 44 bytes of a WAV file make up its header [3]. Offset 40 holds the size of the DATA section, in which the malicious payload is stored. The DATA section itself is located immediately after the header, at offset 44.
Analysis shows that the malware (Tasklistw.exe) first retrieves the size of the DATA section of the WAV file passed as a parameter, and then reads that section using the ReadFile function.
The main difference from the elements identified by Cylance lies in the extraction:
[Figure: https://www.intrinsec.com/wp-content/uploads/2020/04/fig2-turla.png]
The srand function is then called with the seed 0x309. Next, for each byte, the binary computes the difference between the original value and the return value of the rand function, modulo 256:
[Figure: https://www.intrinsec.com/wp-content/uploads/2020/04/fig3-turla.png]
Thanks to these elements it was possible to develop an extractor in Python [4].
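As an added illustration (not the extractor published in [4]), the decoding described above written out in Python: it validates the RIFF/WAVE header, checks the declared DATA size against the file, and reverses the per-byte subtraction. It assumes the binary was linked against the Microsoft CRT, whose rand() is the 214013/2531011 LCG; the sample WAV used for testing is constructed here.

```python
import struct

WAV_HEADER_LEN = 44    # canonical RIFF/WAVE header; DATA section starts at offset 44
DATA_SIZE_OFFSET = 40  # uint32 little-endian size of the DATA section
SEED = 0x309           # seed passed to srand() by the sample described above


def msvc_rand(seed):
    """Generator reproducing the Microsoft CRT rand() (assumption: the sample
    used this implementation). state = state*214013 + 2531011, output = bits 16..30."""
    state = seed & 0xFFFFFFFF
    while True:
        state = (state * 214013 + 2531011) & 0xFFFFFFFF
        yield (state >> 16) & 0x7FFF


def extract_payload(wav, seed=SEED):
    """Return the decoded payload from the DATA section, or None if the file is
    not a WAV or the declared DATA size does not match the bytes present."""
    if len(wav) < WAV_HEADER_LEN or wav[:4] != b"RIFF" or wav[8:12] != b"WAVE":
        return None
    size = struct.unpack_from("<I", wav, DATA_SIZE_OFFSET)[0]
    data = wav[WAV_HEADER_LEN:WAV_HEADER_LEN + size]
    if len(data) != size:
        return None  # truncated file, or a header that does not describe this sample
    rng = msvc_rand(seed)
    # Undo the encoding: each stored byte is (original - rand()) mod 256.
    return bytes((b + next(rng)) & 0xFF for b in data)


def looks_like_pe(blob):
    """Quick triage check on the decoded data: a PE image starts with 'MZ'."""
    return blob[:2] == b"MZ"


def build_sample_wav(payload, seed=SEED):
    """Constructed test fixture only: wrap a payload in a minimal 8 kHz mono PCM
    WAV, applying the sample's per-byte subtraction so extract_payload() can undo it."""
    rng = msvc_rand(seed)
    data = bytes((b - next(rng)) & 0xFF for b in payload)
    header = b"RIFF" + struct.pack("<I", 36 + len(data)) + b"WAVE"
    header += b"fmt " + struct.pack("<IHHIIHH", 16, 1, 1, 8000, 8000, 1, 8)
    header += b"data" + struct.pack("<I", len(data))
    return header + data
```

Run against a real sample, the extraction fails closed (returns None) when the DATA size field does not match the file, which is the first thing to check before suspecting a different seed or CRT.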
[Figure: https://www.intrinsec.com/wp-content/uploads/2020/04/fig4-t.png]
As mentioned previously, the main difference from what Cylance had already observed is the offset between the different bytes composing the binary in the DATA section of the WAV file. The Yara rule can therefore be taken and modified as follows [5]:
[Figure: https://www.intrinsec.com/wp-content/uploads/2020/04/6-turla.png]
However, this rule does not follow good performance practices, because it contains too much randomness.
References
[1] https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments
[2] https://threatvector.cylance.com/en_us/home/malicious-payloads-hiding-beneath-the-wav.html
[3] https://github.com/corkami/pics/blob/master/binary/wav101/wav101.pdf
[4] https://github.com/Intrinsec/CERT/tree/master/Scripts/turla_wav_extractor
[5] https://github.com/Intrinsec/CERT/blob/master/Signatures/yara/turla_wav.yara
