<h1>Incident Response: How can malware use the WAV format to deploy a malicious payload?</h1>
<p>INTRINSEC CERT, by Tiago Jesus Da Conceiao, published 2020-04-22. Source: https://www.intrinsec.com/en/malware-wav/</p>
<p>Attacker groups today use increasingly advanced techniques in order to <strong>go unnoticed by the detection mechanisms</strong> used by their targets. Some of these attacks use <strong>steganography</strong> to try to <strong>conceal malicious assets</strong>.</p>
<p>For example, we observed <strong>the use of WAV files</strong>. These files, originally intended to contain audio data, can be used to execute malware. The Symantec article [1] on Waterbug mentions this technique.</p>
<p>During an incident response, we observed the use of this type of file. The attackers were using a binary named "Tasklistw.exe" which took a WAV file as a parameter, containing code to execute Meterpreter. The method used by this binary was very similar to that described in Cylance's article [2].</p>
<h2>Analysis</h2>
<p>We will review <strong>how the malicious binary retrieved the malicious content from the WAV file.</strong></p>
<p>First, the first 44 bytes of a WAV file contain its header [3]. Offset 40 holds the size of the DATA section, in which the malicious payload is stored. The DATA section itself is located immediately after the header, at offset 44.</p>
<p>Analysis shows that the malware (Tasklistw.exe) first retrieves the size of the DATA section of the WAV file passed as a parameter and then extracts it using the ReadFile function:</p>
<p>The main difference with the elements identified by Cylance lies in the extraction:</p>
<p>[Figure: https://www.intrinsec.com/wp-content/uploads/2020/04/fig2-turla.png]</p>
<p>The srand function is then called with the seed 0x309. Then, for each byte, the binary calculates the difference between the original value and the return value of the rand function modulo 256:</p>
<p>[Figure: https://www.intrinsec.com/wp-content/uploads/2020/04/fig3-turla.png]</p>
<p>Thanks to these elements it was possible to develop an extractor in Python [4].</p>
<p>[Figure: https://www.intrinsec.com/wp-content/uploads/2020/04/fig4-t.png]</p>
<p>As mentioned previously, the main difference from what Cylance has already observed is the offset between the different bytes composing the binary in the DATA section of the WAV file. It is then possible to take the Yara rule and modify it as follows [5]:</p>
<p>[Figure: https://www.intrinsec.com/wp-content/uploads/2020/04/6-turla.png]</p>
<p>However, this rule does not follow good performance practices, because it involves too much randomness.</p>
<h2>References</h2>
<p>[1] <a href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments">https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments</a></p>
<p>[2] <a href="https://threatvector.cylance.com/en_us/home/malicious-payloads-hiding-beneath-the-wav.html">https://threatvector.cylance.com/en_us/home/malicious-payloads-hiding-beneath-the-wav.html</a></p>
<p>[3] <a href="https://github.com/corkami/pics/blob/master/binary/wav101/wav101.pdf">https://github.com/corkami/pics/blob/master/binary/wav101/wav101.pdf</a></p>
<p>[4] <a href="https://github.com/Intrinsec/CERT/tree/master/Scripts/turla_wav_extractor">https://github.com/Intrinsec/CERT/tree/master/Scripts/turla_wav_extractor</a></p>
<p>[5] <a href="https://github.com/Intrinsec/CERT/blob/master/Signatures/yara/turla_wav.yara">https://github.com/Intrinsec/CERT/blob/master/Signatures/yara/turla_wav.yara</a></p>