Hackers are Embedding Crypto Mining Malware in Music Files

  • Cybersecurity researchers have found malware that’s embedded in WAV music files.
  • The Coinhive demise did not stop the spread of cryptojacking attacks.
  • Hackers are coming up with more sophisticated cryptomining attack vectors.

Hackers are using advanced obfuscation techniques to embed malware in music files. According to Cylance, strains of malware have been found embedded in WAV audio files. They appear uncorrupted and play just fine, although some generate static noise.

Once the files are downloaded or opened, malicious code containing the XMRig Monero CPU miner is executed. The malware is reported to consist of two main components: Least Significant Bit (LSB) steganography code, and decoders that execute the worm.

Docker is a set of platform-as-a-service (PaaS) products that use OS-level virtualization to deliver software in packages called containers. Containers are isolated from one another and bundle their own software, libraries and configuration files; they can communicate with each other through well-defined channels. All containers are run by a single operating-system kernel and are thus more lightweight than virtual machines.

The extra layer of encryption enables malware to be embedded in any file without the attacker having to compromise its structural components. This makes detection extremely hard.
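The LSB hiding described above can be triaged with a simple heuristic: pull the least significant bit of every sample out of the WAV and measure how random that bit plane is. The following is an added example, not code from the article or from Cylance; it handles 16-bit PCM WAV only, and its sample data is a constructed 440 Hz tone whose LSB plane is optionally overwritten with seeded random bits to stand in for an encrypted payload.

```python
import io
import math
import random
import struct
import wave
from collections import Counter


def lsb_plane(wav_bytes: bytes) -> bytes:
    """Parse 16-bit PCM WAV data and pack the LSB of every sample, MSB-first, into bytes."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("only 16-bit PCM is handled in this example")
        frames = w.readframes(w.getnframes())
    n = len(frames) // 2
    samples = struct.unpack("<%dh" % n, frames[: 2 * n])
    nbytes = len(samples) // 8
    bits = "".join("1" if s & 1 else "0" for s in samples[: nbytes * 8])
    return int(bits, 2).to_bytes(nbytes, "big") if nbytes else b""


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 means the LSB plane looks like ciphertext."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def looks_like_lsb_payload(wav_bytes: bytes, threshold: float = 7.0) -> bool:
    """Triage heuristic: a near-random LSB plane in tonal audio is suspicious. Real recordings
    carry some LSB noise, so a hit is a reason to carve and inspect the plane, not proof."""
    return shannon_entropy(lsb_plane(wav_bytes)) >= threshold


def make_tone_wav(seed=None, n: int = 16000) -> bytes:
    """Constructed sample: a 440 Hz tone at 8 kHz. With a seed, each sample's LSB is replaced
    by a random bit, standing in for a WAV whose LSB plane carries an encrypted payload."""
    rng = random.Random(seed)
    samples = []
    for i in range(n):
        s = int(12000 * math.sin(2 * math.pi * 440 * i / 8000))
        if seed is not None:
            s = (s & ~1) | rng.getrandbits(1)  # clear bit 0, then set it from the stream
        samples.append(s)
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(struct.pack("<%dh" % n, *samples))
    return buf.getvalue()
```

On a real sample, write `lsb_plane(data)` to disk and examine it with a file-type tool; a recognisable header or a high-entropy blob where the audio itself is clean is what a responder is looking for.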

The news comes in the wake of another cryptojacking worm discovery by the Palo Alto Networks group. It exploits the platform-as-a-service (PaaS) solution that’s used by software developers to test and deploy applications on both Windows and Linux platforms.

Docker allows apps to run in a virtual environment separate from other Windows applications, letting developers run applications on shared system resources. Many of the infected files were found in the Docker Community library. Some had been downloaded as many as 16,000 times. They have since been removed.

Endpoint security systems rarely inspect container applications such as Docker for malicious code, which allows the malware to spread. According to the Unit 42 report, the virus autonomously continues to scan networks for vulnerabilities after it is deployed, infecting random hosts while staying in contact with its command server.

Many of the discovered infected Docker images retained their functionality but featured a backdoor that allowed the infiltration of infected machines.

The Cryptojacking Menace is Evolving

Cryptojacking attacks spiked in 2017 in tandem with the crypto mining fever. The rise of bitcoin prices led to an escalation in market capitalization, which subsequently led to the popularity of privacy-centric coins such as Monero. The development of mining codes such as Coinhive, which allowed webmasters to harness visitor CPU power, contributed greatly to the rise of cryptojacking attacks.

Monero (/məˈnɛroʊ/; XMR) is an open-source cryptocurrency created in April 2014 that focuses on fungibility, privacy and decentralization. The privacy afforded by Monero has attracted use by people interested in evading law enforcement during events such as the WannaCry Ransomware Attack, or on the dark web buying illegal substances.

As of March 2018, cryptojacking attacks were a leading security issue. Coinhive closed its doors in March this year, causing the number of reported incidents to drop momentarily. Fast forward to the present and researchers are stumbling upon more advanced mining code that utilizes native system processes such as PowerShell to avoid detection.

McAfee’s August cybersecurity report proclaimed a 29 percent increase in cryptojacking attacks during the first quarter of this year. Among the most common cryptojacking miners was PsMiner, a type of malware that attacks servers running applications like Hadoop, Redis, SqlServer, ElasticSearch, ThinkPHP, Spring, and Weblogic.

The document also highlighted the capabilities of a new multi-purpose family of miners such as CookieMiner. This new strain of cryptojackers can also be used to steal credentials, including passwords, when users access crypto platforms such as Bitstamp, Binance, Bittrex, Coinbase, and MyEtherWallet via infected systems. CookieMiner apparently achieves this through Empyre backdoor integration.

Crypto Destroyer
