Malicious WAV files can be used to deliver malware and cryptominers

Cryptocurrency
(Image credit: Shutterstock)

Security researchers have discovered a malware campaign that uses seemingly innocent audio files to deliver malicious code and cryptocurrency miners. WAV files with the malware hidden in them using steganography played as normal, giving no indication that there was anything wrong with them.

The malware-riddled files are sent out to victims via email, and once played will install and run a mining tool for the Monero cryptocurrency. In other cases, Metasploit code was used to open up a computer to remote attack.

Researchers Anuj Soni, Jordan Barth and Brian Marks from BlackBerry Cylance are the trio who made the discovery. "Each WAV file was coupled with a loader component for decoding and executing malicious content secretly woven throughout the file's audio data," they explained. "When played, some of the WAV files produced music that had no discernible quality issues or glitches. Others simply generated static (white noise).

"Our analysis reveals some of the WAV files contain code associated with the XMRig Monero CPU miner. Others included Metasploit code used to establish a reverse shell. Both payloads were discovered in the same environment, suggesting a two-pronged campaign to deploy malware for financial gain and establish remote access within the victim network".

Hiding in the music

The encoding and obfuscations used to encode the malware into the audio files makes it very difficult to detect. While the examples discovered by BlackBerry Cylance researchers made use of audio files, they warn that the same techniques could be used to hide malware in any type of file.

A detailed write-up of how the attack works can be found on the Threat Vector website.

Sofia Elizabella Wyciślik-Wilson
Freelance writer

Sofia is a tech journalist who's been writing about software, hardware and the web for nearly 25 years – but still looks as youthful as ever! After years writing for magazines, her life moved online and remains fueled by technology, music and nature.


Having written for websites and magazines since 2000, producing a wide range of reviews, guides, tutorials, brochures, newsletters and more, she continues to write for diverse audiences, from computing newbies to advanced users and business clients. Always willing to try something new, she loves sharing new discoveries with others.


Sofia lives and breathes Windows, Android, iOS, macOS and just about anything with a power button, but her particular areas of interest include security, tweaking and privacy. Her other loves include walking, music, her two Malamutes and, of course, her wife and daughter.


You can find her on Twitter and Mastodon.