New Malware Hides Inside Audio Files

John Lister's picture

Most people know not to open an executable file or document attached to an email unless they were expecting it. But a new example of malware means even an audio file could trigger a payload.

Researchers at Blackberry Cylance Threat recently uncovered malicious code hidden inside WAV files. That's a computer format for audio that was common for music on PCs before MP3 became established.

The attackers are using a technique called steganography, which is a way to hide a file inside another file in a way that normally cannot be detected. Steganography has previously been used in image files, and has reportedly been used by Osama bin Laden to hide maps and instructions, which were then downloaded by his followers using the Internet.

Infopackets has discussed this topic as far back as 2003:

Changed Digits Hide Malware

Technically speaking, steganography is a simple concept that can be challenging to pull off in reality.

It appears in this case that the attackers were able to replace certain digits in each section of the audio file code with a digit of their choice. Combining these changed digits gives a sequence of code that makes up the malware.

The key is that the attackers deliberately choose the least important digits in the audio file code to change, meaning that it's not obvious that anything is amiss. At the most basic, the idea is to make sure the computer still reads it as an audio file. At best, somebody playing back the audio wouldn't spot anything amiss.

The researchers found that some files played back as normal-sounding audio. In others it just sounded like white noise.

Processors Could Be Hijacked

The code the researchers spotted fell into two categories.

First, some of the embedded malware was used as a CPU miner. That's where criminals remotely hijack a computer's processor to try to verify transactions of digital "cryptocurrencies" such as Bitcoin.

Whichever machine is able to verify a particular batch of transactions is rewarded with a unit of the currency, so hijacking multiple computers can be profitable for cyber criminals who are in control of hundreds of thousands of hijacked machines. Such a network of hijacked machines is referred to as a botnet, which is also often used for spamming.

Secondly, other code formed a "reverse shell" - a way for malware to collect and then pass on data from a computer to the attacker. An example of a reverse shell would be a remote access backdoor often used by Indian tech support scammers, as previously discussed in the review.

In both cases, the researchers said the malware itself resembled that used in other attacks. They weren't sure if this suggested it was the same people responsible or if the new attackers were trying to shift suspicion.

What's Your Opinion?

How do you decide whether to open email attachments? Would you be less suspicious of an audio file? Do you scan files with security software before opening them?



DavidInMississippi's picture

So how do we protect ourselves? If we right-click on a WAV file and select "Scan for Malware" from the context menu, will Windows Defender catch this?

Dennis Faas's picture

I believe whether or not it is exploitable depends on the program associated with the exploit. For example, Windows Media Player may play the sound file and execute the malicious code, whereas VLC may handle it differently and not allow the exploit to take place.

jamies's picture

Malware can be in any media that can contain data
indeed, consider the malware was probably created using a keyboard.

The major problem is not that malware exists, or can be hidden.
It is that some of the software running on people's systems is so badly designed and written that it will actually run code that is in files on the system.

Consider macro code scripts that can be in Office, and even command files that Windows runs
even .reg files that contain settings to be included in the system control files.

Sort of like you getting a letter that says - send all your money to the following person using Western Union.

You can just read the words on the letter, and then sensibly get on with doing something else.
You can read the words, and then gather your resources and do what you think the words indicate.
- The first option is what the OS and associated code as well as installed drivers and apps should do, with the anti-malware checkers reporting the finding of that code - even though with well designed and written code the bad instructions should NOT be performed.
- The second option seems to be what some of the Microsoft Windows, and associated code, drivers etc. will do.

As in who has installed additional apps to process .wav files, when the Windows OS you paid for has a facility built into it to do that.

This sort of malware approach should NOT be usable if the programs on the PC (tablet, phone etc) have been created with appropriate concern for the financial and lifestyle safety of customer/user who is paying for the facility.

That goes along with the recent proliferation of web pages with:
Advertisements that push down entries below the ad so moving the advertisement site/page selection area to where the "Next" or "close" selection area was initially shown.
And the idea that images should always be re-downloaded every time you open up a page that would show that image

Remember that any page you open on a device can be a link to malware, and the current page handling software seems designed to allow the page selected to run code on your system.

That design meaning that there is more work for the malware management software to do, and consequently more need for a device owner to pay for such software, either as an additional facility, or as part of the operating system environment.

That's why YOU should ALWAYS update to the latest versions of the OS, and software.
If you just ran safe software, then there would be none of the 'urgency' to get the latest anti-malware software.

Then, while that is a good concept, where are you going to get safe software, and not have it altered by the supplier introducing new features with new opportunities for malware code to be executed (as in run, rather than killed on the spot).

rohnski's picture

computers is stupid peoples ...
You tell them to jump off a cliff, it's bombs away.

So yes, while malware is like instructions embedded in a letter, the embedding is hidden.

While a reasonable person reading a letter that includes instructions to send their bank account information to a scammer in Russia will ignore those instructions, scammers are making BILLIONS of dollars a year making exactly that request on computers.

Steganography is like changing the last letter of every word (just for discussion's sake, let's say every word over 5 or 6 characters long). The malware knows to pick up just those characters to re-assemble its full instructions. The "average" reader will be able to reasonably guess meaning of the words, just assuming the writer is a moron, or a bad typist. i.e.
<snip >
Tehse wrods may look lkie nosnesne, but yuo can raed tehm, cna't yuo?

In computer steganography, changing the last "bit" of a color or sound "byte" will make a trivial change on playback. The computer won't even know that the color or sound has been changed, and the 'AVERAGE' viewer is also not going to be able to tell the difference.

In the computer, "discretion" to identify invalid "malware" instructions is provided by anti-malware programs like Defender in Win 10. The anti-malware program has to be told how to identify all of the various types of malware. Trying to identify audio or image steganography is VERY difficult unless there is some sort of "flag" or "signature" embedded in the infected file that the malware uses to identify files with embedded instructions. Or if the steganography is applied "sloppily", so that it affects significant parts of the file that it should not have touched.
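
Added example, not part of the original article or comments and not the researchers' code: the "changed digits" the article describes, and the last-bit change and "signature" check described in the comment above, sketched in Python. It assumes 16-bit PCM audio with one hidden bit in the lowest bit of each sample, starting at the first sample, high bit first; the function names, the sawtooth samples and the marker are made up for the illustration.

```python
import io
import struct
import wave

def make_wav(samples):
    """Pack 16-bit mono samples into an in-memory WAV (builds the constructed input)."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(struct.pack(f"<{len(samples)}h", *samples))
    return buf.getvalue()

def read_samples(wav_bytes):
    """Return the 16-bit PCM samples of a WAV file as signed integers."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("this example handles 16-bit PCM only")
        raw = w.readframes(w.getnframes())
    return list(struct.unpack(f"<{len(raw) // 2}h", raw))

def set_lsbs(samples, data):
    """Overwrite the lowest bit of successive samples with the bits of data, high bit first."""
    bits = [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]
    if len(bits) > len(samples):
        raise ValueError("not enough samples to carry the data")
    return [(s & ~1) | b for s, b in zip(samples, bits)] + samples[len(bits):]

def lsb_bytes(samples, count):
    """Reassemble `count` bytes from the lowest bit of the first count*8 samples."""
    out = bytearray()
    for start in range(0, count * 8, 8):
        value = 0
        for s in samples[start:start + 8]:
            value = (value << 1) | (s & 1)
        out.append(value)
    return bytes(out)

def low_bits_look_executable(wav_bytes):
    """Signature check: do the reassembled low bits start with the Windows 'MZ' header?"""
    samples = read_samples(wav_bytes)
    return len(samples) >= 16 and lsb_bytes(samples, 2) == b"MZ"

# Constructed input: a sawtooth "tone" and a harmless marker, not a real sample or payload.
CLEAN = [(n * 37) % 2000 - 1000 for n in range(400)]
MARKER = b"MZ-constructed-marker"
STEGO = set_lsbs(CLEAN, MARKER)
MAX_CHANGE = max(abs(a - b) for a, b in zip(CLEAN, STEGO))  # no sample moves by more than 1
```

A hit from this check is only a reason to look closer, and a miss proves nothing, because a different bit order, starting offset or an encrypted payload would not show the marker.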