SANS ISC: Video: Stego & Cryptominers - SANS Internet Storm Center SANS ISC InfoSec Forums

Video: Stego & Cryptominers

A couple of months ago, I read a blog post about malware, cryptominers and WAV file steganography: malware authors are concealing cryptominers in sound files (WAV) using steganography. Each bit of the cryptominer executable is stored as the least-significant bit of each Pulse Code Modulation value (16-bit values in this example).

Here is the start of a WAV file embedding a cryptominer executable via steganography:

The byte values highlighted in red (and those following) are signed 16-bit, little-endian values that encode PCM samples. The least-significant bit of each 16-bit sample encodes a single bit of the cryptominer executable.

When only the least-significant bit is changed, the PCM sample differs from the original value by at most 1, and this change is not perceptible to the human ear when the sound file is played.

I adapted my program to be able to extract bit streams from arbitrary data.

In this video, I show step-by-step how to extract the embedded executable (PE file) from the WAV file. The command I use in the video is:

./ -d -f "bitstream=f:<h,b:0,j:<" "#c#['data']+8:" DB043392816146BBE6E9F3FE669459FEA52A82A77A033C86FD5BC2F4569839C9.wav.vir | ./ -l P
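To make the extraction concrete, here is an added Python example (not the author's tool and not code from the diary) that does the same work as the command above: locate the 'data' chunk of the WAV, skip its 8-byte chunk header, read the signed 16-bit little-endian samples, take bit 0 of each, join eight bits per byte little-endian, and check whether the decoded stream starts with the 'MZ' magic of a PE file. The WAV, the carrier samples and the "MZ" payload are all constructed in the script so it runs offline; the function names and the mono 16-bit layout are my assumptions.

```python
import struct
from typing import List, Optional

# Constructed carrier: 400 deterministic 16-bit samples in the range -1000..999.
# Their LSBs alternate 0,1,0,1,... so a clean carrier decodes to 0xAA bytes, never to "MZ".
CARRIER: List[int] = [(i * 37) % 2000 - 1000 for i in range(400)]

# Constructed stand-in payload: the PE magic "MZ" followed by filler bytes.
# It is not the cryptominer from the diary, just something recognisable to carve out.
SAMPLE_PAYLOAD = b"MZ" + bytes(range(0x90, 0x90 + 30))


def find_chunk(wav: bytes, tag: bytes) -> Optional[int]:
    """Offset of the first RIFF chunk whose 4-byte tag matches, or None."""
    if wav[:4] != b"RIFF" or wav[8:12] != b"WAVE":
        return None
    pos = 12
    while pos + 8 <= len(wav):
        if wav[pos:pos + 4] == tag:
            return pos
        size = struct.unpack_from("<I", wav, pos + 4)[0]
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to an even length
    return None


def extract_lsb_stream(pcm: bytes, sample_format: str = "<h", bit: int = 0) -> bytes:
    """Take bit `bit` of every sample and join 8 bits per byte, first sample bit as the
    byte's LSB (mirrors the diary's 'f:<h,b:0,j:<': signed 16-bit LE, bit 0, LE join)."""
    size = struct.calcsize(sample_format)
    usable = len(pcm) - len(pcm) % size  # iter_unpack needs a whole number of samples
    out = bytearray()
    current = 0
    for i, (value,) in enumerate(struct.iter_unpack(sample_format, pcm[:usable])):
        current |= ((value >> bit) & 1) << (i % 8)
        if i % 8 == 7:
            out.append(current)
            current = 0
    return bytes(out)


def carve_payload(wav: bytes) -> Optional[bytes]:
    """Equivalent of the diary's cut expression "#c#['data']+8:": start 8 bytes past the
    'data' tag (skipping tag and size) and LSB-decode the samples that follow."""
    off = find_chunk(wav, b"data")
    if off is None:
        return None
    size = struct.unpack_from("<I", wav, off + 4)[0]
    return extract_lsb_stream(wav[off + 8: off + 8 + size])


def looks_like_pe(blob: bytes) -> bool:
    """Cheap triage check: a decoded stream starting with 'MZ' deserves a full PE parse."""
    return blob[:2] == b"MZ"


def embed_lsb(samples: List[int], payload: bytes) -> List[int]:
    """Hide payload bits (LSB-first per byte) in the LSB of successive samples.
    Used here only to construct the test WAV."""
    bits = [(b >> k) & 1 for b in payload for k in range(8)]
    if len(bits) > len(samples):
        raise ValueError("carrier too short for payload")
    out = list(samples)
    for i, b in enumerate(bits):
        out[i] = (out[i] & ~1) | b  # works for negative samples too (two's complement)
    return out


def build_wav(samples: List[int]) -> bytes:
    """Minimal mono 16-bit PCM WAV: RIFF header, 'fmt ' chunk, 'data' chunk."""
    pcm = struct.pack("<%dh" % len(samples), *samples)
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)  # PCM, mono, 8 kHz, 16-bit
    body = (b"WAVE"
            + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(pcm)) + pcm)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def max_sample_delta(a: List[int], b: List[int]) -> int:
    """Largest per-sample change the embedding introduced (expected: at most 1)."""
    return max(abs(x - y) for x, y in zip(a, b))


STEGO_WAV = build_wav(embed_lsb(CARRIER, SAMPLE_PAYLOAD))
CLEAN_WAV = build_wav(CARRIER)

if __name__ == "__main__":
    carved = carve_payload(STEGO_WAV)
    print("PE magic found:", looks_like_pe(carved))
    print("payload recovered:", carved[:len(SAMPLE_PAYLOAD)] == SAMPLE_PAYLOAD)
    print("max PCM change:", max_sample_delta(CARRIER, embed_lsb(CARRIER, SAMPLE_PAYLOAD)))
```

Running the script decodes the payload back out of the stego WAV and shows that the embedding moved no sample by more than 1, which is why the audio still sounds unchanged. On a real sample you would feed the file bytes to `carve_payload` and, if `looks_like_pe` fires, hand the decoded stream to a PE parser; the LSB decoder alone is not proof of steganography, since any carrier yields some byte stream, so the 'MZ' check (or another format signature) is what turns the decode into a detection.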


Didier Stevens
Senior handler
Microsoft MVP

Feb 2nd 2020