Security researchers at Cylance have documented a new obfuscation technique used to deliver crypto-mining malware: the mining payload is hidden inside WAV audio files. The files download without corruption and play normally, but their sample data conceals malware that, once decoded and run, hijacks the victim's computing resources.
Sophisticated Attack Techniques
Attackers are using increasingly sophisticated methods to gain a foothold on users' systems and make unauthorized use of their resources. Cylance researchers have now found malware strains carried inside WAV audio files. The files play without issues on a system, although some of them produce audible static, because the hidden data slightly alters the audio samples. Once the accompanying loader runs on a victim machine, it decodes the embedded XMRig Monero CPU miner from the audio data and executes it.
The samples come with loader code that decodes and executes the hidden payload, in some cases using Least Significant Bit (LSB) steganography, where each audio sample contributes its lowest bit to the payload. Because a change of one LSB is inaudible and leaves the file a valid WAV, the carrier looks benign to a scanner that only checks the file format. The same idea of shipping a payload inside an innocuous container is at work in a separate trend: abuse of Docker, a container platform that packages software together with its dependencies for OS-level virtualization.
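The following is an added example, written for this page and not Cylance's tooling or the malware's own decoder. It shows the LSB technique end to end on a constructed 16-bit PCM tone: a constructed stand-in payload (an "MZ" magic plus filler text, not an executable) is hidden in the lowest bit of consecutive samples, the result is shown to differ from the original by at most one amplitude step, the payload is recovered, and a simple detection heuristic inspects the LSB plane for an executable header. The length-header layout and the function names are assumptions of this example.

```python
"""LSB steganography in 16-bit PCM WAV, with a simple detection check.

Added example, not Cylance's tooling. The carrier is a constructed tone and the
payload is a constructed stand-in for the miner; no real executable is involved.
"""
import io
import math
import struct
import wave


def make_tone_wav(num_frames=4000, sample_rate=8000, freq=440.0):
    """Constructed carrier: a 16-bit mono PCM sine tone, returned as WAV bytes."""
    pcm = b"".join(
        struct.pack("<h", int(12000 * math.sin(2 * math.pi * freq * i / sample_rate)))
        for i in range(num_frames)
    )
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(sample_rate)
        w.writeframes(pcm)
    return buf.getvalue()


def _read_samples(wav_bytes):
    """Return (wave params, list of signed 16-bit samples). 16-bit PCM only."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        params = w.getparams()
        raw = w.readframes(w.getnframes())
    if params.sampwidth != 2:
        raise ValueError("example handles 16-bit PCM only")
    return params, list(struct.unpack("<%dh" % (len(raw) // 2), raw))


def _write_samples(params, samples):
    """Write samples back out with the carrier's original header parameters."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams(params)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def embed_lsb(wav_bytes, payload):
    """Hide payload in the least significant bit of consecutive samples.
    Assumed layout: 4-byte big-endian length, then payload bytes, MSB first."""
    params, samples = _read_samples(wav_bytes)
    data = struct.pack(">I", len(payload)) + payload
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("payload needs %d samples, carrier has %d" % (len(bits), len(samples)))
    for i, bit in enumerate(bits):
        samples[i] = (samples[i] & ~1) | bit  # amplitude moves by at most one step
    return _write_samples(params, samples)


def lsb_plane(wav_bytes):
    """Pack the LSB of every sample into bytes: what a decoder or scanner sees."""
    _, samples = _read_samples(wav_bytes)
    out = bytearray()
    for i in range(0, len(samples) - 7, 8):
        v = 0
        for s in samples[i:i + 8]:
            v = (v << 1) | (s & 1)
        out.append(v)
    return bytes(out)


def extract_lsb(wav_bytes):
    """Inverse of embed_lsb; rejects a length header the carrier cannot hold."""
    plane = lsb_plane(wav_bytes)
    length = struct.unpack(">I", plane[:4])[0]
    if 4 + length > len(plane):
        raise ValueError("length header exceeds carrier capacity; not our layout")
    return plane[4:4 + length]


def max_sample_delta(wav_a, wav_b):
    """Largest per-sample difference between two carriers of equal length."""
    _, a = _read_samples(wav_a)
    _, b = _read_samples(wav_b)
    return max(abs(x - y) for x, y in zip(a, b))


def find_pe_magic(wav_bytes, window=64):
    """Detection heuristic: look for an MZ header near the start of the LSB plane.
    Returns the offset or -1. A real pipeline would feed the plane to YARA or AV."""
    return lsb_plane(wav_bytes)[:window].find(b"MZ")


if __name__ == "__main__":
    carrier = make_tone_wav()
    # Constructed stand-in: MZ magic plus filler, NOT a real executable.
    payload = b"MZ" + b"\x90" * 6 + b"stand-in for the embedded miner"
    stego = embed_lsb(carrier, payload)
    print("samples changed by at most", max_sample_delta(carrier, stego))
    print("recovered:", extract_lsb(stego))
    print("MZ magic at LSB-plane offset", find_pe_magic(stego))
```

The point for defenders is in `lsb_plane` and `find_pe_magic`: the WAV itself is well formed and a format-aware scanner sees nothing wrong, so detection has to either extract the bit plane and scan that, or, more robustly, watch for the loader that performs the extraction and for the miner's behaviour once it runs. The magic-byte check is only a heuristic; a real payload may be encrypted or split across a different bit layout, as the loader's decoder dictates.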
Docker and Containers Commonly Used in Hacks
Docker packages an application together with its own set of libraries and configuration files into a container that is isolated from other containers. Containers are a lighter-weight form of virtualization than a full virtual machine, because they share the host's kernel rather than booting their own. That same packaging gives attackers an extra layer to hide behind: a malicious program can be shipped inside a container image without altering the files on the host that a traditional endpoint antivirus inspects, which makes the malware much harder for such tools to detect.
Recently, Palo Alto Networks researchers detected a crypto-jacking worm that used Docker images in a similar way to deploy its mining payload on exposed hosts. The malware spreads easily because security tools have difficulty inspecting what runs inside Docker containers. The worm is known to scan for further hosts autonomously, choosing new targets at random from lists supplied by its command-and-control servers.