Malware hackers using steganography in WAV audio files to hide malicious code


That sounds awful.


Holy shit, a nam-shub of crypto!


As I understand it, it is still at least a two pill poison. The WAV files are being used to send information to an already existent software that is decoding the information from the WAV files. The article doesn’t say the WAV files are exfiltrating data, but the software is “run-of-the-mill crypto-mining malware operation” and that would require that data leave the host’s computer. At least one of the programs is a Windows executable.

Sources: See- Symantec on Water Bug - software noted in article. Found via a link in an article with original source attribution on
See also: Threat Vector @, notes it is a Windows executable.
Links found via Google and The linked ZDnet article does have lots of advertisements! For whatever reason when I clicked on the article the hyperlinks didn’t work, hence the links above, plus I think they should be noted in the BoingBoing original article.

Related and from my memory:

Ages ago there was an explosion of media playing applications that played proprietary formats supposedly for improvements to quality, control of data and (copyright/DRM), or just stupidity. Those formats were often just audio wrappers like AVI but way more irritating. These containers were often just renamed clones of others, often with bits of data preventing them from being used in non-authorised players. The thing was, the players and the containers could, and sometimes did, contain malicious data and people often installed them and gave them the keys to the kingdom to watch a video or play some music. If you took these containers apart one could find the native media files along with other poop, all not necessary for the files to be decoded, as the files themselves already had known extensions that noted the handedness and other data needed to decode and play the format.


This is the part that needs repeating.

Otherwise, the news will be running “OMG is your music collection selling you out to internet gangsters?” stories and making people afraid of music and not their initial compromise.


Thank you for quoting me. I don’t post links because I like pedantry, especially in this case. With just a little reading the author could have explained how the WAV files were being used. The author then could have listed the ZDnet article as their jumping off point, but then also linked to the original sources, something BoingBoing seems to endorse and want others to do.

This technique could also be a boon for getting information to those who may have traditional communication channels blocked. Steganalysis is difficult. There can be multiple information layers within the medium that is being interleaved. It could be used to get information to people who have had their information blocked via normal channels. Even hidden in open air via pirate digital radio or live streamed, all that is needed is somebody to make software to encode and decode the messages and a way to get the software to those in need. That is all hypothetical - for now.


It’s very cool but not exactly new - Aphex Twin hid images in tracks back in the early 2000’s
see for some examples. The interesting bit is if they can get the malware to trigger something from the audio - if they’re just using it as a transport mechanism it’s interesting certainly but not new - you won’t get affected from listening to something - you’d have to already be compromised


On the plus side, it has a great beat and it’s easy to dance to.


so we’re not talking about toxic viral audio files that can b0rk your comput0rz if you listen to them

it’s just a really inefficient way to move code around


The article didn’t make mention of the technical specifications of the steganography. For example, were the attackers hiding the data in the unused bits of the WAV? Or was it a simple binary cat?

I remember back in the early 2000s, people would hide data in JPG by just catting it to the end of the file. If you opened the JPG in a web browser, or even an image editing software, you’d just see the expected image with no corruption.
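
Added example, not part of the post above or of the linked article: a defender-side check for the "cat it to the end" case the post describes, for both WAV and JPG. It compares the file length with where the container itself says it ends; it does not detect data hidden in sample bits. The function names and sample inputs are constructed for illustration.

```python
import struct

def wav_trailing_bytes(data: bytes) -> int:
    """Count bytes that follow the RIFF container's own declared end."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    (riff_size,) = struct.unpack_from("<I", data, 4)  # size of everything after byte 8
    return max(0, len(data) - (8 + riff_size))

def jpeg_trailing_bytes(data: bytes) -> int:
    """Count bytes after the end-of-image marker (FF D9).

    Assumes a single-scan (baseline) JPEG; progressive files need a fuller parser.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while True:  # walk length-prefixed header segments until start-of-scan
        if pos + 4 > len(data) or data[pos] != 0xFF:
            raise ValueError("malformed segment header")
        marker = data[pos + 1]
        (seg_len,) = struct.unpack_from(">H", data, pos + 2)
        pos += 2 + seg_len
        if marker == 0xDA:
            break
    # Inside scan data a literal FF is always followed by 00, so FF D9 is the real EOI.
    eoi = data.find(b"\xff\xd9", pos)
    if eoi < 0:
        raise ValueError("no end-of-image marker")
    return len(data) - (eoi + 2)

# Constructed sample inputs (not taken from any real campaign).
def sample_wav() -> bytes:
    pcm = struct.pack("<8h", 0, 1000, 2000, 1000, 0, -1000, -2000, -1000)
    fmt = struct.pack("<4sIHHIIHH", b"fmt ", 16, 1, 1, 8000, 16000, 2, 16)
    body = b"WAVE" + fmt + struct.pack("<4sI", b"data", len(pcm)) + pcm
    return struct.pack("<4sI", b"RIFF", len(body)) + body

def sample_jpeg_skeleton() -> bytes:
    # Structurally valid marker layout only; not a decodable image.
    app0 = b"\xff\xe0" + struct.pack(">H", 4) + b"\xff\xd9"  # payload mimics EOI on purpose
    sos = b"\xff\xda" + struct.pack(">H", 4) + b"\x00\x00"
    return b"\xff\xd8" + app0 + sos + b"\x12\xff\x00\x34" + b"\xff\xd9"

if __name__ == "__main__":
    appended = b"constructed trailing payload"
    print(wav_trailing_bytes(sample_wav()), wav_trailing_bytes(sample_wav() + appended))
    print(jpeg_trailing_bytes(sample_jpeg_skeleton() + appended))
```

A non-zero count is only a prompt to look closer: some tools append harmless metadata after the container, so the trailing bytes still need inspecting.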


I TOLD those guys not to play music on the centrifuge controllers! :joy:


Who else read ‘steganography’ as ‘stenography’ and imagined some decades-old secretarial shorthand method being repurposed for malicious code? After understanding my mistake, I still think using stenography would be a more interesting story than this. As noted above, not a new technique at all.


It IS possible, and has (rarely) been done in the past, to hide malware in (supposed) media containers that exploits specific playback software (usually Windows Media Player) to run arbitrary code. It never works, however, if you don’t use the intended client, or at least one that uses part of a code library you’re exploiting, so it never really gained much ground.

These days, actual executable malware code from a media file via media software is as vanishingly rare as CMOS viruses; they still exist, here and there, but ehh, whatever, you’re likely to never see one. You’re far more likely to see a silly malware link, “You need a codec to play this file…” :smirk:


Also, there is a piece of hardware that uses sound, not exactly hidden in the sound, to transfer data:

It sounds a lot like connecting to the internet on old modems.
