I’m not even convinced the audiod thing is Regin; whatever is going on is way less sophisticated even based on what the OP posted from volatility. I don’t think the hash they gave vx-underground is even from the sample from the original screenshots.
I think this person is just karma/clout farming badly and the screenshots are of some even more basic RAT.
He hasn't actually confirmed that the image he's processing is recent or if it was a test image and by "I found", he means he was able to find the thing that was known to be there. The Twitter thread has some people asking for clarification and none have been received yet.
I’m not sure this isn’t just some garden variety RAT that was named “audiod.exe”? The author seems kind of confused; there’s nothing driver related I can see here. They claim the malware was “injected” into a legitimate process, but the Microsoft audio graph process is “audiodg.exe”
Interesting that the malware author isn't using actual compressed audio (No idea why the Twitter poster seems to think wave files are compressed) I would assume that you'd want to transmit as little data to evade detection.
.wav files are RIFF containers of type 'WAVE'. These files can contain many different types of RIFF chunks, but the required chunks are a 'fmt ' (format information) and 'data' (audio payload). The format chunk describes the encoding of the audio payload data, among other information (channel count, sample rate).[0]
Although .wav files are, today, typically used for non-compressed PCM data (WAVE_FORMAT_PCM), even the original 1991 RIFF specification allowed for three compressed formats: mu-law, a-law, ADPCM.[1] These are all efficient to compute and I don't find it completely implausible that such low quality compression would be used. Modern .wav files may use the WAVEFORMATEX or WAVEFORMATEXTENSIBLE chunk, which uses GUIDs to identify formats. It supports the original compressed WAVE formats,[2] but also more modern compressed formats. Here is For example, here is Microsoft's list of sub-format GUIDs (includes MPEG formats and AC-3):
https://en.wikipedia.org/wiki/Regin_(malware)
I think this person is just karma/clout farming badly and the screenshots are of some even more basic RAT.
Interesting that the malware author isn't using actual compressed audio (No idea why the Twitter poster seems to think wave files are compressed) I would assume that you'd want to transmit as little data to evade detection.
Although .wav files are, today, typically used for non-compressed PCM data (WAVE_FORMAT_PCM), even the original 1991 RIFF specification allowed for three compressed formats: mu-law, a-law, ADPCM.[1] These are all efficient to compute and I don't find it completely implausible that such low quality compression would be used. Modern .wav files may use the WAVEFORMATEX or WAVEFORMATEXTENSIBLE chunk, which uses GUIDs to identify formats. It supports the original compressed WAVE formats,[2] but also more modern compressed formats. Here is For example, here is Microsoft's list of sub-format GUIDs (includes MPEG formats and AC-3):
https://learn.microsoft.com/en-us/windows-hardware/drivers/a...
[0] https://en.wikipedia.org/wiki/WAV
[1] https://www.aelius.com/njh/wavemetatools/doc/riffmci.pdf heading "WAVE Format Categories".
[2] https://learn.microsoft.com/en-us/windows-hardware/drivers/d...