Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Technique Audio Capture
RU
Риски
Каталоги
MITRE ATT&CK
Техника
Audio Capture
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Audio Capture

An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019) Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.

ID: T1123
Tactic(s): Collection
Platforms: Linux, Windows, macOS
Data Sources: Command: Command Execution, Process: OS API Execution
Version: 1.0
Created: 31 May 2017
Last Modified: 15 Apr 2025

Procedure Examples
Name Description
DOGCALL

DOGCALL can capture microphone data from the victim's machine.(Citation: Unit 42 Nokki Oct 2018)
PowerSploit

PowerSploit's Get-MicrophoneAudio Exfiltration module can record system microphone audio.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)
Janicab

Janicab captured audio and sent it out to a C2 server.(Citation: f-secure janicab)(Citation: Janicab)
EvilGrab

EvilGrab has the capability to capture audio from a victim machine.(Citation: PWC Cloud Hopper Technical Annex April 2017)
Crimson

Crimson can perform audio surveillance using microphones.(Citation: Kaspersky Transparent Tribe August 2020)
Machete

Machete captures audio from the computer’s microphone.(Citation: Securelist Machete Aug 2014)(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020)
InvisiMole

InvisiMole can record sound using input audio devices.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)
VERMIN

VERMIN can perform audio capture.(Citation: Unit 42 VERMIN Jan 2018)
DarkComet

DarkComet can listen in to victims' conversations through the system’s microphone.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018)
LightSpy

LightSpy uses Apple's built-in AVFoundation Framework library to capture and manage audio recordings then transform them to JSON blobs for exfiltration.(Citation: Huntress LightSpy macOS 2024)
ROKRAT

ROKRAT has an audio capture and eavesdropping module.(Citation: Securelist ScarCruft May 2019)
Remcos

Remcos can capture data from the system’s microphone.(Citation: Fortinet Remcos Feb 2017)
Bandook

Bandook has modules that are capable of capturing audio.(Citation: EFF Manul Aug 2016)
T9000

T9000 uses the Skype API to record audio and video calls. It writes encrypted data to %APPDATA%\Intel\Skype.(Citation: Palo Alto T9000 Feb 2016)
Micropsia

Micropsia can perform microphone recording.(Citation: Radware Micropsia July 2018)
Attor

Attor's has a plugin that is capable of recording audio using available input sound devices.(Citation: ESET Attor Oct 2019)
Imminent Monitor

Imminent Monitor has a remote microphone monitoring capability.(Citation: Imminent Unit42 Dec2019)(Citation: QiAnXin APT-C-36 Feb2019)
NightClub

NightClub can load a module to leverage the LAME encoder and `mciSendStringW` to control and capture audio.(Citation: MoustachedBouncer ESET August 2023)
Derusbi

Derusbi is capable of performing audio captures.(Citation: FireEye Periscope March 2018)
MgBot

MgBot can capture input and output audio streams from infected devices.(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 2023)
Cadelspy

Cadelspy has the ability to record audio from the compromised host.(Citation: Symantec Chafer Dec 2015)
Cobian RAT

Cobian RAT has a feature to perform voice recording on the victim’s machine.(Citation: Zscaler Cobian Aug 2017)
NanoCore

NanoCore can capture audio feeds from the system.(Citation: DigiTrust NanoCore Jan 2017)(Citation: PaloAlto NanoCore Feb 2016)
TajMahal

TajMahal has the ability to capture VoiceIP application audio on an infected host.(Citation: Kaspersky TajMahal April 2019)
Revenge RAT

Revenge RAT has a plugin for microphone interception.(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense RevengeRAT Feb 2019)
MacMa

MacMa has the ability to record audio.(Citation: Objective-See MacMa Nov 2021)
Pupy

Pupy can record sound with the microphone.(Citation: GitHub Pupy)
jRAT

jRAT can capture microphone recordings.(Citation: Kaspersky Adwind Feb 2016)
MacSpy

MacSpy can record the sounds from microphones on a computer.(Citation: objsee mac malware 2017)
Flame

Flame can record audio using any existing hardware recording devices.(Citation: Kaspersky Flame)(Citation: Kaspersky Flame Functionality)
APT37

APT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input.(Citation: FireEye APT37 Feb 2018)

Mitigations
Mitigation Description
Audio Capture Mitigation

Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system. Identify and block potentially malicious software that may be used to record audio by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Detection

Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system. Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data.

References

  1. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  2. Brod. (2013, July 15). Signed Mac Malware Using Right-to-Left Override Trick. Retrieved July 17, 2017.
  3. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  4. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  5. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  6. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  7. Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.
  8. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  9. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  10. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.
  11. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  12. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
  13. Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020.
  14. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  15. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  16. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  17. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  18. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
  19. Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022.
  20. Gostev, A. (2012, May 30). Flame: Bunny, Frog, Munch and BeetleJuice…. Retrieved March 1, 2017.
  21. Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017.
  22. Galperin, E., Et al.. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.
  23. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  24. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024.
  25. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  26. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  27. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  28. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  29. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
  30. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  31. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  32. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  33. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  34. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  35. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  36. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  37. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  38. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved November 17, 2024.
  39. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  40. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  41. Stuart Ashenbrenner, Alden Schmidt. (2024, April 25). LightSpy Malware Variant Targeting macOS. Retrieved January 3, 2025.
  42. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.