An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening in on sensitive conversations to gather information.[1]
Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.
ID | Name | Description |
---|---|---|
G0067 | APT37 | APT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input.[2] |
S0438 | Attor | Attor has a plugin that is capable of recording audio using available input sound devices.[1] |
S0234 | Bandook | |
S0454 | Cadelspy | Cadelspy has the ability to record audio from the compromised host.[4] |
S0338 | Cobian RAT | Cobian RAT has a feature to perform voice recording on the victim’s machine.[5] |
S0115 | Crimson | Crimson can perform audio surveillance using microphones.[6] |
S0334 | DarkComet | DarkComet can listen in to victims' conversations through the system’s microphone.[7][8] |
S0021 | Derusbi | |
S0213 | DOGCALL | DOGCALL can capture microphone data from the victim's machine.[10] |
S0152 | EvilGrab | EvilGrab has the capability to capture audio from a victim machine.[11] |
S0143 | Flame | Flame can record audio using any existing hardware recording devices.[12][13] |
S0434 | Imminent Monitor | Imminent Monitor has a remote microphone monitoring capability.[14][15] |
S0260 | InvisiMole | InvisiMole can record sound using input audio devices.[16][17] |
S0163 | Janicab | Janicab captured audio and sent it out to a C2 server.[18][19] |
S0283 | jRAT | |
S0409 | Machete | Machete captures audio from the computer’s microphone.[21][22][23] |
S1016 | MacMa | |
S0282 | MacSpy | MacSpy can record the sounds from microphones on a computer.[25] |
S1146 | MgBot | MgBot can capture input and output audio streams from infected devices.[26][27] |
S0339 | Micropsia | |
S0336 | NanoCore | |
S1090 | NightClub | NightClub can load a module to leverage the LAME encoder and |
S0194 | PowerSploit | PowerSploit's |
S0192 | Pupy | |
S0332 | Remcos | |
S0379 | Revenge RAT | Revenge RAT has a plugin for microphone interception.[36][37] |
S0240 | ROKRAT | |
S0098 | T9000 | T9000 uses the Skype API to record audio and video calls. It writes encrypted data to |
S0467 | TajMahal | TajMahal has the ability to capture VoiceIP application audio on an infected host.[40] |
S0257 | VERMIN | |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution | Monitor executed commands and arguments for actions that can leverage a computer’s peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening in on sensitive conversations to gather information. |
DS0009 | Process | OS API Execution | Monitor for API calls associated with leveraging a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening in on sensitive conversations to gather information. |
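The following Python script is an added defensive example, not part of this ATT&CK page or of any vendor's product. It applies the two detection data components above (Command Execution and OS API Execution) to a few constructed telemetry records, and, following the description's note that captured audio is often written to disk before exfiltration, rates a process higher when it both opens a capture stream and writes an audio file. The event shape, field names, allow-list and every sample event are assumptions made for the example. The API names (waveInOpen, DirectSoundCaptureCreate, IAudioCaptureClient::GetBuffer) and command-line recorders (arecord, parecord, ffmpeg device inputs, sox -d) are real, but how a given EDR or Sysmon configuration names them in its own events is something you have to map.

```python
"""Detect audio-capture behaviour in constructed process telemetry (added example).

Assumed event shape (NDJSON, one object per line):
  {"type": "api",     "host", "pid", "image", "api", "module"}
  {"type": "command", "host", "pid", "image", "command_line"}
  {"type": "file",    "host", "pid", "image", "path"}
"""
import json
import re
from collections import defaultdict
from typing import Iterable, Optional

# Public OS APIs whose purpose is to open a microphone capture stream
# (Windows waveform-audio, DirectSound capture, Core Audio/WASAPI capture).
# They are legitimate, so the allow-list below decides what is expected.
AUDIO_CAPTURE_APIS = {
    "waveInOpen",
    "DirectSoundCaptureCreate",
    "DirectSoundCaptureCreate8",
    "IAudioCaptureClient::GetBuffer",
}

AUDIO_CAPTURE_COMMANDS = [
    # dedicated recorders: ALSA arecord, PulseAudio parecord/parec, SoX rec
    re.compile(r"(?:^|[\\/\s])(?:arecord|parecord|parec|rec)(?:\.exe)?(?:\s|$)", re.I),
    # ffmpeg reading from a live capture device instead of a file
    re.compile(r"\bffmpeg(?:\.exe)?\b.*\s-f\s+(?:alsa|pulse|dshow|avfoundation|openal)\s", re.I),
    # SoX with the default audio device as input
    re.compile(r"\bsox(?:\.exe)?\b.*\s-d(?:\s|$)", re.I),
]

AUDIO_FILE_EXT = (".wav", ".mp3", ".ogg", ".flac", ".aac", ".m4a", ".opus")

# Constructed allow-list: processes this fictional environment expects to use
# the microphone (approved voice/video call clients). Matching on the image
# basename is a simplification; production rules should key on signer or path.
ALLOWED_AUDIO_PROCESSES = {"zoom.exe", "teams.exe"}

# Constructed sample telemetry: one suspicious Windows process, one allowed
# call client, one ffmpeg live capture, one benign ffmpeg transcode, and a
# plain media file write with no capture activity.
SAMPLE_TELEMETRY = r"""
{"type":"api","host":"ws01","pid":4120,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\svc_update.exe","api":"waveInOpen","module":"winmm.dll"}
{"type":"file","host":"ws01","pid":4120,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\svc_update.exe","path":"C:\\Users\\alice\\AppData\\Local\\Temp\\rec_0001.wav"}
{"type":"api","host":"ws01","pid":2210,"image":"C:\\Program Files\\Zoom\\bin\\Zoom.exe","api":"IAudioCaptureClient::GetBuffer","module":"audioses.dll"}
{"type":"command","host":"lnx07","pid":8831,"image":"/usr/bin/ffmpeg","command_line":"ffmpeg -f alsa -i default -t 3600 /var/tmp/.cache/out.mp3"}
{"type":"command","host":"lnx07","pid":8840,"image":"/usr/bin/ffmpeg","command_line":"ffmpeg -i talk.mp4 -vn -acodec copy talk.aac"}
{"type":"file","host":"ws01","pid":5555,"image":"C:\\Windows\\explorer.exe","path":"C:\\Users\\alice\\Music\\song.mp3"}
"""


def load_ndjson(text: str) -> list:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return a reason string if this single event is audio-capture related, else None."""
    if event["type"] == "api" and event["api"] in AUDIO_CAPTURE_APIS:
        return f"audio capture API {event['api']} ({event.get('module', '?')})"
    if event["type"] == "command":
        for pattern in AUDIO_CAPTURE_COMMANDS:
            if pattern.search(event["command_line"]):
                return f"audio capture command: {event['command_line']}"
    return None


def analyze(events: Iterable[dict]) -> dict:
    """Group events per (host, pid). Capture plus an audio file write rates high,
    capture alone medium; a file write alone is ignored because it is too noisy."""
    per_proc = defaultdict(lambda: {"image": None, "capture": [], "files": []})
    for ev in events:
        rec = per_proc[(ev["host"], ev["pid"])]
        rec["image"] = ev["image"]
        reason = classify(ev)
        if reason:
            rec["capture"].append(reason)
        elif ev["type"] == "file" and ev["path"].lower().endswith(AUDIO_FILE_EXT):
            rec["files"].append(ev["path"])

    findings = {}
    for (host, pid), rec in per_proc.items():
        if not rec["capture"] or basename(rec["image"]) in ALLOWED_AUDIO_PROCESSES:
            continue
        findings[f"{host}:{pid}"] = {
            "image": rec["image"],
            "severity": "high" if rec["files"] else "medium",
            "evidence": rec["capture"] + rec["files"],
        }
    return findings


def run_sample() -> dict:
    """Run the detector over the constructed telemetry above."""
    return analyze(load_ndjson(SAMPLE_TELEMETRY))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the sample data this flags the unsigned-looking binary in a user's Temp directory (capture API plus a .wav written by the same process) as high and the long-running ffmpeg ALSA capture as medium, while the allowed call client, the ffmpeg transcode and the plain media file write produce nothing. The dshow and avfoundation inputs also cover webcams, so a hit on those is better read as "peripheral capture" than strictly audio, and because the allow-list matches on image name alone, a tool renamed to look like a call client would slip past it; in production, key the exception on code signer or installation path.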