An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.
Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
|APT37||APT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input. |
|Bandook||Bandook has modules that are capable of capturing audio. |
|Cobian RAT||Cobian RAT has a feature to perform voice recording on the victim’s machine. |
|DarkComet||DarkComet can listen in to victims' conversations through the system’s microphone.  |
|Derusbi||Derusbi is capable of performing audio captures. |
|DOGCALL||DOGCALL can capture microphone data from the victim's machine. |
|EvilGrab||EvilGrab has the capability to capture audio from a victim machine. |
|Flame||Flame can record audio using any existing hardware recording devices.  |
|InvisiMole||InvisiMole can record sound using input audio devices. |
|Janicab||Janicab captured audio and sent it out to a C2 server.  |
|jRAT||jRAT can capture microphone recordings. |
|MacSpy||MacSpy can record the sounds from microphones on a computer. |
|Micropsia||Micropsia can perform microphone recording. |
|NanoCore||NanoCore can capture audio feeds from the system.  |
|Pupy||Pupy can record sound with the microphone. |
|Remcos||Remcos can capture data from the system’s microphone. |
|Revenge RAT||Revenge RAT has a plugin for microphone interception.  |
|ROKRAT||ROKRAT has a audio capture and eavesdropping module. |
T9000 uses the Skype API to record audio and video calls. It writes encrypted data to
|VERMIN||VERMIN can perform audio capture. |
Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.
Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data.
- Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
- PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
- PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
- Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
- The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
- Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
- Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
- Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
- Gostev, A. (2012, May 30). Flame: Bunny, Frog, Munch and BeetleJuice…. Retrieved March 1, 2017.
- Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
- Brod. (2013, July 15). Signed Mac Malware Using Right-to-Left Override Trick. Retrieved July 17, 2017.
- Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017.
- Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.
- Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
- Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
- TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
- Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
- Galperin, E., Et al.. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.
- Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
- Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
- Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019.
- GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
- FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.