JUST RELEASED: ATT&CK for Industrial Control Systems

Audio Capture

An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.

Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.

ID: T1123
Tactic: Collection
Platform: Linux, macOS, Windows
Permissions Required: User
Data Sources: API monitoring, Process monitoring, File monitoring
CAPEC ID: CAPEC-634
Version: 1.0
Created: 31 May 2017
Last Modified: 18 June 2019

Procedure Examples

Name Description
APT37

APT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input.[28]

Bandook

Bandook has modules that are capable of capturing audio.[22]

Cobian RAT

Cobian RAT has a feature to perform voice recording on the victim’s machine.[17]

DarkComet

DarkComet can listen in to victims' conversations through the system’s microphone.[20][21]

Derusbi

Derusbi is capable of performing audio captures.[5]

DOGCALL

DOGCALL can capture microphone data from the victim's machine.[19]

EvilGrab

EvilGrab has the capability to capture audio from a victim machine.[6]

Flame

Flame can record audio using any existing hardware recording devices.[12][13]

InvisiMole

InvisiMole can record sound using input audio devices.[18]

Janicab

Janicab captured audio and sent it out to a C2 server.[15][16]

jRAT

jRAT can capture microphone recordings.[23]

Machete

Machete captures audio from the computer’s microphone. [27]

MacSpy

MacSpy can record the sounds from microphones on a computer.[8]

Micropsia

Micropsia can perform microphone recording.[14]

NanoCore

NanoCore can capture audio feeds from the system.[9][10]

PowerSploit

PowerSploit's Get-MicrophoneAudio Exfiltration module can record system microphone audio.[3][4]

Pupy

Pupy can record sound with the microphone.[1]

Remcos

Remcos can capture data from the system’s microphone.[2]

Revenge RAT

Revenge RAT has a plugin for microphone interception.[24][25]

ROKRAT

ROKRAT has a audio capture and eavesdropping module.[26]

T9000

T9000 uses the Skype API to record audio and video calls. It writes encrypted data to %APPDATA%\Intel\Skype.[7]

VERMIN

VERMIN can perform audio capture.[11]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.

Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data.

References