1. Home
  2. Techniques
  3. Enterprise
  4. 音频捕获

音频捕获

ID Name
T1123.001 内存驻留音频捕获
T1123.002 合法语音服务寄生录音
T1123.003 环境噪声自适应音频截取
T1123.004 加密语音信道渗透录音

音频捕获技术指攻击者通过软硬件手段非法获取目标设备周围声学信息的情报收集行为,通常利用操作系统API或应用程序接口访问麦克风等音频输入设备。防御措施主要依赖检测异常进程的录音权限获取行为、监控可疑音频文件生成,以及分析应用程序的非常规API调用模式。由于合法语音应用普遍需要持续访问音频设备,准确区分恶意行为存在较高误报风险。

为规避传统检测机制,攻击者发展出新型音频捕获匿迹技术,通过重构数据存储介质、寄生合法应用流程、融合环境声学特征及渗透加密信道等手法,将窃取行为深度嵌入正常语音交互场景,显著降低设备层、应用层和网络层的可观测性。

当前音频捕获匿迹技术的共性在于攻击链路的全环节隐形重构。攻击者突破传统物理设备控制模式,转向内存、加密信道和应用逻辑层构建窃取路径:内存驻留技术消除磁盘写入痕迹,使数据生命周期完全处于易失性存储空间;合法服务寄生技术将恶意代码植入可信应用进程,获得系统安全机制的默认放行;环境自适应技术通过上下文感知动态调节攻击强度,实现窃取行为与物理环境的特征同步;加密信道渗透技术则利用通信端点的信任关系,在安全边界内部实施数据截获。这些技术均采用"逻辑层寄生"策略,将攻击行为深度绑定在合法功能实现流程中,使得基于单点异常指标(如麦克风激活时长)或静态特征匹配的检测方法失效。

匿迹技术的演进导致传统基于设备使用监控、文件特征检测的防御体系面临严峻挑战,防御方需构建多维行为基线模型,实施从物理传感器到应用逻辑层的全链路监控,并引入声纹生物特征分析技术,实现对隐蔽音频窃取行为的精准识别与阻断。

ID: T1123
Sub-techniques:  T1123.001, T1123.002, T1123.003, T1123.004
Tactic: 信息收集
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 31 May 2017
Last Modified: 15 October 2024

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

特征伪装

攻击者通过劫持合法语音应用的录音功能,使恶意音频捕获行为在进程签名、API调用链等维度与正常业务操作完全一致。例如寄生在视频会议软件中时,录音模块的线程调度、内存访问模式均符合应用正常行为特征,有效规避基于进程行为分析的检测系统。

数据遮蔽

采用端到端加密信道渗透技术时,攻击者通过在加密流量解密瞬间实施内存窃取,确保网络传输层始终维持加密状态。同时使用自定义加密协议传输窃取内容,使得网络流量分析无法直接获取有效载荷,实现双重数据遮蔽效果。

时空释痕

环境自适应录音技术通过动态调整捕获频率和时长,使设备激活模式呈现间歇性、低强度的特征。结合合法语音服务的自然使用周期,将窃取行为的时间特征稀释在用户正常交互过程中,显著降低基于时间序列异常检测的发现概率。

Procedure Examples

ID Name Description
G0067 APT37

APT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input.[1]
S0438 Attor

Attor's has a plugin that is capable of recording audio using available input sound devices.[2]
S0234 Bandook

Bandook has modules that are capable of capturing audio.[3]
S0454 Cadelspy

Cadelspy has the ability to record audio from the compromised host.[4]
S0338 Cobian RAT

Cobian RAT has a feature to perform voice recording on the victim’s machine.[5]
S0115 Crimson

Crimson can perform audio surveillance using microphones.[6]
S0334 DarkComet

DarkComet can listen in to victims' conversations through the system’s microphone.[7][8]
S0021 Derusbi

Derusbi is capable of performing audio captures.[9]
S0213 DOGCALL

DOGCALL can capture microphone data from the victim's machine.[10]
S0152 EvilGrab

EvilGrab has the capability to capture audio from a victim machine.[11]
S0143 Flame

Flame can record audio using any existing hardware recording devices.[12][13]
S0434 Imminent Monitor

Imminent Monitor has a remote microphone monitoring capability.[14][15]
S0260 InvisiMole

InvisiMole can record sound using input audio devices.[16][17]
S0163 Janicab

Janicab captured audio and sent it out to a C2 server.[18][19]
S0283 jRAT

jRAT can capture microphone recordings.[20]
S0409 Machete

Machete captures audio from the computer’s microphone.[21][22][23]
S1016 MacMa

MacMa has the ability to record audio.[24]
S0282 MacSpy

MacSpy can record the sounds from microphones on a computer.[25]
S1146 MgBot

MgBot can capture input and output audio streams from infected devices.[26][27]
S0339 Micropsia

Micropsia can perform microphone recording.[28]
S0336 NanoCore

NanoCore can capture audio feeds from the system.[29][30]
S1090 NightClub

NightClub can load a module to leverage the LAME encoder and mciSendStringW to control and capture audio.[31]
S0194 PowerSploit

PowerSploit's Get-MicrophoneAudio Exfiltration module can record system microphone audio.[32][33]
S0192 Pupy

Pupy can record sound with the microphone.[34]
S0332 Remcos

Remcos can capture data from the system’s microphone.[35]
S0379 Revenge RAT

Revenge RAT has a plugin for microphone interception.[36][37]
S0240 ROKRAT

ROKRAT has an audio capture and eavesdropping module.[38]
S0098 T9000

T9000 uses the Skype API to record audio and video calls. It writes encrypted data to %APPDATA%\Intel\Skype.[39]
S0467 TajMahal

TajMahal has the ability to capture VoiceIP application audio on an infected host.[40]
S0257 VERMIN

VERMIN can perform audio capture.[41]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for actions that can leverage a computer’s peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.
DS0009 Process OS API Execution

Monitor for API calls associated with leveraging a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.

References

  1. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  2. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  3. Galperin, E., Et al.. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.
  4. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
  5. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.
  6. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  7. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  8. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  9. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  10. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  11. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  12. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
  13. Gostev, A. (2012, May 30). Flame: Bunny, Frog, Munch and BeetleJuice…. Retrieved March 1, 2017.
  14. Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020.
  15. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  16. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  17. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  18. Brod. (2013, July 15). Signed Mac Malware Using Right-to-Left Override Trick. Retrieved July 17, 2017.
  19. Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017.
  20. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  21. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  1. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  2. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  3. Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022.
  4. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  5. Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.
  6. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
  7. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  8. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  9. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  10. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  11. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  12. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  13. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  14. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
  15. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  16. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019.
  17. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  18. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  19. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  20. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.