Audio Capture (T1123)

Security is always excessive until it’s not enough.
— Robbie Sinclair

Audio Capture Attacks

MITRE ATT&CK Technique ID: T1123

  • Overview: The technique identified by MITRE ATT&CK as T1123 is known as "Audio Capture." This technique involves the adversary using malware or other malicious tools to intercept and record audio from a system's microphone. The primary purpose of this technique is to eavesdrop on conversations or capture other ambient sounds that may be of interest to the attackers.

  • Objective: The goal of this activity is often to gather sensitive information, such as confidential discussions, strategic business plans, personal information, or other data that can be exploited for further attacks, espionage, or blackmail.

How it works:

  • Once the malware or malicious software is deployed on a target system, it can gain access to the system's microphone.

  • The malware may operate covertly, meaning that the user may not be aware that their microphone is being activated or that audio is being recorded.

  • The captured audio files are often compressed and encrypted before being exfiltrated to the attacker's server for analysis or other malicious purposes.

  • Some malware may also use this technique in conjunction with other data capture methods, such as screen capture or keylogging, to provide a more comprehensive set of data to the adversary.

Targets

  • The targets of this technique can vary widely, including individuals, businesses, and government entities.

  • High-value targets often include executives, diplomats, activists, and anyone who might have sensitive or strategically important information.


Associated Threat Actors:

  • This technique is often associated with advanced persistent threats (APTs), state-sponsored hackers, and cybercriminal organizations.

  • Some notable examples include groups that are known to engage in cyber espionage or those that aim to influence or disrupt by gathering intelligence.

Defense and Mitigation:

  • Software and Firmware Security: Regularly updating software and firmware can prevent exploitation of known vulnerabilities that could be used to deploy malware.

  • Microphone Control: Implementing strict controls on microphone access, including hardware switches or software-based permissions, can limit unauthorized access.

  • Detection Tools: Use endpoint detection and response (EDR) solutions that can monitor for unusual behavior related to microphone use.

  • Education and Awareness: Train users to recognize phishing attacks and other social engineering tactics that might lead to malware installation.

Related Techniques:

  • T1113 (Screen Capture)

  • T1119 (Automated Collection)

  • T1125 (Video Capture)


Notable Attacks and Campaigns

Operation Ke3chang / APT15

  • Timeline: Active since at least 2010

  • Details: Chinese group targeting European diplomatic and industrial entities with malware like RoyalCli and RoyalDNS to capture audio.

  • Technical Implementation:

    • Audio capture modules in malware

    • Microphone control via encoded C2 commands


DarkHotel

  • Timeline: Ongoing since at least 2007

  • Details: Targets high-value hotel guests with backdoors capable of audio spying.

  • Technical Implementation:

    • Backdoors with audio capture features aimed at targeted surveillance


Turla (Snake / Uroburos)

  • Timeline: Active since at least 2008

  • Details: Russian group using sophisticated malware like Snake to record audio.

  • Technical Implementation:

    • Snake malware for audio recording and exfiltration

    • Control via C2 infrastructure


FinFisher / FinSpy

  • Timeline: Discovered around 2011

  • Details: Commercial spyware used by various government and law enforcement agencies with audio capture capabilities.

  • Technical Implementation:

    • FinSpy modules for audio capture

    • Recordings sent to C2 servers


Key People and Groups

  • APT15 / Ke3chang: Chinese group, government-linked, focuses on espionage with sophisticated malware development.

  • DarkHotel: Targets high-profile individuals, focusing on intelligence gathering.

  • Turla (Snake / Uroburos): Russian group, government-linked, focuses on geopolitical intelligence.

  • FinFisher: Sold by Gamma Group, used by nation-state actors and law enforcement.


Publicly Available Technical Details

APT Group Malware and Tools
APT15 / Ke3chang
  • Also known as: Mirage, Vixen Panda, GREF, Playful Dragon
  • Believed to be China-based
  • Active since at least 2010
  • Targets: Government, defense, technology sectors
Malware:
  • RoyalCli: Remote access trojan with file operations, shell commands
  • RoyalDNS: DNS tunneling backdoor for data exfiltration
  • BS2005: Keylogger and information stealer
Tools:
  • Encoded C2 commands for managing audio capture
  • Custom network protocol for covert communications
  • DLL side-loading techniques for persistence
DarkHotel
  • Also known as: Fallout Team, APT-C-06, TAPAOUX
  • Believed to be Korean-speaking group
  • Active since at least 2007
  • Targets: Business executives, government officials
Malware:
  • Custom backdoors with audio recording capabilities
  • Inexsmar: Modular malware for espionage
  • DOTHAT: Trojan for file system operations
Tools:
  • Remote access tools with microphone control
  • Zero-day exploits for Adobe Flash and Microsoft Internet Explorer
  • Social engineering techniques, including spear-phishing emails
Turla
  • Also known as: Snake, Uroburos, Venomous Bear, Waterbug
  • Believed to be Russian-speaking group
  • Active since at least 2008
  • Targets: Government, military, research institutions
Malware:
  • Snake (Uroburos): Sophisticated rootkit with audio capture
  • Carbon: Modular backdoor system
  • Mosquito: Information-stealing trojan
Tools:
  • Rootkits and backdoors for audio recording
  • Satellite-based command and control infrastructure
  • LightNeuron: Exchange backdoor for email interception
FinFisher
  • Also known as: FinSpy, Wingbird
  • Commercial spyware developed by Gamma Group
  • Used by government agencies worldwide
  • Targets: Dissidents, journalists, human rights activists
Malware:
  • FinSpy: Multi-platform spyware suite
  • FinFly USB: Tool for physical infection via USB drives
Tools:
  • Comprehensive spyware suite enabling microphone access
  • Remote monitoring of encrypted communications (Skype, etc.)
  • Keylogging and screen capture capabilities
  • GPS tracking for mobile devices

Remediation

Windows Environments

  1. Review and Audit Installed Applications:

    1. Open Control Panel > Programs and Features.

    2. Review installed applications and uninstall suspicious software.

    3. Use PowerShell to list installed software:

      Get-WmiObject -Class Win32_Product | Select-Object -Property Name

      Note that Win32_Product only covers MSI-installed packages and triggers a consistency check (and possible repair) of each one while it enumerates, so the query is slow and has side effects; the Uninstall registry keys are a quicker source for a first pass.
  2. Manage Microphone Permissions:

    1. Go to Settings > Privacy > Microphone.

    2. Disable microphone access for non-essential apps.

  3. Use Group Policy to Control Permissions:

    1. Open Group Policy Editor (gpedit.msc).

    2. Navigate to Computer Configuration > Administrative Templates > Windows Components > App Privacy.

    3. Set "Let Windows apps access the microphone" to Disabled.

  4. Endpoint Detection and Response (EDR):

    1. Deploy an EDR solution to monitor and detect unusual audio capture activities.

    2. Configure alerts for unauthorized microphone access.

macOS

  1. Audit Installed Applications:

    1. Go to System Preferences > Users & Groups > Login Items.

    2. Review startup items and remove suspicious entries.

    3. Use Terminal to list installed applications:

      ls /Applications
  2. Manage Microphone Permissions:

    1. Navigate to System Preferences > Security & Privacy > Privacy > Microphone.

    2. Revoke microphone access for unnecessary applications.

  3. Use MDM to Enforce Microphone Policies:

    1. Utilize Mobile Device Management (MDM) to enforce microphone access policies.

    2. Use a script to revoke microphone permissions:

      tccutil reset Microphone
  4. Deploy EDR Solutions:

    1. Implement EDR tools to monitor and report unauthorized microphone access.

    2. Set up automated alerts for suspicious activities.

Linux

  1. Review Running Processes:

    1. Use ps aux to list running processes and identify any suspicious ones.

    2. Remove unnecessary or suspicious software using a package manager such as apt, yum, or dnf.

  2. Control Audio Group Membership:

    1. Check user permissions for the audio group using:

      getent group audio
    2. Remove non-essential users from the audio group:

      sudo gpasswd -d <username> audio
  3. Use PulseAudio Utilities:

    1. Use pavucontrol to manage application access to the microphone.

    2. Adjust permissions for applications requiring microphone access.

  4. Implement File Integrity Monitoring:

    1. Use tools like auditd to monitor changes to configuration files related to audio devices.
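
The Linux process review (step 1) and audio-group check (step 2) above, turned into a runnable script. This is an added example, not code from the original page: mic_holders lists processes that currently hold an ALSA capture device open by scanning /proc/<pid>/fd, and audio_group_extras reports audio-group members that are not on an allow-list. Both function names are mine, and the allow-list at the bottom is a constructed example; each function takes an optional parameter so it can be run against a constructed /proc tree or group line instead of the live system.

```shell
#!/bin/sh
# Added example, not part of the original page. POSIX sh, no extra tools.

# List processes that currently hold an ALSA *capture* device open, i.e. are
# able to read the microphone right now. Scans <procroot>/<pid>/fd symlinks.
# $1: proc root (defaults to /proc; a constructed tree can be passed for testing).
# Output: one "<pid> <comm> <device>" line per holder.
mic_holders() {
    procroot="${1:-/proc}"
    for fd in "$procroot"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            /dev/snd/pcmC*c)
                # ALSA PCM nodes are pcmC<card>D<dev>[c|p]; 'c' = capture, 'p' = playback
                pid=${fd#"$procroot"/}
                pid=${pid%%/*}
                comm=$(cat "$procroot/$pid/comm" 2>/dev/null || echo '?')
                printf '%s %s %s\n' "$pid" "$comm" "$target"
                ;;
        esac
    done | sort -u
}

# Report members of the 'audio' group that are not on an allow-list.
# $1: space-separated allow-list of user names.
# $2: the group entry as printed by 'getent group audio' (defaults to the
#     live entry; a constructed line can be passed for testing).
# Output: one user name per line; each is a candidate for
#         sudo gpasswd -d <username> audio
audio_group_extras() {
    allowed=" $1 "
    line="${2:-$(getent group audio 2>/dev/null)}"
    members=$(printf '%s\n' "$line" | cut -d: -f4 | tr ',' ' ')
    for u in $members; do
        case "$allowed" in
            *" $u "*) ;;
            *) printf '%s\n' "$u" ;;
        esac
    done
}

# Stand-alone use on a live host (the allow-list below is a constructed example):
if [ "${1:-}" = "--run" ]; then
    echo "# processes with a capture device open:"
    mic_holders
    echo "# audio group members outside the allow-list:"
    audio_group_extras "alice bob"
fi
```

On desktops where a sound server (PipeWire or PulseAudio) owns the device, the holder reported is the server itself, and `pactl list source-outputs` then shows which client streams are reading from a capture source. For continuous monitoring rather than a point-in-time check, an auditd watch such as `auditctl -w /dev/snd/ -p r -k mic_open` records every read-open of a sound device (the key name is a constructed example).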

Amazon AWS

  1. Review IAM Policies:

    1. Check IAM roles and permissions that have access to audio devices.

    2. Use AWS IAM Policies to restrict access:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Deny",
            "Action": [
              "s3:*",
              "ec2:*"
            ],
            "Resource": "*"
          }
        ]
      }
  2. Audit EC2 Instances:

    1. Evaluate installed applications on EC2 instances.

    2. Use Systems Manager to automate compliance checks and remediation of audio capture permissions.

  3. Implement CloudTrail and GuardDuty:

    1. Enable AWS CloudTrail to log API calls and activities.

    2. Use GuardDuty to detect anomalous activities related to audio capture.

Google Cloud Platform (GCP)

  1. Review IAM Roles and Bindings:

    1. Audit IAM roles and their bindings using:

      gcloud projects get-iam-policy [PROJECT_ID]
    2. Restrict permissions with least-privilege principles.

  2. Audit VM Instances:

    1. Use Google Cloud Console to review installed software on VM instances.

    2. Remove unnecessary applications that can access the microphone.

  3. Deploy Security Command Center:

    1. Enable and configure Google Cloud Security Command Center to monitor and alert on suspicious activities.

    2. Utilize Forseti Security to audit and enforce compliance:

      forseti inventory create
      forseti model create --source inventory
      forseti model use [MODEL_NAME]
      forseti scanner run

Microsoft Azure

  1. Review Active Directory Roles:

    1. Audit Azure Active Directory roles to ensure least privilege.

    2. Use Azure CLI to list role assignments:

      az role assignment list --all
  2. Review Azure VM Extensions:

    1. Check extensions installed on Azure VMs which might have access to the microphone.

    2. Remove unnecessary or suspicious extensions via Azure Portal or CLI:

      az vm extension delete --resource-group [ResourceGroupName] --vm-name [VMName] --name [ExtensionName]
  3. Enable Azure Security Center:

    1. Activate Azure Security Center to monitor and detect suspicious activities.

    2. Set up policies that can alert on unauthorized audio capture activities.

  4. Monitor and Audit Logs:

    1. Enable Diagnostic Logs for resources and review them regularly.

    2. Use Azure Log Analytics to set up queries for detecting anomalous audio capture activities:

      SecurityEvent
      | where EventID == 4663 and ObjectName contains "microphone"