Description
An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)
Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.
Platforms
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has gathered audio during a Zoom session.(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack ... |
| G0067 | APT37 | [APT37](https://attack.mitre.org/groups/G0067) has used an audio capturing utility known as SOUNDWAVE that captures microphone input.(Citation: FireEy... |
Associated Software (30)
| ID | Name | Type | Context |
|---|---|---|---|
| S0143 | Flame | Malware | [Flame](https://attack.mitre.org/software/S0143) can record audio using any existing hardware recording devices.(Citation: Kaspersky Flame)(Citation: ... |
| S0240 | ROKRAT | Malware | [ROKRAT](https://attack.mitre.org/software/S0240) has an audio capture and eavesdropping module.(Citation: Securelist ScarCruft May 2019) |
| S0234 | Bandook | Malware | [Bandook](https://attack.mitre.org/software/S0234) has modules that are capable of capturing audio.(Citation: EFF Manul Aug 2016) |
| S0194 | PowerSploit | Tool | [PowerSploit](https://attack.mitre.org/software/S0194)'s <code>Get-MicrophoneAudio</code> Exfiltration module can record system microphone audio.(Cita... |
| S0257 | VERMIN | Malware | [VERMIN](https://attack.mitre.org/software/S0257) can perform audio capture.(Citation: Unit 42 VERMIN Jan 2018) |
| S0467 | TajMahal | Malware | [TajMahal](https://attack.mitre.org/software/S0467) has the ability to capture VoiceIP application audio on an infected host.(Citation: Kaspersky TajM... |
| S0192 | Pupy | Tool | [Pupy](https://attack.mitre.org/software/S0192) can record sound with the microphone.(Citation: GitHub Pupy) |
| S0152 | EvilGrab | Malware | [EvilGrab](https://attack.mitre.org/software/S0152) has the capability to capture audio from a victim machine.(Citation: PWC Cloud Hopper Technical An... |
| S1185 | LightSpy | Malware | [LightSpy](https://attack.mitre.org/software/S1185) uses Apple's built-in AVFoundation Framework library to capture and manage audio recordings then t... |
| S0454 | Cadelspy | Malware | [Cadelspy](https://attack.mitre.org/software/S0454) has the ability to record audio from the compromised host.(Citation: Symantec Chafer Dec 2015) |
| S0336 | NanoCore | Malware | [NanoCore](https://attack.mitre.org/software/S0336) can capture audio feeds from the system.(Citation: DigiTrust NanoCore Jan 2017)(Citation: PaloAlto... |
| S0115 | Crimson | Malware | [Crimson](https://attack.mitre.org/software/S0115) can perform audio surveillance using microphones.(Citation: Kaspersky Transparent Tribe August 2020... |
| S1016 | MacMa | Malware | [MacMa](https://attack.mitre.org/software/S1016) has the ability to record audio.(Citation: Objective-See MacMa Nov 2021) |
| S0098 | T9000 | Malware | [T9000](https://attack.mitre.org/software/S0098) uses the Skype API to record audio and video calls. It writes encrypted data to <code>%APPDATA%\Intel... |
| S0409 | Machete | Malware | [Machete](https://attack.mitre.org/software/S0409) captures audio from the computer’s microphone.(Citation: Securelist Machete Aug 2014)(Citation: Cyl... |
| S0163 | Janicab | Malware | [Janicab](https://attack.mitre.org/software/S0163) captured audio and sent it out to a C2 server.(Citation: f-secure janicab)(Citation: Janicab) |
| S0338 | Cobian RAT | Malware | [Cobian RAT](https://attack.mitre.org/software/S0338) has a feature to perform voice recording on the victim’s machine.(Citation: Zscaler Cobian Aug 2... |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) can record sound using input audio devices.(Citation: ESET InvisiMole June 2018)(Citation: ESET ... |
| S0379 | Revenge RAT | Malware | [Revenge RAT](https://attack.mitre.org/software/S0379) has a plugin for microphone interception.(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense... |
| S0021 | Derusbi | Malware | [Derusbi](https://attack.mitre.org/software/S0021) is capable of performing audio captures.(Citation: FireEye Periscope March 2018) |
References
Frequently Asked Questions
What is T1123 (Audio Capture)?
T1123 is a MITRE ATT&CK technique named 'Audio Capture'. It belongs to the Collection tactic(s). An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening...
How can T1123 be detected?
Detection of T1123 (Audio Capture) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1123?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1123?
Known threat groups using T1123 include: VOID MANTICORE, APT37.