A common theme in literary, cinematic and real-world espionage is the use of a wire or bug that records audio of a target subject. Audio capture jumped out of these spy novels and movies and right into the laps of attackers and malicious hackers. These attackers use a clandestine collection method, normally using microphones and other audio interfacing devices, to siphon information from the target subject.
This article will detail the audio capture collection technique listed in the MITRE ATT&CK matrix and explore what MITRE ATT&CK is, what the audio capture technique is, real-world examples demonstrating different methods of performing this technique, mitigation and detection. If you have ever wondered whether, or how, attackers and malicious hackers are listening to users of compromised systems, let this article serve as an education and a warning.
What is MITRE ATT&CK?
MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.
To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics based upon real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for the cybersecurity product/service community, the private sector and government use. More information on the MITRE ATT&CK matrix can be found here.
Dangers of abuse of system features
Before we discuss the audio capture attack technique in any detail, we should first discuss what makes it so dangerous. This attack technique is considered an “abuse of system features” technique.
What this means is that the attacker or malicious hacker is leveraging the inherent features of the compromised system against itself. It is sort of like jujitsu or judo, where the opponent’s inherent quality (weight differential, lack of balance, forward momentum and so on) is used against the opponent. Unfortunately for compromised user systems, there is no counter-move to audio capture unless physically placing tape on your system’s audio recording devices is an option.
A little about audio capture
Audio capture is a well-known information collection technique among attackers and malicious hackers. Borrowing a little from cliché espionage movies and tv, they use a compromised system’s peripheral devices, including microphone and other devices, to collect audio with the goal of capturing sensitive information which can be used in furtherance of the attack operation.
There is no one method of carrying out this technique. Malware or scripts deployed by attackers may use available APIs provided by the OS or applications to interact with audio recording devices to steal audio recordings. These recordings may be saved to the local, compromised system and they may be exfiltrated to the attackers at some point.
The best way to study an attack technique that uses different methods to achieve its nefarious goals is to examine notable real-world examples. Below is a list of examples that illustrate these different approaches.
Real-world examples of audio capture
This North Korean attack group uses a Windows-based malware utility called SOUNDWAVE. Using the command line, SOUNDWAVE has the ability to capture audio via the compromised Windows system’s microphone for up to 100 minutes at a time. You can probably imagine the sheer volume of sensitive information that can be collected if a C-level executive of an organization is infected by APT37.
Flame is an advanced toolkit that offers a full range of information-stealing capabilities. For audio capture, Flame uses a utility called Microbe that can list all multimedia devices (and provides complete device configuration) and selects suitable audio recording devices to use. This list extends beyond the microphone device, listing all suitable applications that can record audio, including Skype.
Revenge RAT is a remote access tool that is freely available online. This tool handles its audio capture operation responsibilities differently than those listed above. Namely, it uses a plugin which can capture audio and store it in a compressed file format for exfiltration at a later point in time.
This OSX Trojan relies on a valid developer ID and the carelessness of users for installation, which occurs when the impacted user downloads what is expected to be a document from an infected website. Once installed, this Trojan continuously uploads captured audio from the compromised system to its command-and-control server.
As mentioned earlier, the audio capture attack technique is an “abuse of system feature” tactic. This means that it is particularly difficult to mitigate without disabling the system feature that is being abused. Unless the impacted user can live with disabling audio recording capability on their microphone and all applications that record audio, mitigation will be hard to come by.
Detection is also difficult but is somewhat easier to perform than mitigation. The key to detecting this attack technique is understanding how the attackers are capturing your audio. There are many APIs that can be used to capture audio, which complicates detection.
Solid ideas for what to monitor include looking for strange processes accessing APIs, recording devices, recording devices and out of the ordinary processes writing audio files to disk.
Audio capture is a troubling capability that many attack tools have been using of late. It allows attackers to record audio from a compromised system’s microphone (and applications with audio recording capability) and other audio recording devices to harvest sensitive information about the impacted user.
Audio capture can be hard to mitigate because it takes advantage of an inherent system feature, but it is possible to detect if you know what to look for.