Malware embedded into audio driver is silently recording from system mic

https://twitter.com/Officialwhyte22/status/1995024999934001602

64•CGMthrowaway•2mo ago

Comments

treetalker•2mo ago

https://xcancel.com/Officialwhyte22/status/19950249999340016...

jacquesm•2mo ago

That's an OVH Singapore IP, did they flag this to OVH? That server should be taken offline and the contents preserved for forensics.

monerozcash•2mo ago

They're analysing a file from 2012, OVH probably didn't even own those IPs back then.

jacquesm•2mo ago

So this whole post is BS then.

bri3d•2mo ago

I’m not sure this isn’t just some garden variety RAT that was named “audiod.exe”? The author seems kind of confused; there’s nothing driver related I can see here. They claim the malware was “injected” into a legitimate process, but the Microsoft audio graph process is “audiodg.exe”

fishgoesblub•2mo ago

"compressed .wav files"

Interesting that the malware author isn't using actual compressed audio (No idea why the Twitter poster seems to think wave files are compressed) I would assume that you'd want to transmit as little data to evade detection.

irilesscent•2mo ago

I think its more resource intensive to record a more optimised format.

RossBencina•2mo ago

.wav files are RIFF containers of type 'WAVE'. These files can contain many different types of RIFF chunks, but the required chunks are a 'fmt ' (format information) and 'data' (audio payload). The format chunk describes the encoding of the audio payload data, among other information (channel count, sample rate).[0]

Although .wav files are, today, typically used for non-compressed PCM data (WAVE_FORMAT_PCM), even the original 1991 RIFF specification allowed for three compressed formats: mu-law, a-law, ADPCM.[1] These are all efficient to compute and I don't find it completely implausible that such low quality compression would be used. Modern .wav files may use the WAVEFORMATEX or WAVEFORMATEXTENSIBLE chunk, which uses GUIDs to identify formats. It supports the original compressed WAVE formats,[2] but also more modern compressed formats. Here is For example, here is Microsoft's list of sub-format GUIDs (includes MPEG formats and AC-3):

https://learn.microsoft.com/en-us/windows-hardware/drivers/a...

[0] https://en.wikipedia.org/wiki/WAV

[1] https://www.aelius.com/njh/wavemetatools/doc/riffmci.pdf heading "WAVE Format Categories".

[2] https://learn.microsoft.com/en-us/windows-hardware/drivers/d...

jml7c5•2mo ago

According to the vx-underground Twitter account, this is just Regin (which was first described in 2014): https://x.com/vxunderground/status/1995309917805179141

https://en.wikipedia.org/wiki/Regin_(malware)

bri3d•2mo ago

I’m not even convinced the audiod thing is Regin; whatever is going on is way less sophisticated even based on what the OP posted from volatility. I don’t think the hash they gave vx-underground is even from the sample from the original screenshots.

I think this person is just karma/clout farming badly and the screenshots are of some even more basic RAT.

ashleyn•2mo ago

Well at the very least he confirmed Regin continues to circulate.

unsnap_biceps•2mo ago

He hasn't actually confirmed that the image he's processing is recent or if it was a test image and by "I found", he means he was able to find the thing that was known to be there. The Twitter thread has some people asking for clarification and none have been received yet.

efilife•2mo ago

I quickly skimmed at through twitter and youtube profiles and it's apparent that this guy has no idea of what he's talking about

ugh123•2mo ago

I actually get that impression too. There's a surprising lack of detail for what he's trying to announce as a major exploit and feat of discovery.

irilesscent•2mo ago

What makes me suspect them the most was the fact that they use pure neon green text on black as their tty color. (seriously who does that?)

efilife•2mo ago

lol the amount of typos here is abysmal, I must have been half-asleep

snorbleck•2mo ago

you'd think the whole "micmon.dll" reference would give it away...

OpenCiv3: Open-source, cross-platform reimagining of Civilization III

The Waymo World Model

How we made geo joins 400× faster with H3 indexes

A century of hair samples proves leaded gas ban worked

Monty: A minimal, secure Python interpreter written in Rust for use by AI

Show HN: Look Ma, No Linux: Shell, App Installer, Vi, Cc on ESP32-S3 / BreezyBox

Dark Alley Mathematics

Show HN: I spent 4 years building a UI design tool with only the features I use

Show HN: If you lose your memory, how to regain access to your computer?

Microsoft open-sources LiteBox, a security-focused library OS

Show HN: ARM64 Android Dev Kit

Sheldon Brown's Bicycle Technical Info

PC Floppy Copy Protection: Vault Prolok

Hackers (1995) Animated Experience

An Update on Heroku

Female Asian Elephant Calf Born at the Smithsonian National Zoo

Delimited Continuations vs. Lwt for Threads

Show HN: R3forth, a ColorForth-inspired language with a tiny VM

How to effectively write quality code with AI

I spent 5 years in DevOps – Solutions engineering gave me what I was missing

Introducing the Developer Knowledge API and MCP Server

Learning from context is harder than we thought

Understanding Neural Network, Visually

I now assume that all ads on Apple news are scams

FORTH? Really!?

I'm going to cure my girlfriend's brain tumor

Evaluating and mitigating the growing risk of LLM-discovered 0-days

How virtual textures work

Show HN: Smooth CLI – Token-efficient browser for AI agents

Show HN: Slack CLI for Agents