System Location Discovery
Sub-techniques (1)
ID | Name
---|---
.001 | System Language Discovery
Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
Procedure Examples
Name | Description
---|---
DarkWatchman | DarkWatchman can identify the OS locale of a compromised host.(Citation: Prevailion DarkWatchman 2021)
Gootloader | Gootloader can use IP geolocation to determine if the person browsing to a compromised site is within a targeted territory such as the US, Canada, Germany, and South Korea.(Citation: SentinelOne Gootloader June 2021)
SideCopy | SideCopy has identified the country location of a compromised host.(Citation: MalwareBytes SideCopy Dec 2021)
Cuckoo Stealer | Cuckoo Stealer can determine the geographical location of a victim host by checking the language.(Citation: Kandji Cuckoo April 2024)
DarkGate | DarkGate queries system locale information during execution.(Citation: Ensilo Darkgate 2018) Later versions of DarkGate query
SocGholish | SocGholish can use IP-based geolocation to limit infections to victims in North America, Europe, and a small number of Asian-Pacific nations.(Citation: Secureworks Gold Prelude Profile)
QuasarRAT | QuasarRAT can determine the country a victim host is located in.(Citation: CISA AR18-352A Quasar RAT December 2018)
SDBbot | SDBbot can collect the country code of a compromised machine.(Citation: Korean FSI TA505 2020)
Ragnar Locker | Before executing malicious code, Ragnar Locker checks the Windows API
Raccoon Stealer | Raccoon Stealer collects the `Locale Name` of the infected device via `GetUserDefaultLocaleName` to determine whether the string `ru` is included, but in analyzed samples no action is taken if present.(Citation: S2W Racoon 2022)
Crimson | Crimson can identify the geographical location of a victim host.(Citation: Kaspersky Transparent Tribe August 2020)
Saint Bot | Saint Bot has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
GrimAgent | GrimAgent can identify the country code on a compromised host.(Citation: Group IB GrimAgent July 2021)
Amadey | Amadey does not run any tasks or install additional malware if the victim machine is based in Russia.(Citation: BlackBerry Amadey 2020)
Volt Typhoon | Volt Typhoon has obtained the victim's system current location.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)
Detection
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW to gather information.(Citation: FBI Ragnar Locker 2020)
Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
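The following is an added example, not part of the ATT&CK page, showing how the detection guidance above and the technique description (locale API calls, geolocation lookup services, instance metadata queries) can be turned into a small correlation rule over endpoint telemetry. The event shape is a simplified assumption rather than any vendor's schema; the link-local address 169.254.169.254 is the well-known instance metadata endpoint for AWS and Azure, and the PowerShell cmdlets in the regex are assumed additional locale/time-zone commands worth watching, not something the page lists.

```python
"""Correlate System Location Discovery indicators per process from constructed telemetry."""
import re
from collections import defaultdict

# Indicators taken from the technique description: locale Windows APIs,
# IP geolocation services, and the cloud instance metadata service.
LOCALE_APIS = {"GetLocaleInfoW", "GetUserDefaultLocaleName"}
GEOIP_DOMAINS = {"ip-api.com", "ipinfo.io"}
IMDS_HOST = "169.254.169.254"  # assumed: well-known AWS/Azure IMDS address
# Assumed additional command-line checks for locale / time zone (not from the page).
LOCALE_CMD = re.compile(r"Get-WinSystemLocale|Get-Culture|Get-TimeZone|systeminfo", re.I)

def classify(event):
    """Return the indicator labels one event triggers (empty list if none)."""
    hits = []
    if event["type"] == "process":
        if event.get("api") in LOCALE_APIS:
            hits.append("locale-api:" + event["api"])
        if LOCALE_CMD.search(event.get("cmdline", "")):
            hits.append("locale-cmd")
    elif event["type"] == "network":
        host = event.get("dest", "").lower()
        if host in GEOIP_DOMAINS:
            hits.append("geoip-lookup:" + host)
        if host == IMDS_HOST:
            hits.append("imds-query")
    return hits

def correlate(events):
    """Group hits by pid so discovery is seen as a chain of behavior, not an isolated event."""
    by_pid = defaultdict(list)
    for ev in events:
        for h in classify(ev):
            by_pid[ev["pid"]].append(h)
    return dict(by_pid)

# Constructed sample telemetry for demonstration; not taken from any real incident.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "api": "GetUserDefaultLocaleName", "cmdline": "update.exe"},
    {"type": "network", "pid": 4120, "dest": "ip-api.com"},
    {"type": "process", "pid": 8080, "cmdline": "powershell.exe Get-TimeZone"},
    {"type": "network", "pid": 1200, "dest": "169.254.169.254"},
    {"type": "network", "pid": 3333, "dest": "example.org"},
]

if __name__ == "__main__":
    for pid, hits in correlate(SAMPLE_EVENTS).items():
        print(pid, hits)
```

A process that both queries the locale API and then contacts a geolocation service (pid 4120 above) is the pattern worth escalating; a lone locale check is common in legitimate software.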
References
- Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals target you based on where you live. Retrieved April 1, 2021.
- Microsoft. (2021, February 21). Azure Instance Metadata Service (Windows). Retrieved April 2, 2021.
- FBI. (2020, November 19). Indicators of Compromise Associated with Ragnar Locker Ransomware. Retrieved September 12, 2024.
- Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved April 1, 2021.
- Amazon. (n.d.). Instance identity documents. Retrieved April 2, 2021.
- Abrams, L. (2020, October 23). New RAT malware gets commands via Discord, has ransomware feature. Retrieved April 1, 2021.
- Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
- Pirozzi, A. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 28, 2024.
- Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
- Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
- Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
- Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
- Secureworks. (n.d.). GOLD PRELUDE. Retrieved March 22, 2024.
- CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
- Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
- S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
- Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
- Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
- Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
- Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
- Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
- CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.