System Location Discovery: System Language Discovery
Other sub-techniques of System Location Discovery (1)

ID | Name |
---|---|
.001 | System Language Discovery |
Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)
There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Query Registry and calls to Native API functions.(Citation: CrowdStrike Ryuk January 2019)
For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language` or parsing the outputs of the Windows API functions `GetUserDefaultUILanguage`, `GetSystemDefaultUILanguage`, `GetKeyboardLayoutList` and `GetUserDefaultLangID`.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelgänging May 2018)

On a macOS or Linux system, adversaries may query `locale` to retrieve the value of the `$LANG` environment variable.
Procedure Examples

Name | Description |
---|---|
Operation Dream Job | During Operation Dream Job, Lazarus Group deployed malware designed not to run on computers set to Korean, Japanese, or Chinese in Windows language preferences.(Citation: ClearSky Lazarus Aug 2020) |
Cuckoo Stealer | Cuckoo Stealer can check the system's `LANG` environment variable to prevent infecting devices from Armenia (`hy_AM`), Belarus (`be_BY`), Kazakhstan (`kk_KZ`), Russia (`ru_RU`), and Ukraine (`uk_UA`).(Citation: Kandji Cuckoo April 2024) |
MarkiRAT | MarkiRAT can use the |
XCSSET | XCSSET uses AppleScript to check the host's language and location with the command |
Cuba | Cuba can check if the Russian language is installed on the infected machine by using the function |
Ke3chang | Ke3chang has used implants to collect the system language ID of a compromised machine.(Citation: Microsoft NICKEL December 2021) |
Flagpro | Flagpro can check whether the target system is using Japanese, Taiwanese, or English through detection of specific Windows Security and Internet Explorer dialogs.(Citation: NTT Security Flagpro new December 2021) |
IcedID | IcedID used the following command to check the country/language of the active console: `cmd.exe /c chcp >&2`.(Citation: DFIR_Quantum_Ransomware) |
Avaddon | Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities.(Citation: Arxiv Avaddon Feb 2021) |
Maze | Maze has checked the language of the machine with function |
Mispadu | Mispadu checks and will terminate execution if the compromised system's language ID is not Spanish or Portuguese.(Citation: Segurança Informática URSA Sophisticated Loader 2020)(Citation: SCILabs Malteiro 2021) |
Spark | Spark has checked the results of the |
Ryuk | Ryuk has been observed to query the registry key |
Gootloader | Gootloader can determine if a victim's computer is running an operating system with specific language preferences.(Citation: Sophos Gootloader) |
S-Type | S-Type has attempted to determine if a compromised system was using a Japanese keyboard via the `GetKeyboardType` API call.(Citation: Cylance Dust Storm) |
Bazar | Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian.(Citation: NCC Group Team9 June 2020) |
DEATHRANSOM | Some versions of DEATHRANSOM have performed language ID and keyboard layout checks; if either of these matched Russian, Kazakh, Belarusian, Ukrainian or Tatar, DEATHRANSOM would exit.(Citation: FireEye FiveHands April 2021) |
Neoichor | Neoichor can identify the system language on a compromised host.(Citation: Microsoft NICKEL December 2021) |
Clop | Clop has checked the keyboard language using the `GetKeyboardLayout()` function to avoid installation on Russian-language or other Commonwealth of Independent States-language machines; it will also check the |
Zeus Panda | Zeus Panda queries the system's keyboard mapping to determine the language used on the system. It will terminate execution if it detects `LANG_RUSSIAN`, `LANG_BELARUSIAN`, `LANG_KAZAK`, or `LANG_UKRAINIAN`.(Citation: Talos Zeus Panda Nov 2017) |
GrimAgent | GrimAgent has used |
DropBook | DropBook has checked for the presence of the Arabic language in the infected machine's settings.(Citation: BleepingComputer Molerats Dec 2020) |
REvil | REvil can check the system language using |
Lazarus Group | Lazarus Group has deployed malware designed not to run on computers set to Korean, Japanese, or Chinese in Windows language preferences.(Citation: ClearSky Lazarus Aug 2020) |
SynAck | SynAck lists all the keyboard layouts installed on the victim's system using |
Misdat | Misdat has attempted to detect if a compromised host had a Japanese keyboard via the Windows API call `GetKeyboardType`.(Citation: Cylance Dust Storm) |
SharpStage | SharpStage has been used to target Arabic-speaking users and used code that checks if the compromised machine has the Arabic language installed.(Citation: BleepingComputer Molerats Dec 2020) |
Malteiro | Malteiro will terminate Mispadu's infection process if the language of the victim machine is not Spanish or Portuguese.(Citation: SCILabs Malteiro 2021) |
Detection
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system language information. This may include calls to various API functions and interaction with system configuration settings such as the Windows Registry.
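The detection guidance above, as an added example that is not part of the ATT&CK page: a small Python scanner that runs the indicators named in this technique (the `Nls\Language` registry key, the language and keyboard-layout API names, `chcp`, `locale` and `$LANG`) over constructed process, registry and API telemetry lines, then groups hits by the responsible program so that a single registry read is not judged in isolation. The key=value record format, the event names `ProcessCreate`, `RegistryQuery` and `ApiCall`, and the sample paths are assumptions made for the example; a real sensor needs its own field mapping.

```python
"""Flag telemetry that looks like a system language / keyboard-layout check.

Added example, not ATT&CK's own code. The record format (one key=value
line per event, values quoted when they contain spaces) and the event
names ProcessCreate / RegistryQuery / ApiCall are assumptions; real
sensors (Sysmon, EDR) need their own field mapping.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the technique description on this page.
REGISTRY_INDICATORS = [
    re.compile(r"\\CurrentControlSet\\Control\\Nls\\Language\b", re.I),
]
API_INDICATORS = [
    re.compile(r"\b(?:GetUserDefaultUILanguage|GetSystemDefaultUILanguage|"
               r"GetKeyboardLayoutList|GetUserDefaultLangID|"
               r"GetKeyboardLayout|GetKeyboardType)\b"),
]
COMMAND_INDICATORS = [
    re.compile(r"\bchcp\b", re.I),                 # e.g. cmd.exe /c chcp
    re.compile(r"(?:^|[\s;&|])locale(?:\s|$)"),    # macOS/Linux `locale`
    re.compile(r"\$LANG\b"),                       # reading $LANG directly
]

# Constructed sample telemetry (not real logs). Lines 1-3 come from one
# dropper, line 4 from a Linux implant, lines 5-6 are benign system noise.
SAMPLE_LOG = r'''
event=ProcessCreate pid=4120 image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c chcp >&2" parent="C:\Users\victim\AppData\Local\Temp\update.exe"
event=RegistryQuery pid=5032 image="C:\Users\victim\AppData\Local\Temp\update.exe" key="HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language"
event=ApiCall pid=5032 image="C:\Users\victim\AppData\Local\Temp\update.exe" function="GetKeyboardLayoutList"
event=ProcessCreate pid=7711 image="/bin/sh" cmdline="sh -c locale" parent="/tmp/.cache/agent"
event=ProcessCreate pid=2200 image="C:\Windows\System32\svchost.exe" cmdline="svchost.exe -k netsvcs" parent="C:\Windows\System32\services.exe"
event=RegistryQuery pid=2200 image="C:\Windows\System32\svchost.exe" key="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
'''

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Finding:
    line_no: int
    actor: str       # program responsible for the check
    kind: str        # "registry", "api" or "command"
    indicator: str   # matched registry path, API name or command token


def parse_record(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def responsible_program(rec):
    """For a process-creation event the interesting party is the parent that
    launched the query (the dropper behind cmd.exe /c chcp); for registry
    and API events it is the process itself."""
    if rec.get("event") == "ProcessCreate":
        return rec.get("parent", rec.get("image", "?"))
    return rec.get("image", "?")


def scan_record(rec):
    """Yield (kind, indicator) for every language-check indicator in a record."""
    checks = (
        ("registry", rec.get("key", ""), REGISTRY_INDICATORS),
        ("api", rec.get("function", ""), API_INDICATORS),
        ("command", rec.get("cmdline", ""), COMMAND_INDICATORS),
    )
    for kind, field, patterns in checks:
        for pattern in patterns:
            match = pattern.search(field)
            if match:
                yield kind, match.group(0).strip()


def find_language_checks(log_text):
    """Scan a whole log and return one Finding per indicator hit."""
    findings = []
    for line_no, line in enumerate(log_text.strip().splitlines(), start=1):
        rec = parse_record(line)
        for kind, indicator in scan_record(rec):
            findings.append(Finding(line_no, responsible_program(rec), kind, indicator))
    return findings


def correlate(findings):
    """Group hits by responsible program. A program that combines several
    distinct kinds of check (registry + API + shell command) is a much
    stronger signal than one registry read seen in isolation, which is
    the chain-of-behaviour point the detection guidance makes."""
    kinds_by_actor = defaultdict(set)
    for finding in findings:
        kinds_by_actor[finding.actor].add(finding.kind)
    return {actor: sorted(kinds) for actor, kinds in kinds_by_actor.items()}


if __name__ == "__main__":
    hits = find_language_checks(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit.line_no}: {hit.kind:8} {hit.indicator!r} by {hit.actor}")
    for actor, kinds in correlate(hits).items():
        print(f"{actor}: {', '.join(kinds)} ({len(kinds)} distinct check types)")
```

On the constructed sample the dropper in the user's Temp directory is the only program that touches all three kinds of check, while the benign `svchost.exe` registry read produces nothing; in practice the correlation step is where a detection rule should add context such as process lineage, signing status and the follow-on actions the page lists (infection decision, ransomware deployment) rather than alerting on any single API name.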
References

- ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
- Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
- Fedor Sinitsyn. (2021, May 25). Evolution of JSWorm Ransomware. Retrieved August 18, 2021.
- Cybereason Nocturnus. (2021, April 1). Cybereason vs. Darkside Ransomware. Retrieved August 18, 2021.
- Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
- Pierre-Marc Bureau. (2009, January 15). Malware Trying to Avoid Some Countries. Retrieved August 18, 2021.
- Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
- GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
- Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
- Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
- MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
- Hada, H. (2021, December 28). Flagpro: The new malware used by BlackTech. Retrieved March 25, 2022.
- DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024.
- Yuste, J. & Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
- Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
- SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
- Pedro Tavares (Segurança Informática). (2020, September 15). Threat analysis: The emergent URSA trojan impacts many countries using a sophisticated loader. Retrieved March 13, 2024.
- Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
- Szappanos, G. & Brandt, A. (2021, March 1). "Gootloader" expands its payload delivery options. Retrieved September 30, 2022.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
- Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
- McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
- Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.
- Brumaghin, E., et al. (2017, November 2). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.
- Priego, A. (2021, July). The Brothers Grim: The Reversing Tale of GrimAgent Malware Used by Ryuk. Retrieved September 19, 2024.
- Ilascu, I. (2020, December 14). Hacking group's new malware abuses Google and Facebook services. Retrieved December 28, 2020.
- Mamedov, O., et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.