Skip to content

T1614 System Location Discovery

Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.123 Windows API functions such as GetLocaleInfoW can also be used to determine the locale of the host.1 In cloud environments, an instance’s availability zone may also be discovered by accessing the instance metadata service from the instance.45

Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.62

Item Value
ID T1614
Sub-techniques T1614.001
Tactics TA0007
Platforms IaaS, Linux, Windows, macOS
Permissions required User
Version 1.0
Created 01 April 2021
Last Modified 15 October 2021

Procedure Examples

ID Name Description
S1025 Amadey Amadey does not run any tasks or install additional malware if the victim machine is based in Russia.8
S0115 Crimson Crimson can identify the geographical location of a victim host.10
S0673 DarkWatchman DarkWatchman can identity the OS locale of a compromised host.14
S0632 GrimAgent GrimAgent can identify the country code on a compromised host.9
S0262 QuasarRAT QuasarRAT can determine the country a victim host is located in.7
S0481 Ragnar Locker Before executing malicious code, Ragnar Locker checks the Windows API GetLocaleInfoW and doesn’t encrypt files if it finds a former Soviet country.1
S1018 Saint Bot Saint Bot has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova.1213
S0461 SDBbot SDBbot can collected the country code of a compromised machine.11
G1008 SideCopy SideCopy has identified the country location of a compromised host.15

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process OS API Execution

References

  1. FBI. (2020, November 19). Indicators of Compromise Associated with Ragnar Locker Ransomware. Retrieved April 1, 2021. 

  2. Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals target you based on where you live. Retrieved April 1, 2021. 

  3. Abrams, L. (2020, October 23). New RAT malware gets commands via Discord, has ransomware feature. Retrieved April 1, 2021. 

  4. Amazon. (n.d.). Instance identity documents. Retrieved April 2, 2021. 

  5. Microsoft. (2021, February 21). Azure Instance Metadata Service (Windows). Retrieved April 2, 2021. 

  6. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved April 1, 2021. 

  7. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022. 

  8. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022. 

  9. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021. 

  10. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 

  11. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  12. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022. 

  13. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 

  14. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  15. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.