System Location Discovery: System Language Discovery

Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.[1]

There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Query Registry and calls to Native API functions.[2]

For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language or parsing the outputs of Windows API functions GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID.[3][4][5]

On a macOS or Linux system, adversaries may query locale to retrieve the value of the $LANG environment variable.

ID: T1614.001
Sub-technique of:  T1614
Tactic: Discovery
Platforms: Linux, Windows, macOS
Permissions Required: User
Contributors: Harshal Tupsamudre, Qualys
Version: 1.0
Created: 18 August 2021
Last Modified: 15 October 2021

Procedure Examples

ID Name Description
S0640 Avaddon

Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities.[6]

S0534 Bazar

Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian.[7]

S0611 Clop

Clop has checked the keyboard language using the GetKeyboardLayout() function to avoid installation on Russian-language or other Commonwealth of Independent States-language machines; it will also check the GetTextCharset function.[8]

S0625 Cuba

Cuba can check if Russian language is installed on the infected machine by using the function GetKeyboardLayoutList.[9]

S0616 DEATHRANSOM

Some versions of DEATHRANSOM have performed language ID and keyboard layout checks; if either of these matched Russian, Kazakh, Belarusian, Ukrainian or Tatar DEATHRANSOM would exit.[10]

S0547 DropBook

DropBook has checked for the presence of Arabic language in the infected machine's settings.[11]

S0696 Flagpro

Flagpro can check whether the target system is using Japanese, Taiwanese, or English through detection of specific Windows Security and Internet Explorer dialog.[12]

S0632 GrimAgent

GrimAgent has used Accept-Language to identify hosts in the United Kingdom, United States, France, and Spain.[13]

G0004 Ke3chang

Ke3chang has used implants to collect the system language ID of a compromised machine.[14]

S0652 MarkiRAT

MarkiRAT can use the GetKeyboardLayout API to check if a compromised host's keyboard is set to Persian.[15]

S0449 Maze

Maze has checked the language of the machine with function GetUserDefaultUILanguage and terminated execution if the language matches with an entry in the predefined list.[16]

S0083 Misdat

Misdat has attempted to detect if a compromised host had a Japanese keyboard via the Windows API call GetKeyboardType.[17]

S0691 Neoichor

Neoichor can identify the system language on a compromised host.[14]

C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group deployed malware designed not to run on computers set to Korean, Japanese, or Chinese in Windows language preferences.[18]

S0496 REvil

REvil can check the system language using GetUserDefaultUILanguage and GetSystemDefaultUILanguage. If the language is found in the list, the process terminates.[19]

S0446 Ryuk

Ryuk has been observed to query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and the value InstallLanguage. If the machine has the value 0x419 (Russian), 0x422 (Ukrainian), or 0x423 (Belarusian), it stops execution.[2]

S0085 S-Type

S-Type has attempted to determine if a compromised system was using a Japanese keyboard via the GetKeyboardType API call.[17]

S0546 SharpStage

SharpStage has been used to target Arabic-speaking users and used code that checks if the compromised machine has the Arabic language installed.[11]

S0543 Spark

Spark has checked the results of the GetKeyboardLayoutList and the language name returned by GetLocaleInfoA to make sure they contain the word "Arabic" before executing.[20]

S0242 SynAck

SynAck lists all the keyboard layouts installed on the victim’s system using GetKeyboardLayoutList API and checks against a hardcoded language code list. If a match if found, SynAck sleeps for 300 seconds and then exits without encrypting files.[5]

S0658 XCSSET

XCSSET uses AppleScript to check the host's language and location with the command user locale of (get system info).[21]

S0330 Zeus Panda

Zeus Panda queries the system's keyboard mapping to determine the language used on the system. It will terminate execution if it detects LANG_RUSSIAN, LANG_BELARUSIAN, LANG_KAZAK, or LANG_UKRAINIAN.[22]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

DS0009 Process OS API Execution

Monitor for API calls that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Process Creation

Monitor for newly executed processes that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

DS0024 Windows Registry Windows Registry Key Access

Monitor for access to windows registry keys that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

References