1. Home
  2. Techniques
  3. Enterprise
  4. 系统位置发现

系统位置发现

ID Name
T1614.001 合法API隐蔽调用
T1614.002 地理位置间接查询

Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.[1][2][3] Windows API functions such as GetLocaleInfoW can also be used to determine the locale of the host.[1] In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.[4][5]

Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.[6][2]

ID: T1614
Sub-techniques:  T1614.001, T1614.002
Tactic: 环境测绘
Platforms: IaaS, Linux, Windows, macOS
Contributors: Hiroki Nagahama, NEC Corporation; Katie Nickels, Red Canary; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India; Wes Hurd
Version: 1.1
Created: 01 April 2021
Last Modified: 15 October 2024

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

行为透明

系统位置发现技术使用操作系统自带的合法API(如 GetLocaleInfoW函数)或外部合法远程工具(如IP地理位置查询服务)来推测系统的位置。在这些系统允许的合法操作下,攻击者的行为看似正常,与常规系统操作或外部互联网查询活动无异,不会引起异常警报,防御者难以辨别异常行为。

时空释痕

通过代理节点动态轮换和低频次分布式查询,将集中式位置发现任务分散至长时间跨度和多地理区域。合法API寄生技术中的请求碎片化策略,使得单次侦察行为特征浓度被稀释在服务商每日数亿级别的合法请求中,传统基于时间窗口或空间聚类的检测模型难以生效。

Procedure Examples

ID Name Description
S1025 Amadey

Amadey does not run any tasks or install additional malware if the victim machine is based in Russia.[7]
S0115 Crimson

Crimson can identify the geographical location of a victim host.[8]

S1153 Cuckoo Stealer

Cuckoo Stealer can determine the geographical location of a victim host by checking the language.[9]
S1111 DarkGate

DarkGate queries system locale information during execution.[10] Later versions of DarkGate query GetSystemDefaultLCID for locale information to determine if the malware is executing in Russian-speaking countries.[11]
S0673 DarkWatchman

DarkWatchman can identity the OS locale of a compromised host.[12]
S1138 Gootloader

Gootloader can use IP geolocation to determine if the person browsing to a compromised site is within a targeted territory such as the US, Canada, Germany, and South Korea.[13]
S0632 GrimAgent

GrimAgent can identify the country code on a compromised host.[14]
S0262 QuasarRAT

QuasarRAT can determine the country a victim host is located in.[15]
S1148 Raccoon Stealer

Raccoon Stealer collects the Locale Name of the infected device via GetUserDefaultLocaleName to determine whether the string ru is included, but in analyzed samples no action is taken if present.[16]
S0481 Ragnar Locker

Before executing malicious code, Ragnar Locker checks the Windows API GetLocaleInfoW and doesn't encrypt files if it finds a former Soviet country.[1]
S1018 Saint Bot

Saint Bot has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova.[17][18]
S0461 SDBbot

SDBbot can collected the country code of a compromised machine.[19]
G1008 SideCopy

SideCopy has identified the country location of a compromised host.[20]
S1124 SocGholish

SocGholish can use IP-based geolocation to limit infections to victims in North America, Europe, and a small number of Asian-Pacific nations.[21]
G1017 Volt Typhoon

Volt Typhoon has obtained the victim's system current location.[22]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may gather information in an attempt to calculate the geographical location of a victim host.
DS0009 Process OS API Execution

Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW to gather information.[1]
Process Creation

Monitor newly executed processes that may gather information in an attempt to calculate the geographical location of a victim host.

References

  1. FBI. (2020, November 19). Indicators of Compromise Associated with Ragnar Locker Ransomware. Retrieved September 12, 2024.
  2. Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals target you based on where you live. Retrieved April 1, 2021.
  3. Abrams, L. (2020, October 23). New RAT malware gets commands via Discord, has ransomware feature. Retrieved April 1, 2021.
  4. Amazon. (n.d.). Instance identity documents. Retrieved April 2, 2021.
  5. Microsoft. (2021, February 21). Azure Instance Metadata Service (Windows). Retrieved April 2, 2021.
  6. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved April 1, 2021.
  7. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
  8. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  9. Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
  10. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  11. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
  1. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  2. Pirozzi, A. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 28, 2024.
  3. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
  4. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
  5. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
  6. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
  7. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  8. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  9. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  10. Secureworks. (n.d.). GOLD PRELUDE . Retrieved March 22, 2024.
  11. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.