Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.[1]
There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Query Registry and calls to Native API functions.[2]
For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language
or parsing the outputs of Windows API functions GetUserDefaultUILanguage
, GetSystemDefaultUILanguage
, GetKeyboardLayoutList
and GetUserDefaultLangID
.[3][4][5]
On a macOS or Linux system, adversaries may query locale
to retrieve the value of the $LANG
environment variable.
ID | Name | Description |
---|---|---|
S0640 | Avaddon |
Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities.[6] |
S0534 | Bazar |
Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian.[7] |
S0611 | Clop |
Clop has checked the keyboard language using the GetKeyboardLayout() function to avoid installation on Russian-language or other Commonwealth of Independent States-language machines; it will also check the |
S0625 | Cuba |
Cuba can check if Russian language is installed on the infected machine by using the function |
S0616 | DEATHRANSOM |
Some versions of DEATHRANSOM have performed language ID and keyboard layout checks; if either of these matched Russian, Kazakh, Belarusian, Ukrainian or Tatar DEATHRANSOM would exit.[10] |
S0547 | DropBook |
DropBook has checked for the presence of Arabic language in the infected machine's settings.[11] |
S0696 | Flagpro |
Flagpro can check whether the target system is using Japanese, Taiwanese, or English through detection of specific Windows Security and Internet Explorer dialog.[12] |
S0632 | GrimAgent |
GrimAgent has used |
G0004 | Ke3chang |
Ke3chang has used implants to collect the system language ID of a compromised machine.[14] |
G0032 | Lazarus Group |
Lazarus Group has deployed malware designed not to run on computers set to Korean, Japanese, or Chinese in Windows language preferences.[15] |
S0652 | MarkiRAT |
MarkiRAT can use the |
S0449 | Maze |
Maze has checked the language of the machine with function |
S0691 | Neoichor |
Neoichor can identify the system language on a compromised host.[14] |
S0496 | REvil |
REvil can check the system language using |
S0446 | Ryuk |
Ryuk has been observed to query the registry key |
S0546 | SharpStage |
SharpStage has been used to target Arabic-speaking users and used code that checks if the compromised machine has the Arabic language installed.[11] |
S0543 | Spark |
Spark has checked the results of the |
S0242 | SynAck |
SynAck lists all the keyboard layouts installed on the victim’s system using |
S0658 | XCSSET |
XCSSET uses AppleScript to check the host's language and location with the command |
S0330 | Zeus Panda |
Zeus Panda queries the system's keyboard mapping to determine the language used on the system. It will terminate execution if it detects LANG_RUSSIAN, LANG_BELARUSIAN, LANG_KAZAK, or LANG_UKRAINIAN.[21] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | OS API Execution |
Process Creation | ||
DS0024 | Windows Registry | Windows Registry Key Access |
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system language information. This may include calls to various API functions and interaction with system configuration settings such as the Windows Registry.