Description
Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)
There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Query Registry and calls to Native API functions.(Citation: CrowdStrike Ryuk January 2019)
For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language or parsing the outputs of Windows API functions GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelgänging May 2018)
On a macOS or Linux system, adversaries may query locale to retrieve the value of the $LANG environment variable.
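The following Python is an added defender-side example, not part of the original page: it runs simple indicator matching for the discovery sources named above (the Nls\Language registry key, the `chcp` console query used by IcedID, and `locale`/`$LANG` on macOS/Linux) over constructed process-creation events, and decodes the LANGID values such checks compare against. The sample events and the partial primary-language table are constructed assumptions.

```python
import re

# Constructed sample process-creation events: (image, command_line).
# The command lines mirror the sources listed in the description above.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\reg.exe",
     r"reg query HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language"),
    ("C:\\Windows\\System32\\cmd.exe", "cmd.exe /c chcp > C:\\Users\\Public\\cp.txt"),
    ("/bin/sh", "sh -c 'locale; echo $LANG'"),
    ("C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir C:\\Users"),   # benign
    ("/usr/bin/python3", "python3 app.py"),                           # benign
]

# Indicators derived from the description and software table on this page.
INDICATORS = [
    ("registry: Nls\\Language", re.compile(r"\\Nls\\Language\b", re.I)),
    ("console code page: chcp", re.compile(r"(^|[\s/])chcp(\s|$)", re.I)),
    ("locale / $LANG", re.compile(r"(^|[\s;'\"])locale(\s|;|$)|\$LANG\b")),
]

def flag_language_discovery(events):
    """Return (command_line, indicator) pairs that merit analyst review.

    Each indicator contributes at most one hit per event; the matches are a
    triage signal, not proof of malicious intent (admins run these too).
    """
    hits = []
    for _image, cmd in events:
        for label, pattern in INDICATORS:
            if pattern.search(cmd):
                hits.append((cmd, label))
    return hits

# Windows LANGID layout (what GetUserDefaultLangID returns and what the
# Nls\Language registry values hold as hex strings): low 10 bits = primary
# language, high 6 bits = sublanguage. Only a few primary IDs are tabulated
# here (assumed subset; extend as needed).
PRIMARY_LANGS = {0x09: "English", 0x19: "Russian", 0x11: "Japanese",
                 0x04: "Chinese", 0x0A: "Spanish", 0x16: "Portuguese",
                 0x22: "Ukrainian"}

def decode_langid(langid):
    """Split a LANGID (int or registry hex string like "0419") into
    (primary language name, sublanguage number) for analyst reporting."""
    if isinstance(langid, str):
        langid = int(langid, 16)
    primary, sub = langid & 0x3FF, langid >> 10
    return PRIMARY_LANGS.get(primary, f"primary 0x{primary:02x}"), sub
```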
Platforms
Threat Groups (5)
| ID | Group | Context |
|---|---|---|
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has used implants to collect the system language ID of a compromised machine.(Citation: Microsoft NI... |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has deployed shellcode to check for Japanese Microsoft Office settings.(Citation: ITOCHU LODEINFO ... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) identified system language settings to determine follow-on execution.(Citation: Picus BlackByte 202... |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has identified system language codes on a compromised host to determine if the victim falls under ... |
| G1026 | Malteiro | [Malteiro](https://attack.mitre.org/groups/G1026) will terminate [Mispadu](https://attack.mitre.org/software/S1122)'s infection process if the languag... |
Associated Software (33)
| ID | Name | Type | Context |
|---|---|---|---|
| S1153 | Cuckoo Stealer | Malware | [Cuckoo Stealer](https://attack.mitre.org/software/S1153) can check the system's `LANG` environment variable to prevent infecting devices from Armeni... |
| S0652 | MarkiRAT | Malware | [MarkiRAT](https://attack.mitre.org/software/S0652) can use the <code>GetKeyboardLayout</code> API to check if a compromised host's keyboard is set to... |
| S0658 | XCSSET | Malware | [XCSSET](https://attack.mitre.org/software/S0658) uses AppleScript to check the host's language and location with the command <code>user locale of (ge... |
| S0625 | Cuba | Malware | [Cuba](https://attack.mitre.org/software/S0625) can check if Russian language is installed on the infected machine by using the function <code>GetKeyb... |
| S0696 | Flagpro | Malware | [Flagpro](https://attack.mitre.org/software/S0696) can check whether the target system is using Japanese, Taiwanese, or English through detection of s... |
| S0483 | IcedID | Malware | [IcedID](https://attack.mitre.org/software/S0483) used the following command to check the country/language of the active console: ` cmd.exe /c chcp >... |
| S0640 | Avaddon | Malware | [Avaddon](https://attack.mitre.org/software/S0640) checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independen... |
| S0449 | Maze | Malware | [Maze](https://attack.mitre.org/software/S0449) has checked the language of the machine with function <code>GetUserDefaultUILanguage</code> and termin... |
| S1122 | Mispadu | Malware | [Mispadu](https://attack.mitre.org/software/S1122) checks and will terminate execution if the compromised system’s language ID is not Spanish or Portu... |
| S0543 | Spark | Malware | [Spark](https://attack.mitre.org/software/S0543) has checked the results of the <code>GetKeyboardLayoutList</code> and the language name returned by <... |
| S1228 | PUBLOAD | Malware | [PUBLOAD](https://attack.mitre.org/software/S1228) has checked supported languages on the compromised system.(Citation: CSIRT CTI MUSTANG PANDA PUBLOA... |
| S0446 | Ryuk | Malware | [Ryuk](https://attack.mitre.org/software/S0446) has been observed to query the registry key <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\... |
| S1138 | Gootloader | Malware | [Gootloader](https://attack.mitre.org/software/S1138) can determine if a victim's computer is running an operating system with specific language prefe... |
| S0085 | S-Type | Malware | [S-Type](https://attack.mitre.org/software/S0085) has attempted to determine if a compromised system was using a Japanese keyboard via the `GetKeyboar... |
| S9020 | LODEINFO | Malware | [LODEINFO](https://attack.mitre.org/software/S9020) can look for the “en_US” locale on the victim’s machine.(Citation: Kaspersky LODEINFO Part II OCT... |
| S0534 | Bazar | Malware | [Bazar](https://attack.mitre.org/software/S0534) can perform a check to ensure that the operating system's keyboard and language settings are not set ... |
| S0616 | DEATHRANSOM | Malware | Some versions of [DEATHRANSOM](https://attack.mitre.org/software/S0616) have performed language ID and keyboard layout checks; if either of these matc... |
| S0691 | Neoichor | Malware | [Neoichor](https://attack.mitre.org/software/S0691) can identify the system language on a compromised host.(Citation: Microsoft NICKEL December 2021) |
| S0611 | Clop | Malware | [Clop](https://attack.mitre.org/software/S0611) has checked the keyboard language using the GetKeyboardLayout() function to avoid installation on Russ... |
| S1240 | RedLine Stealer | Malware | [RedLine Stealer](https://attack.mitre.org/software/S1240) can retrieve system default language and time zone.(Citation: Splunk RedLine Stealer June 2... |
References
- Cybereason Nocturnus. (2021, April 1). Cybereason vs. Darkside Ransomware. Retrieved August 18, 2021.
- Fedor Sinitsyn. (2021, May 25). Evolution of JSWorm Ransomware. Retrieved August 18, 2021.
- Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
- Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
- Pierre-Marc Bureau. (2009, January 15). Malware Trying to Avoid Some Countries. Retrieved August 18, 2021.
Frequently Asked Questions
What is T1614.001 (System Language Discovery)?
T1614.001 is a MITRE ATT&CK technique named 'System Language Discovery'. It belongs to the Discovery tactic(s). Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors,...
How can T1614.001 be detected?
Detection of T1614.001 (System Language Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1614.001?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1614.001?
Known threat groups using T1614.001 include: Ke3chang, MirrorFace, BlackByte, Storm-0501, Malteiro.