Description
Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
Platforms
Sub-Techniques (1)
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G1008 | SideCopy | [SideCopy](https://attack.mitre.org/groups/G1008) has identified the country location of a compromised host.(Citation: MalwareBytes SideCopy Dec 2021) |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has obtained the victim's system current location.(Citation: CISA AA24-038A PRC Critical Infrast... |
Associated Software (24)
| ID | Name | Type | Context |
|---|---|---|---|
| S0673 | DarkWatchman | Malware | [DarkWatchman](https://attack.mitre.org/software/S0673) can identity the OS locale of a compromised host.(Citation: Prevailion DarkWatchman 2021) |
| S1138 | Gootloader | Malware | [Gootloader](https://attack.mitre.org/software/S1138) can use IP geolocation to determine if the person browsing to a compromised site is within a ta... |
| S0013 | PlugX | Malware | [PlugX](https://attack.mitre.org/software/S0013) has obtained the location of the victim device by leveraging `GetSystemDefaultLCID`.(Citation: Eset P... |
| S1153 | Cuckoo Stealer | Malware | [Cuckoo Stealer](https://attack.mitre.org/software/S1153) can determine the geographical location of a victim host by checking the language.(Citation:... |
| S9034 | Tsundere Botnet | Malware | [Tsundere Botnet](https://attack.mitre.org/software/S9034) has checked the victim machine’s location by obtaining the culture name of the machine.(Cit... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) queries system locale information during execution.(Citation: Ensilo Darkgate 2018) Later versions... |
| S1124 | SocGholish | Malware | [SocGholish](https://attack.mitre.org/software/S1124) can use IP-based geolocation to limit infections to victims in North America, Europe, and a smal... |
| S1248 | XORIndex Loader | Malware | [XORIndex Loader](https://attack.mitre.org/software/S1248) can identify the geographical location of a victim host.(Citation: Socket BeaverTail XORInd... |
| S0262 | QuasarRAT | Tool | [QuasarRAT](https://attack.mitre.org/software/S0262) can determine the country a victim host is located in.(Citation: CISA AR18-352A Quasar RAT Decemb... |
| S9030 | SameCoin | Malware | [SameCoin](https://attack.mitre.org/software/S9030) can attempt to connect to the Israel Home Front Command site, oref.org[.]il, which is only reachab... |
| S9019 | PureCrypter | Malware | [PureCrypter](https://attack.mitre.org/software/S9019) can use `kernel32!GetGeoInfo` to determine system location.(Citation: Zscaler PureCrypter JUN 2... |
| S0461 | SDBbot | Malware | [SDBbot](https://attack.mitre.org/software/S0461) can collected the country code of a compromised machine.(Citation: Korean FSI TA505 2020) |
| S1240 | RedLine Stealer | Malware | [RedLine Stealer](https://attack.mitre.org/software/S1240) has gathered detailed information about victims’ systems, such as IP addresses, and geoloca... |
| S0481 | Ragnar Locker | Malware | Before executing malicious code, [Ragnar Locker](https://attack.mitre.org/software/S0481) checks the Windows API <code>GetLocaleInfoW</code> and doesn... |
| S1148 | Raccoon Stealer | Malware | [Raccoon Stealer](https://attack.mitre.org/software/S1148) collects the `Locale Name` of the infected device via `GetUserDefaultLocaleName` to determi... |
| S9010 | GlassWorm | Malware | [GlassWorm](https://attack.mitre.org/software/S9010) has leveraged geofencing logic to detect whether it is operating in a Russian associated time zon... |
| S0115 | Crimson | Malware | [Crimson](https://attack.mitre.org/software/S0115) can identify the geographical location of a victim host.(Citation: Kaspersky Transparent Tribe Augu... |
| S1018 | Saint Bot | Malware | [Saint Bot](https://attack.mitre.org/software/S1018) has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus,... |
| S0632 | GrimAgent | Malware | [GrimAgent](https://attack.mitre.org/software/S0632) can identify the country code on a compromised host.(Citation: Group IB GrimAgent July 2021) |
| S1249 | HexEval Loader | Malware | [HexEval Loader](https://attack.mitre.org/software/S1249) has a function where the C2 endpoint can identify the geographical location of a victim host... |
References
- Abrams, L. (2020, October 23). New RAT malware gets commands via Discord, has ransomware feature. Retrieved April 1, 2021.
- Amazon. (n.d.). Instance identity documents. Retrieved April 2, 2021.
- Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved April 1, 2021.
- FBI. (2020, November 19). Indicators of Compromise Associated with Ragnar Locker Ransomware. Retrieved September 12, 2024.
- Microsoft. (2021, February 21). Azure Instance Metadata Service (Windows). Retrieved April 2, 2021.
- Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals target you based on where you live. Retrieved April 1, 2021.
Frequently Asked Questions
What is T1614 (System Location Discovery)?
T1614 is a MITRE ATT&CK technique named 'System Location Discovery'. It belongs to the Discovery tactic(s). Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org...
How can T1614 be detected?
Detection of T1614 (System Location Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1614?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1614?
Known threat groups using T1614 include: SideCopy, Volt Typhoon.