Geofencing

Created the Monday 18 March 2019. Updated 6 months, 2 weeks ago.

Geofencing in malware refers to a technique used by cybercriminals to restrict the distribution or activation of malicious software based on geographical location. Malware authors use geofencing to target specific regions or avoid certain areas, such as their home country, in order to evade detection, minimize the chances of being investigated, or maximize the effectiveness of their attacks.

Geofencing works by checking the IP address, GPS coordinates, or other location data of a potential victim's device. If the device is within the predetermined boundaries defined by the attacker, the malware may proceed with its intended actions, such as infecting the device, stealing data, or launching further attacks. Conversely, if the device is outside the defined boundaries, the malware may remain dormant or deactivate itself to avoid detection.

Malware authors might use geofencing for various reasons, such as:

Targeting specific countries or regions: Attackers may focus on certain areas due to economic, political, or strategic reasons, or to exploit known vulnerabilities in specific regions.
Avoiding detection by security researchers: By restricting the distribution of malware to specific regions, attackers may make it more difficult for security researchers to obtain and analyze samples of the malicious software.
Evading law enforcement: By not targeting their own country, cybercriminals can minimize the risk of drawing the attention of local law enforcement agencies.
Complying with criminal partnerships: Some cybercriminal groups may have agreements not to target each other's territories, and geofencing allows them to abide by these agreements while still conducting their operations.

Technique Identifier

U1006

Technique Tags

geofencing malware cybercriminals geographical location IP address GPS coordinates location data victim's device predetermined boundaries distribution activation malicious software targeting regions

Featured Windows API's

Below, you will find a list of the most commonly used Windows API's that are currently utilized by malware authors for current evasion technique. This list is meant to provide an overview of the API's that are commonly used for this purpose. If there are any API's that you feel should be included on this list, please do not hesitate to contact us. We will be happy to update the list and provide any additional information or documentation that may be helpful.

RegCloseKey

Code Snippets

Description

This code snippet demonstrates a basic geofencing concept using Python. It checks if a target location (given by latitude and longitude coordinates) is within a specified radius (in kilometers) from a central point.

from geopy import Point
from geopy.distance import great_circle

def is_within_geofence(target_lat, target_lon, center_lat, center_lon, radius_km):
    center_point = Point(center_lat, center_lon)
    target_point = Point(target_lat, target_lon)

    distance = great_circle(center_point, target_point).km

    return distance <= radius_km

# Example usage
target_latitude = 40.7128
target_longitude = -74.0060

center_latitude = 40.730610
center_longitude = -73.935242

radius = 5  # 5 km

if is_within_geofence(target_latitude, target_longitude, center_latitude, center_longitude, radius):
    print("Target is within the geofence.")
else:
    print("Target is outside the geofence.")

Description

In this code, the IsLanguageInstalled function is used to check if the specified language, indicated by its LCID (Language Code Identifier), is installed on the system. In this case, the malware could check the languages installed on a Windows machine and not run if Russian is present.

#include <Windows.h>
#include <winreg.h>

#define LANG_KEY "SYSTEM\\CurrentControlSet\\Control\\Nls\\Language"
#define RUSSIAN_LCID 1049

// Check if the specified LCID is installed on the system
bool IsLanguageInstalled(LCID lcid)
{
  HKEY hKey;
  if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, LANG_KEY, 0, KEY_READ, &hKey) == ERROR_SUCCESS)
  {
    DWORD dwIndex = 0;
    WCHAR szValueName[32];
    DWORD dwValueNameLen = sizeof(szValueName);
    while (RegEnumValue(hKey, dwIndex++, szValueName, &dwValueNameLen, NULL, NULL, NULL, NULL) == ERROR_SUCCESS)
    {
      LCID lcidValue = _wtoi(szValueName);
      if (lcidValue == lcid)
      {
        RegCloseKey(hKey);
        return true;
      }
    }
    RegCloseKey(hKey);
  }
  return false;
}

int main()
{
  if (IsLanguageInstalled(RUSSIAN_LCID))
  {
    // Russian language is installed, do not run malware
    return 0;
  }
  else
  {
    // Russian language is not installed, run malware
    // ...
  }
  return 0;
}

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

https://www.vmray.com/cyber-security-blog/sandbox-evasion-techniques-part-4/