New "Whiffy Recon" Malware Triangulates Infected Device Location via Wi-Fi Every Minute

24.8.23  Virus  The Hacker News

Location Malware

The SmokeLoader malware is being used to deliver a new Wi-Fi scanning malware strain called Whiffy Recon on compromised Windows machines.

"The new malware strain has only one operation. Every 60 seconds it triangulates the infected systems' positions by scanning nearby Wi-Fi access points as a data point for Google's geolocation API," Secureworks Counter Threat Unit (CTU) said in a statement shared with The Hacker News. "The location returned by Google's Geolocation API is then sent back to the adversary."

SmokeLoader, as the name implies, is a loader malware whose sole purpose is to drop additional payloads onto a host. Since 2014, the malware has been offered for sale to Russian-based threat actors. It's traditionally distributed via phishing emails.

Cybersecurity
Whiffy Recon works by checking for the WLAN AutoConfig service (WLANSVC) on the infected system and terminating itself if the service name doesn't exist. It's worth noting that the scanner does not validate if it's operational.

Persistence is achieved by means of a shortcut that's added to the Windows Startup folder.

Location Malware

"What is concerning about our discovery of Whiffy Recon is the motivation for its operation is unclear," Don Smith, VP of threat intelligence at Secureworks CTU, said.

"Who, or what, is interested in the actual location of an infected device? The regularity of the scan at every 60 seconds is unusual, why update every minute? With this type of data a threat actor could form a picture of the geolocation of a device, mapping the digital to the physical."

Cybersecurity
The malware is also configured to register with a remote command-and-control (C2) server by passing along a randomly generated "botID" in an HTTP POST request, following which the server responds with a success message and a secret unique identified that's subsequently saved in a file named "%APPDATA%\Roaming\wlan\str-12.bin."

The second phase of the attack involves scanning for Wi-Fi access points via the Windows WLAN API every 60 seconds. The results of the scan are forwarded to the Google Geolocation API to triangulate the system's whereabouts and ultimately transmit that information to the C2 server in the form of a JSON string.

"This kind of activity/capability is very rarely used by criminal actors," Smith added. "As a standalone capability it lacks the ability to quickly monetise. The unknowns here are worrying and the reality is that it could be used to support any number of nefarious motivations."