Main findings
- A new custom Wi-Fi scanning payload called Whiffy Recon has been detected.
- Whiffy Recon is used to infect devices compromised by the Smoke Loader botnet.
- Whiffy Recon uses nearby Wi-Fi access points to triangulate the location of infected devices.
- Whiffy Recon then uses the Google Geolocation API to get the coordinates of the device.
- Whiffy Recon creates a wlan.lnk shortcut in the Startup folder for persistence on the infected device.
- It is unclear why this information is collected, but researchers suspect it could be used to intimidate victims or pressure them to comply with the attackers' demands.
Cybersecurity researchers at Secureworks have detected a new custom Wi-Fi scanning payload dubbed Whiffy Recon. The malicious executable seeks out the geolocation of the compromised system. In the case of Whiffy Recon malware, the targeted devices are Windows-based.
Secureworks’ Counter Threat Unit has shared details of a new Smoke Loader botnet that infects compromised devices with a custom Wi-Fi scanning executable. They observed this malicious activity on August 8, 2023.
For reference, Smoke Loader, also known as Dofoil, is a type of botnet malware commonly used to deliver various payloads to compromised computers. It is classified as a downloader and is commonly associated with distribution of other types of malware such as banking Trojans, ransomware and cryptocurrency miners.
Previously, in April 2019, the Smoke Loader botnet was discovered distributing a banking Trojan and stealing $4.6 million from victims. In another campaign exposed in July 2018, it was used to drop the Kronos banking Trojan on unsuspecting victims.
In the latest campaign, Whiffy Recon uses nearby Wi-Fi access points as data points for the Google Geolocation API, which triangulates the location of infected devices. For reference, Google's geolocation services use mobile network and Wi-Fi access point data to triangulate a system's location and return its coordinates.
According to the Secureworks blog post, the payload begins by checking for the WLANSVC service on the compromised device. This verifies that the Windows-based device has wireless capability; if it does not, the payload exits. Note that Whiffy Recon only checks that the service is present, not whether it is actually working.
It maintains persistence by creating a wlan.lnk shortcut in the Startup folder that points to the location of the Whiffy Recon executable on the system. The malware's main code contains two loops: one registers the bot with the attacker's C2 server, and the other scans for Wi-Fi access points using the Windows WLAN API.
The second loop runs every 60 seconds to keep collecting geolocation data. Scan results are mapped into a JSON structure and sent to the Google Geolocation API in an HTTP POST request.
This information is then mapped into another JSON structure that contains information about all wireless access points present in the area and the ciphers they use.
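The 60-second loop described above gives defenders a simple detection hook: a non-browser process posting to the Google Geolocation API at a steady cadence is unusual. The following Python script is an added example, not code from the article or from Secureworks' research. It parses constructed proxy log lines (the format, process names and timestamps are invented for illustration) and flags any process whose POSTs to the geolocation endpoint arrive at roughly 60-second intervals. The endpoint path is the public Google Geolocation API endpoint; the tolerance and jitter thresholds are assumptions you should tune to your environment.

```python
"""Flag periodic beaconing to the Google Geolocation API in proxy logs.

Added defender's example; not part of the original article or the Secureworks
research. Log format and sample values below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample proxy log: "<timestamp> <process> <method> <url>".
# Process names, timestamps and the REDACTED key are invented for illustration.
SAMPLE_LOG = """\
2023-08-08T10:00:00Z chrome.exe GET https://www.example.com/
2023-08-08T10:00:05Z updater.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-08T10:01:05Z updater.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-08T10:01:30Z chrome.exe GET https://maps.googleapis.com/maps/api/js
2023-08-08T10:02:05Z updater.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-08T10:03:04Z updater.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-08T10:03:10Z chrome.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
"""

# Public Google Geolocation API endpoint (real), used here only for matching.
GEOLOCATION_HOST = "www.googleapis.com"
GEOLOCATION_PATH = "/geolocation/v1/geolocate"

EXPECTED_PERIOD = 60.0  # seconds; the article reports a 60-second scan loop
TOLERANCE = 5.0         # assumption: accepted deviation of the mean interval
MAX_JITTER = 10.0       # assumption: accepted standard deviation of intervals
MIN_REQUESTS = 3        # assumption: fewer requests cannot establish a cadence


@dataclass
class Finding:
    process: str
    requests: int
    mean_interval: float
    jitter: float


def parse_log(text):
    """Parse the constructed log format into (timestamp, process, method, url)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, process, method, url = line.split(maxsplit=3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), process, method, url))
    return events


def is_geolocation_request(method, url):
    """True for a POST to the Google Geolocation API endpoint."""
    parts = urlsplit(url)
    return (method == "POST"
            and parts.hostname == GEOLOCATION_HOST
            and parts.path == GEOLOCATION_PATH)


def detect_geolocation_beacons(text):
    """Return one Finding per process whose geolocation POSTs show a ~60 s cadence."""
    by_process = {}
    for ts, process, method, url in parse_log(text):
        if is_geolocation_request(method, url):
            by_process.setdefault(process, []).append(ts)

    findings = []
    for process, stamps in by_process.items():
        if len(stamps) < MIN_REQUESTS:
            continue  # e.g. a browser making a one-off geolocation call
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg, jitter = mean(intervals), pstdev(intervals)
        if abs(avg - EXPECTED_PERIOD) <= TOLERANCE and jitter <= MAX_JITTER:
            findings.append(Finding(process, len(stamps), round(avg, 2), round(jitter, 2)))
    return findings


if __name__ == "__main__":
    for f in detect_geolocation_beacons(SAMPLE_LOG):
        print(f"{f.process}: {f.requests} geolocation POSTs, "
              f"mean interval {f.mean_interval}s (jitter {f.jitter}s)")
```

In the constructed sample, `updater.exe` is reported (four POSTs about 60 seconds apart) while `chrome.exe` is not, because a single geolocation call from a browser is normal behaviour and never reaches the cadence check. In a real deployment the same logic applies equally to Sysmon network events or firewall logs once they are normalised to the process/method/URL tuple.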
It’s not yet clear to the researchers what the purpose behind getting this information is. But they suspect attackers may want to “blackmail or pressure victims to comply with their demands.” Secureworks researchers are urging organizations to use the controls available and limit access to Wi-Fi.